[syslog-ng]Question regarding syslog-ng filter
Aladdin
syslog-ng@lists.balabit.hu
Fri, 9 Jan 2004 14:20:06 +0200
I'm using syslog-ng 1.6rc4
Can anyone tell me what is wrong with this filter:
filter f_kern { facility(kern) and (not match("IPTABLES DROP") or not
match("New not SYN:")); };
I can still see lines with IPTABLES DROP in my kernel log :-( Why do these
messages still come through this filter? Thanks. What am I missing?
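
The following is an added example, not part of the original post and not syslog-ng code: it models the boolean logic of the posted filter in Python and runs it over constructed sample lines, next to the De Morgan form that rejects a message when either pattern matches. It assumes the intent is to drop both kinds of message; match() is modelled as a regular-expression search over the message text, and the function names are hypothetical.

```python
# Added illustration: models the boolean logic of the posted filter.
# Assumption: the intent is to keep kernel messages EXCEPT those containing
# "IPTABLES DROP" or "New not SYN:". Sample log lines are constructed.
import re


def match(pattern, msg):
    # Stand-in for syslog-ng match(): regex search against the message text.
    return re.search(pattern, msg) is not None


def posted_filter(facility, msg):
    # facility(kern) and (not match("IPTABLES DROP") or not match("New not SYN:"))
    # "not A or not B" is only false when BOTH patterns match the same line.
    return facility == "kern" and (
        not match("IPTABLES DROP", msg) or not match("New not SYN:", msg))


def intended_filter(facility, msg):
    # facility(kern) and not (match("IPTABLES DROP") or match("New not SYN:"))
    # By De Morgan this equals "not A and not B": reject if EITHER matches.
    return facility == "kern" and not (
        match("IPTABLES DROP", msg) or match("New not SYN:", msg))


# Constructed sample messages as (facility, text).
SAMPLES = [
    ("kern", "IPTABLES DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP"),
    ("kern", "New not SYN: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=TCP"),
    ("kern", "IPTABLES DROP New not SYN: IN=eth0 SRC=192.0.2.12"),
    ("kern", "eth0: link up, 100Mbps full-duplex"),
    ("daemon", "IPTABLES DROP seen in a non-kernel message"),
]


def evaluate(filter_fn):
    # Return the indexes of the sample lines the filter lets through.
    return [i for i, (fac, msg) in enumerate(SAMPLES) if filter_fn(fac, msg)]


if __name__ == "__main__":
    print("posted  :", evaluate(posted_filter))
    print("intended:", evaluate(intended_filter))
```
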