[syslog-ng] Request for help with a filter

Marlier, Ian ian.marlier at studentuniverse.com
Tue Jan 2 23:43:40 CET 2007 

Hi, all --

I'm trying to get a little bit of help getting a filter to work.  I've
looked around a little bit, but haven't found a clear indication as to
priority order and the like.

I've got a network source set up for syslog-ng, that accepts messages
from a whole bunch of different machines:
source netsrc { udp(ip("0.0.0.0") port(514)); };

All of the messages that I'm interested in come from a specific
application, which is configured to log everything on local5:
filter f_myapp { facility(local5); };

I've got a general filter set up that sends these messages to a single
log file:
destination central { file("/opt/central/central"); };
log { source(netsrc); filter(f_myapp); destination(central); };


All of the above is working fine.


Now, I have need to get rid of a couple of error messages that appear on
a single host.  BUT, I need to do this in such a way as to avoid masking
those errors if they should appear somewhere else.  So, basically, I
need to add a second filter that eliminates from consideration anything
where:
host("hostX") AND (match("ERROR 1: error 1 text") or match("ERROR 2:
error 2 text"))

I can think of a couple of different ways to do this, but I'm not
positive if either syntax will work, or if there's another that'll work
better, or what...:

First attempt:
source netsrc { udp(ip("0.0.0.0") port(514)); };
destination central { file("/opt/central/central"); };
filter f_myapp { facility(local5); };
filter f_errors1 { not host("hostX") and not (match("ERROR 1:") or
match("ERROR 2")); };
log { source(netsrc); filter(f_myapp); filter(f_errors1);
destination(central); };


Second attempt:
source netsrc { udp(ip("0.0.0.0") port(514)); };
destination central { file("/opt/central/central"); };
filter f_myapp { facility(local5); };
filter f_errors2 { host("hostX") and match("ERROR 1:") or match("ERROR
2"); };
log { source(netsrc); filter(f_myapp); not filter(f_errors1);
destination(central); };


Will either of these work as written?  What are the alternate methods
that might work better?  

(Perhaps more to the point, what am I totally messing up? :-))

Thanks!

- Ian

More information about the syslog-ng mailing list