[syslog-ng] Filtre empty program

concatenate infosec at gmail.com
Thu Aug 28 19:10:14 CEST 2008


On Thu, Aug 28, 2008 at 8:17 AM, G R <ng.syslogng at gmail.com> wrote:

> Hi!
>
> I'm trying to filter some logs that have no program field.
> kind of "logger -t '' " logs.
>
> I've tried to use
> program("");
> or
> program(NULL);
> as filter but none of them works.
>
> How can I filter these empty-program-field logs?
>

I would look for some other attributes of the messages. If you can't add the
program field, and nothing else about the messages is unique, you might be
in trouble.

As a last resort I've made particular hosts or types of devices (UNIX vs.
network devices) send to different ports or IPs on the syslog box, then my
source has an entirely different subset of messages. Perhaps that is an
option.
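To make the two suggestions in the reply concrete, here is an added syslog-ng configuration sketch (it is not from either poster and not from the syslog-ng project). It separates the devices that send messages without a program field onto their own listener port, so the source, not the message content, becomes the distinguishing attribute, and shows a host() filter as an example of matching on "some other attribute". The port number 5514, the hostname pattern and the file paths are assumptions chosen for illustration.

```conf
# Added example, not part of the original thread.
# Approach 1: route by arrival point. Devices that emit messages with an
# empty program field are pointed at a second port (assumed: 5514), so the
# source alone identifies them and no program() filter is needed.

source s_unix {
    udp(ip(0.0.0.0) port(514));      # ordinary UNIX hosts, standard port
};

source s_netdev {
    udp(ip(0.0.0.0) port(5514));     # devices known to omit the program field
};

destination d_unix   { file("/var/log/unix.log"); };    # assumed path
destination d_netdev { file("/var/log/netdev.log"); };  # assumed path

log { source(s_unix);   destination(d_unix); };
log { source(s_netdev); destination(d_netdev); };

# Approach 2: match on another attribute of the message. If the hosts that
# send empty-program messages share a naming pattern (assumed: "router-..."),
# the host() filter selects them from the shared source instead.
filter f_routers { host("^router-"); };

destination d_routers { file("/var/log/routers.log"); }; # assumed path

log { source(s_unix); filter(f_routers); destination(d_routers); };
```

With this layout, everything that arrives on port 5514 lands in netdev.log regardless of its program field, and the host() rule catches the subset of port-514 traffic whose sender name matches the pattern; both rules depend only on properties the sender cannot leave blank.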