[syslog-ng] Re: Request for help with a filter
G.W. Haywood
ged at jubileegroup.co.uk
Wed Jan 3 09:42:52 CET 2007
Hi there,
On Wed, 3 Jan 2007 Marlier, Ian wrote:
> ... need to get rid of a couple of error messages that appear on
> a single host [snip] [and only those messages, defined as]
> host("hostX") AND (match("ERROR 1: error 1 text") or match("ERROR 2: error 2 text"))
> [snip]
>
> filter f_errors1 { not host("hostX") and not (match("ERROR 1:") or match("ERROR 2")); };
I think you need:
not ( host("hostX") and ( match("ERROR 1:") or match("ERROR 2:") ) )
> filter f_errors2 { host("hostX") and match("ERROR 1:") or match("ERROR 2"); };
> ... not filter(f_errors1) ...
This is also incorrect. You need
filter f_errors2 { host("hostX") and (match("ERROR 1:") or match("ERROR 2")); };
and
... not filter(f_errors2) ...
which I assume was just a typo. You really have to be careful with
this stuff; it can bring your server down if you get it wrong.
> (Perhaps more to the point, what am I totally messing up? :-))
Your logic. You need to read about the precedence of operators.
Have a look at De Morgan's theorem too. But your ideas are sound. :)
--
73,
Ged.
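
Added example, not part of the original message or of syslog-ng: a truth-table check of the filter expressions discussed in this thread, showing which messages each variant keeps or drops compared with the stated intent. It assumes the filter operators bind in the order not, and, or (as Python's do), and models host() and match() as plain equality and substring tests; the function names and sample messages are constructed for illustration.

```python
from itertools import product

# Constructed sample traffic: every host/message combination below is tested.
HOSTS = ["hostX", "hostY"]
MSGS = ["ERROR 1: error 1 text", "ERROR 2: error 2 text", "service started"]

def host(h, name):
    return h == name          # simplified stand-in for syslog-ng host()

def match(m, pattern):
    return pattern in m       # simplified stand-in for syslog-ng match()

def intended(h, m):
    # Drop only ERROR 1 / ERROR 2 coming from hostX; keep everything else.
    return not (host(h, "hostX") and (match(m, "ERROR 1:") or match(m, "ERROR 2:")))

def f_errors1_as_posted(h, m):
    # "not" applied to each side separately: drops all of hostX and all errors.
    return not host(h, "hostX") and not (match(m, "ERROR 1:") or match(m, "ERROR 2"))

def not_f_errors2_as_posted(h, m):
    # Without parentheses this parses as (host and ERROR 1) or ERROR 2.
    return not (host(h, "hostX") and match(m, "ERROR 1:") or match(m, "ERROR 2"))

def not_f_errors2_corrected(h, m):
    return not (host(h, "hostX") and (match(m, "ERROR 1:") or match(m, "ERROR 2")))

def mishandled(keep):
    """Return (host, message, kept?) for every case that differs from the intent."""
    return [(h, m, keep(h, m)) for h, m in product(HOSTS, MSGS)
            if keep(h, m) != intended(h, m)]

if __name__ == "__main__":
    for f in (f_errors1_as_posted, not_f_errors2_as_posted, not_f_errors2_corrected):
        print(f.__name__)
        for h, m, kept in mishandled(f):
            print(f"  {h}: {m!r} -> {'kept' if kept else 'dropped'} (wrong)")
```

Every case the first two variants get wrong is a message silently dropped that should have been logged, including ERROR 2 from hosts other than hostX.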