[syslog-ng]host x.x.x.111 is the same as x.x.x.11 (filter error?)
Balazs Scheidler
bazsi@balabit.hu
Wed, 3 Jul 2002 12:41:11 +0200
On Wed, Jul 03, 2002 at 01:36:51AM -0700, Lubos Vitek wrote:
> Thank you very much for your kind reply!
> It really works as you wrote :-) (with ^...$ RE).
> Now I have another question. How can I filter out
> this kind of log record:
>
> datum hostX process some text with "xxxxx" string
>
> I want to write it in file for hostX.log, so I wrote
> filter:
>
> filter f_hostX { host("hostX"); };
>
> then I wrote filter for string "xxxxx":
>
> filter f_notxxxxx { not match("xxxxx"); };
>
> and then I used it all in log statement:
>
> log {... filter f_hostX ; filter f_notxxxxx ; ... }
>
> I tried to log something on host hostX with string
> "xxxxx", and I received it in syslog-ng in file
> hostX.log. Why? What am I doing wrong now? Please
> forgive me if I misunderstand something, but I tried it
> more times with other combinations of filter, but the
> "NOT" statement simply does not work ...
>
> Thank you in advance for your reply...
It did work for me.

Here's my config file:

source src { pipe("log.input"); internal(); };
filter f_host { host("balabit"); };
filter f_notxxx { not match("xxx"); };
destination dst { pipe("log.output"); };
log { source(src); filter(f_host); filter(f_notxxx); destination(dst); };

Here are the messages I wrote into syslog-ng:

balabit:~/src/syslog-ng-1.5/src$ echo bazsi > log.input
balabit:~/src/syslog-ng-1.5/src$ echo bazsixxx > log.input
balabit:~/src/syslog-ng-1.5/src$ echo bazsixx > log.input

And here's the way I read messages from log.output:

balabit:~/src/syslog-ng-1.5/src$ cat log.output
Jul 3 12:36:56 src@balabit bazsi
Jul 3 12:37:03 src@balabit bazsixx

As you see, the second message containing the forbidden pattern is not
written to log.output. (I'm using something a bit post 1.5.18, but no
important changes)
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
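
A small Python model of the filter behaviour discussed in this thread, added here as an example; it is not code from the post or from syslog-ng. It assumes host() and match() behave as unanchored regular-expression searches, with Python's re module standing in for syslog-ng's regex engine. The helper names, the 192.0.2.x addresses and the hostname are constructed; the "balabit" messages are the three from the reply's test.

```python
import re

# Constructed sample traffic as (host, message); not taken from the thread.
MESSAGES = [
    ("192.0.2.11", "sshd: session opened"),
    ("192.0.2.11", "app: debug xxxxx noise"),
    ("192.0.2.111", "sshd: session opened"),
    ("192-0-2-11.example.net", "cron: job started"),
]
# The three test messages from the reply, all from host "balabit".
REPLY_TEST = [("balabit", m) for m in ("bazsi", "bazsixxx", "bazsixx")]

def host(pattern):
    """Model of host(): regex searched anywhere in the host field (assumption)."""
    rx = re.compile(pattern)
    return lambda h, m: rx.search(h) is not None

def match(pattern):
    """Model of match(): regex searched anywhere in the message text (assumption)."""
    rx = re.compile(pattern)
    return lambda h, m: rx.search(m) is not None

def negate(flt):
    """Model of the 'not' operator inside a filter expression."""
    return lambda h, m: not flt(h, m)

def log_path(messages, *filters):
    """Model of a log statement: deliver a message only if every filter accepts it."""
    return [(h, m) for h, m in messages if all(f(h, m) for f in filters)]

def hosts_delivered(messages, *filters):
    return {h for h, _ in log_path(messages, *filters)}

LOOSE = host("192.0.2.11")          # unanchored, dots act as wildcards
STRICT = host(r"^192\.0\.2\.11$")   # anchored with ^...$, dots escaped
NOT_XXXXX = negate(match("xxxxx"))

if __name__ == "__main__":
    print("loose :", sorted(hosts_delivered(MESSAGES, LOOSE)))
    print("strict:", sorted(hosts_delivered(MESSAGES, STRICT)))
    print("strict + not xxxxx:", log_path(MESSAGES, STRICT, NOT_XXXXX))
    print("reply test:", log_path(REPLY_TEST, host("balabit"), negate(match("xxx"))))
```

With the loose pattern, records from three different senders land in the per-host file; the anchored pattern keeps that file limited to the one intended host.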