[syslog-ng] match text within message

Antonio Brown abrown5 at gmail.com
Mon Oct 3 14:53:22 CEST 2005


Below are a couple of message samples:

"Message: %PIX-51-100908: Teardown UDP connection 30292827 for THEFORCEVPN:
123.45.678.91/3130 to inside:987.65.4.3/53 duration.......etc.."

"Message: %PIX-51-070605: Teardown UDP connection 26252423 for ISSTRONGVPN:
111.21.314.15/3130 to inside:987.65.4.4/53 duration.......etc.."

I am trying to match 987.65.4.3 or 987.65.4.3/53 and 987.65.4.4.
Here is my syntax:

filter f_pix { match(PIX) and not match("987.65.4.3") and not match("987.65.4.4"); };

Any suggestions?

Thank You for your assistance!

>match() matches the message part only, which does not include the
>hostname part in the message header. If you actually copied a sample
>message it would be easier to help out, and you have a much better
>chance to receive messages on the syslog-ng mailing list. Lots of
>helpful folks there, I'm sometimes unable to respond for days. :)
>
>--
> Bazsi

>> Hello!
>>
>> I am trying to filter an IP by using match in the syslog-ng.conf file.
>> Below (in bold) is a portion of the thread that sort of describes my problem.
>> However the IP address that I am attempting to match is not the sender.
>>
>> It is actually located within the message.
>>
>> I am using the following syntax:
>>
>> filter f_pix { match(PIX) and not match("xxx\.xx\.x\.x"); };
>>
>> Did not work. I've attempted many other variations and still no go.
>>
>>
>> Again, the address that I am attempting to match is not the sender. It is
>> located within the message.
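An added illustration, not part of this thread and not syslog-ng's own code: the snippet below simulates in Python what the `match(PIX) and not match(...)` filter does against the message body (the part Bazsi points out match() actually sees), using a few messages constructed after the two PIX samples in the post. It shows the regex point the thread circles around: `match()` takes a regular expression, so an unescaped `.` matches any character and an unanchored address also matches longer addresses that merely start with it. The exclusion therefore drops more than the one host, silently removing log lines that should have been kept, which is the failure mode to watch for in any "not match" filter. The pattern built by `ip_pattern()` uses only POSIX-style constructs (escaped dots, `(^|[^0-9.])` boundaries), so the same idea ports to a syslog-ng match() string; the exact quoting rules of a given syslog-ng version are not covered here and are the reader's responsibility to check.

```python
import re

# Constructed sample message bodies, modelled on the PIX lines quoted in the
# post. The addresses are the post's placeholder values, not real hosts.
SAMPLE_MESSAGES = [
    "%PIX-51-100908: Teardown UDP connection 30292827 for THEFORCEVPN:"
    "123.45.678.91/3130 to inside:987.65.4.3/53 duration 0:00:01 bytes 120",
    "%PIX-51-070605: Teardown UDP connection 26252423 for ISSTRONGVPN:"
    "111.21.314.15/3130 to inside:987.65.4.4/53 duration 0:00:01 bytes 120",
    # Same prefix but a different host: must NOT be excluded by a 987.65.4.3 rule.
    "%PIX-51-100908: Teardown UDP connection 30292829 for THEFORCEVPN:"
    "123.45.678.91/3131 to inside:987.65.4.30/53 duration 0:00:01 bytes 80",
    # Not an address at all, yet an unescaped "987.65.4.3" still matches it.
    "%PIX-51-100908: Built UDP connection 30292830 for outside:987x65y4z3/53",
    # Non-PIX message: rejected by the positive match(PIX) term.
    "sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
]

# The two addresses the post wants to exclude.
EXCLUDED_IPS = ["987.65.4.3", "987.65.4.4"]


def ip_pattern(ip: str) -> str:
    """Regex that matches `ip` only as a whole dotted-quad.

    re.escape() turns each '.' into a literal '\\.', and the boundary groups
    require a non-digit/non-dot (or start/end of message) on both sides, so
    987.65.4.3 matches "inside:987.65.4.3/53" but not "987.65.4.30".
    """
    return r"(^|[^0-9.])" + re.escape(ip) + r"([^0-9.]|$)"


def pix_filter(message: str, excluded_ips, escape: bool = True) -> bool:
    """Simulate: filter f_pix { match(PIX) and not match(ip1) and not match(ip2); };

    Returns True when the message passes the filter (is kept). With
    escape=False the addresses are used verbatim as regexes, reproducing the
    unescaped form from the post.
    """
    if re.search("PIX", message) is None:
        return False
    for ip in excluded_ips:
        pattern = ip_pattern(ip) if escape else ip
        if re.search(pattern, message) is not None:
            return False
    return True


def apply_filter(messages, excluded_ips, escape: bool = True):
    """Return the messages the filter keeps, preserving order."""
    return [m for m in messages if pix_filter(m, excluded_ips, escape)]


def over_dropped(messages, excluded_ips):
    """Messages the unescaped filter discards that the escaped, bounded one
    keeps: the lines a sloppy exclusion silently loses."""
    kept_strict = set(apply_filter(messages, excluded_ips, escape=True))
    kept_loose = set(apply_filter(messages, excluded_ips, escape=False))
    return [m for m in messages if m in kept_strict and m not in kept_loose]


if __name__ == "__main__":
    print("kept with escaped, bounded patterns:")
    for m in apply_filter(SAMPLE_MESSAGES, EXCLUDED_IPS):
        print("  ", m)
    print("lost only because the patterns were unescaped:")
    for m in over_dropped(SAMPLE_MESSAGES, EXCLUDED_IPS):
        print("  ", m)
```

With the escaped, bounded patterns only the two intended hosts are removed (and the sshd line, which never matched PIX); with the addresses pasted in verbatim the 987.65.4.30 connection and the `987x65y4z3` line disappear as well.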