[syslog-ng] Problems with syslog-ng and filters-

Ville Leinonen ville.leinonen at megata.vu
Tue Jul 12 13:25:33 CEST 2005 

Hi,

Thank you this works.

Br,

Ville Leinonen

On Tue, 2005-07-12 at 11:40 +0200, Roberto Nibali wrote:
> Hello,
> 
> > I have created 2 filters. There is check if there is link up/down text
> > in msg field.
> 
> Ok.
> 
> > If its match then there comes N else there should be comes N.
>                                 ^^^
> I guess you mean 'Y' here, right?
> 
> > My problem is now that i syslog-ng puts double in sql-table one is Y
> > and one is N. Any suggestion what is wrong? Here comes also
> > configuration.
> 
> It looks like you have two problems: a boolean algebra one and a 
> syslog-ng configuration one ;). I really hope I'm awake enough and 
> didn't miss something ...
> 
> > source net { udp(ip("0.0.0.0") port(514)); };
> > 
> > filter f_link_downup { match(LINK-3-UPDOWN) or match(LINEPROTO-5-UPDOWN) or match(off-line) or match(on-line); };
> > filter f_others { not match(LINK-3-UPDOWN) or not match(LINEPROTO-5-UPDOWN) or not match(off-line) or not match(on-line); };
> 
> Assert:
>     A := LINK-3-UPDOWN
>     B := LINEPROTO-5-UPDOWN
>     C := off-line
>     D := on-line
> 
> Then your filters look as follows:
> 
>     f_link_downup = A + B + C + D
>     f_others      = !A + !B + !C + !D
> 
> One would assume that since you have one bit ('Y' and 'N') as the 
> outcome, that you'd want 'f_others' to be '!f_link_downup'. So this guy 
> de Morgan once brought up following nitpick:
> 
>    !f_link_downup == !A * !B * !C * !D
> 
> which is what you want for 'f_others'
> 
> Thus your filter statements should rather be (unless I didn't understand 
> your wishes):
> 
> filter f_link_downup {
>    match(LINK-3-UPDOWN) or match(LINEPROTO-5-UPDOWN) or match(off-line) 
> or match(on-line);
> };
> 
> filter f_others {
>    not match(LINK-3-UPDOWN) and not match(LINEPROTO-5-UPDOWN) and not 
> match(off-line) and not match(on-line);
> };
> 
> You might want to put '"' for the strings but it's not neccessary in 
> your case.
> 
> > log { source(net); filter(f_link_downup); destination(d_mysql_downup); };
> > log { source(net); filter(f_others); destination(d_mysql_others); };
> 
> To speed up your logging you could add a flags(final); statement into 
> your log statements.
> 
> > destination d_mysql_downup {
> >  pipe("/tmp/mysql.pipe" template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg, showdata)
> >  VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL','$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG', 'N' );\n")
> >  template-escape(yes));
> > };
> > 
> > destination d_mysql_others {
> >  pipe("/tmp/mysql.pipe" template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg, showdata)
> >  VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL','$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG', 'Y' );\n")
> >  template-escape(yes));
> > };
> 
> HTH and best regards,
> Roberto Nibali, ratz

More information about the syslog-ng mailing list