[syslog-ng] Not able to match on a field in syslog messages from a DataPower Appliance

Salowitz, Adam (AS.) asalowi1 at ford.com
Thu Jul 17 20:32:09 CEST 2008


> Correct me if I'm wrong but [:digit:] isn't exactly what you're after.
> Use [[:digit:]] instead.

Yes, looking closer at the syntax I believe you are absolutely right.  Sorry
for the oversight.  I believe I actually want to use + for one or more, with
the + outside the bracket expression so it repeats the digit class:

[[:digit:]]+

filter group_syncDPextest {
 host("DP[[:digit:]]+Syslog")
 or host("DPRASSyslogAudit[[:digit:]]+")
 or host("DP")
;};

But that begs the question because I am still not getting anything when I
use "host(DP)."  It's like even though the Local Identifier is in the
hostname field it is not being matched against as the hostname.  Does the
hostname filter come from this field in the message or from the packet
itself?

If this field cannot be matched against, that is fine.  I will just have to
work a little more to get my filters right based on the actual log message
content, but I told the IBM support people I would give it the old college
try.   It would be much easier for me to filter based on the Local ID but,
oh well.   Thanks again.

adam




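The two regex forms discussed in this message behave very differently, and the difference is easy to check offline. The following Go program is an added example, not code from the original post or from syslog-ng: it parses the HOSTNAME field out of a few constructed RFC 3164 lines (hypothetical hostnames, not real DataPower output) and runs syslog-ng-style unanchored host() patterns against that field. Go's RE2 engine accepts the same POSIX bracket classes (`[[:digit:]]`) as the POSIX and PCRE matchers syslog-ng uses, so the patterns behave the same way here. Note that `[[:digit:]+]` is a single bracket expression matching one character that is a digit or a literal `+`, while `[[:digit:]]+` is the digit class repeated one or more times; and that a bare `DP` pattern is unanchored, so it also matches every host that merely contains "DP".

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample RFC 3164 messages (hypothetical hostnames, not real
// DataPower output). The "Local Identifier" sits in the HOSTNAME position.
var SampleLines = []string{
	"<134>Jul 17 20:32:09 DP12Syslog dp: request processed",
	"<134>Jul 17 20:32:10 DP3Syslog dp: request processed",
	"<134>Jul 17 20:32:11 DPRASSyslogAudit7 dp: audit event",
	"<134>Jul 17 20:32:12 DP dp: heartbeat",
	"<134>Jul 17 20:32:13 web01 httpd: GET / 200",
}

// HostField returns the HOSTNAME token of an RFC 3164 line: the word after
// "<PRI>" and the "Mmm dd hh:mm:ss" timestamp. This is what syslog-ng puts
// into $HOST when keep_hostname(yes) is set; with keep_hostname(no) the
// value is replaced by the sender's address, and host() filters see that.
func HostField(line string) string {
	if i := strings.IndexByte(line, '>'); i >= 0 {
		line = line[i+1:] // drop "<PRI>"
	}
	f := strings.Fields(line)
	if len(f) < 4 {
		return "" // too short to carry a hostname field
	}
	return f[3]
}

// MatchHosts emulates a syslog-ng host("pattern") filter: an unanchored
// regex match against $HOST of every sample line, returning the hosts
// that matched in input order.
func MatchHosts(pattern string) []string {
	re := regexp.MustCompile(pattern)
	var hits []string
	for _, line := range SampleLines {
		if h := HostField(line); re.MatchString(h) {
			hits = append(hits, h)
		}
	}
	return hits
}

func main() {
	for _, p := range []string{
		"DP[[:digit:]+]Syslog", // bracket expression: ONE char that is a digit or '+'
		"DP[[:digit:]]+Syslog", // class followed by '+': one or more digits
		"DP",                   // unanchored: also hits DP12Syslog, DPRASSyslogAudit7
		"^DP$",                 // anchored: only the bare "DP" host
	} {
		fmt.Printf("host(%q) -> %v\n", p, MatchHosts(p))
	}
}
```

Because the match is unanchored, `host("DP")` alone already covers every host in the filter above; anchor with `^...$` when the intent is an exact hostname.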