[syslog-ng] filter help

Greg Rodenhiser grodenhi at gmail.com
Thu Oct 27 22:31:14 CEST 2005


I have several remote servers that are logging via regular syslog to my
central syslog-ng server. This is working fine. Now, I have several distinct
messages from different servers that I want to filter to a single log file
(without having anything else in this file). I have tried setting it up but
I'm having problems...

1.) I have made six filter lines in syslog-ng.conf that contain the
host/message combination I want to put in my special log. I have named these
six filters the same name (f_interest). I then have a log line that contains
the name of the filter (the filter name is used for six filter declarations),
and the destination for the file I want to log to. My problem/question is,
how does syslog-ng handle multiple filters that have the same name? Each of
these 6 filters contains a host and word match I want to have interpreted. My
problem is nothing is getting logged to my log. Does syslog-ng somehow
combine these 6 filters because they have the same name? I want each one to
be interpreted separately from the others with the same name. I only named
them the same to prevent having to make 6 different log directives to the
same file.

2.) How do I do a multiple not match? For instance I want to log messages
from serverA that do NOT contain the text, message1, or message2, or
message3, but log everything else from serverA. Right now I do...

filter f_interest { not match("(message1|message2|message3)") and
host(serverA); };

Does that look right?


Thanks in advance!!
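
The setup described in the two questions above can be written with uniquely named filters, shown here as an added example that is not part of the original post. The host names, message strings, source and destination names, file paths and the `udp()` source are assumptions chosen for illustration.

```conf
# Constructed example: every name, pattern and path below is a placeholder.

# Remote hosts sending classic syslog over UDP (assumed transport).
source s_remote { udp(ip("0.0.0.0") port(514)); };

# Question 1: one filter, one name, six host/message pairs joined with "or".
# Each pair is parenthesised so its "and" is grouped before the "or".
filter f_interest {
       (host("serverA") and match("message1"))
    or (host("serverB") and match("message2"))
    or (host("serverC") and match("message3"))
    or (host("serverD") and match("message4"))
    or (host("serverE") and match("message5"))
    or (host("serverF") and match("message6"));
};

# Question 2: everything from serverA except three message patterns.
# "not" applies only to the match() that follows it.
filter f_servera_rest {
    host("serverA") and not match("(message1|message2|message3)");
};

destination d_interest     { file("/var/log/interest.log"); };
destination d_servera_rest { file("/var/log/serverA-rest.log"); };

# A log statement passes a message only if every filter() it references
# matches, so the alternatives are kept inside the filter body instead of
# being listed as separate filter() references.
log { source(s_remote); filter(f_interest);      destination(d_interest); };
log { source(s_remote); filter(f_servera_rest);  destination(d_servera_rest); };
```

Running `syslog-ng -s -f <path to this file>` checks the syntax without starting the daemon.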