[syslog-ng] Converting filtering from 2.1 to 3.0?

Alan McKinnon Alan.McKinnon at is.co.za
Tue Sep 21 00:52:17 CEST 2010


Your "value" is wrong. It's a variable name, not a literal string, so you use 
it like this:

value(MSGONLY) 

or the cleaner version

value(${MSGONLY})

It works like a bash variable in this regard.



On Tuesday 21 September 2010 00:30:06 Worsham, Michael wrote:
> Well I tried the following two lines and neither one works:
> 
> filter M_audit  { not match("Audit daemon rotating log files" value("MSGONLY") flags(ignore-case)); };
> Incoming log entry; line='<13>Sep 20 18:26:19 drupal root: daemon'
> Filter rule evaluation begins; filter_rule='M_audit'
> No such value known; value='MSGONLY'
> 
> filter M_audit  { not match("MSGONLY" value("Audit daemon rotating log files") flags(ignore-case)); };
> Incoming log entry; line='<13>Sep 20 18:16:15 drupal root: daemon'
> Filter rule evaluation begins; filter_rule='M_audit'
> No such value known; value='Audit daemon rotating log files'
> WTF am I doing wrong and please quit quoting URLs to look at.
> 
> -- M
> 
> 
> ________________________________
> From: syslog-ng-bounces at lists.balabit.hu [syslog-ng-bounces at lists.balabit.hu] On Behalf Of Matthew Hall [mhall at mhcomputing.net]
> Sent: Monday, September 20, 2010 6:12 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Converting filtering from 2.1 to 3.0?
> 
> On Mon, Sep 20, 2010 at 05:23:28PM -0400, Worsham, Michael wrote:
> > No such value known; value='Audit daemon rotating log files'
> > No such value known; value='last message repeated'
> > No such value known; value='Log statistics'
> 
> I believe this output indicates you have the incorrect information in
> the value argument. The value argument is supposed to be used to
> indicate which message macro should be checked for the string or regex
> in question.
> 
> So you probably want the value argument to be one of these:
> 
> http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_macros.html
> 
> Matthew.
> 
> The most interesting ones for your application would be the ones below.
> 
> Consider using an output template which outputs the value in each macro,
> so you can see which macro you should be matching for each of your
> filter rules.
> 
> For example, if you output messages with this template, you would see
> the value in the MSGONLY macro. You could use a longer version of this
> to print out all the macros and figure out which should be used for the
> different matches you are trying to perform.
> 
> template t_raw {
>     template("${MSGONLY}\n");
> };
> 
> 
> MSG or MESSAGE
> Description: Text contents of the log message without the program name
> and pid. Note that this has changed in syslog-ng version 3.0; in earlier
> versions this macro included the program name and the pid. In syslog-ng
> 3.0, the MSG macro became equivalent with the MSGONLY macro. The program
> name and the pid together are available in the MSGHDR macro.
> 
> MSGHDR
> Description: The name and the pid of the program that sent the log
> message in PROGRAM: PID format. Includes a trailing whitespace. Note
> that the macro returns an empty value if both the program and pid fields
> of the message are empty.
> 
> MSGONLY
> Description: Message contents without the program name or pid.
> 
> PROGRAM
> 
> Description: The name of the program sending the message. Note that the
> content of the $PROGRAM variable may not be completely trusted as it is
> provided by the client program that constructed the message.
> 

-- 
Alan McKinnon
Systems Engineer^W Technician
Infrastructure Services
Internet Solutions

+27 11 575 7585
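As an added illustration (not code from the thread or from syslog-ng itself), the following Python emulates how a raw syslog line is split into the macros discussed above (PROGRAM, PID, MSGHDR, MSGONLY, and the pre-3.0 versus 3.0 meaning of MSG) and how a `match()` filter is applied to one chosen value. It assumes MSGHDR renders as `PROGRAM[PID]: ` with a trailing space; the `auditd` sample line is constructed for the example.

```python
import re

# Constructed sample, modelled on the lines in the thread (not captured from a real host).
SAMPLE = "<13>Sep 20 18:26:19 drupal auditd[1234]: Audit daemon rotating log files"

# BSD-syslog style line: <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msgonly>.*)$"
)


def parse_macros(line):
    """Split a raw line into the syslog-ng macros the thread talks about."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    program = m.group("program") or ""
    pid = m.group("pid") or ""
    msgonly = m.group("msgonly")
    # Assumption: MSGHDR is "PROGRAM[PID]: " with a trailing space and is
    # empty when both PROGRAM and PID are empty.
    if program or pid:
        msghdr = program + ("[%s]" % pid if pid else "") + ": "
    else:
        msghdr = ""
    return {
        "PROGRAM": program,
        "PID": pid,
        "MSGHDR": msghdr,
        "MSGONLY": msgonly,
        "MSG": msgonly,                # syslog-ng 3.0: MSG is the same as MSGONLY
        "MSG_PRE_3_0": msghdr + msgonly,  # older versions: MSG carried the header too
    }


def match_filter(macros, pattern, value="MSGONLY", ignore_case=True, negate=False):
    """Emulate: filter f { [not] match(pattern value("VALUE") flags(ignore-case)); };"""
    if value not in macros:
        # Same complaint syslog-ng prints when value() names no macro.
        raise KeyError("No such value known; value=%r" % value)
    flags = re.IGNORECASE if ignore_case else 0
    hit = re.search(pattern, macros[value], flags) is not None
    return (not hit) if negate else hit
```

Passing the pattern as `value()` and the macro name as the pattern, as in the second attempt quoted above, hits the `KeyError` branch, which is the "No such value known" message from the thread.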

