[syslog-ng] Converting filtering from 2.1 to 3.0?

syslogng at feystorm.net
Tue Sep 21 01:44:10 CEST 2010


Your first line should be working. Not sure why it is not.
However you can try using:

not message('Audit daemon rotating log files' flags('ignore-case'))

Simpler and does exactly what your old config did.

Sent: Mon Sep 20 2010 17:32:13 GMT-0600 (Mountain Daylight Time)
From: Worsham, Michael <mworsham at SCIRES.COM>
To: Syslog-ng users' and developers' mailing list 
<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Converting filtering from 2.1 to 3.0?
> Okay, maybe I am not making it clear enough on what it is I am trying 
> to do...
>  
> In the older syslog-ng v2.1, this line works perfectly:
>  
> filter M_audit   { not match("Audit daemon rotating log files"); };
>  
> Under 3.0.8, none of the following are working (if added one line at a 
> time) and the daemon restarted:
>  
> filter M_audit  { not match("Audit daemon rotating log files" value("MSGONLY") flags(ignore-case)); };
> filter M_audit  { not match("MSGONLY" value("Audit daemon rotating log files") flags(ignore-case)); };
> filter M_audit  { not match("Audit daemon rotating log files" value(MSGONLY) flags(ignore-case)); };
> filter M_audit  { not match("Audit daemon rotating log files" value(MSGONLY)); };
> filter M_audit  { not match("MSGONLY" value("Audit daemon rotating log files")); };
>  
> What I am looking to do is if any incoming data has the following 
> "Audit daemon rotating log files" message being detected, it should be 
> filtered (i.e. dropped), and then not show up in the actual message 
> log file.
>  
> For example, if I go over on the syslog-ng client and do 'logger daemon':
>       - The older v2.1 syslog-ng server drops the message. <-- This is correct
>       - On the v3.0.8, the message passes through and is found in the data file. <-- This is incorrect
>  
> Since the above methods aren't working, I am asking here "what would 
> be the best way of going about this as it seems my original filtering 
> lines from v2.1 no longer work".
>  
> -- Michael
>  
> ------------------------------------------------------------------------
> *From:* syslog-ng-bounces at lists.balabit.hu 
> [syslog-ng-bounces at lists.balabit.hu] On Behalf Of Alan McKinnon 
> [Alan.McKinnon at is.co.za]
> *Sent:* Monday, September 20, 2010 6:52 PM
> *To:* syslog-ng at lists.balabit.hu
> *Subject:* Re: [syslog-ng] Converting filtering from 2.1 to 3.0?
>
> Your "value" is wrong. It's a variable name, not a literal string, so 
> you use
> it like this:
>
> value(MSGONLY)
>
> or the cleaner version
>
> value(${MSGONLY})
>
> It works like a bash variable in this regard
>
>
>
> On Tuesday 21 September 2010 00:30:06 Worsham, Michael wrote:
> > Well I tried the following two lines and neither one works:
> >
> > filter M_audit  { not match("Audit daemon rotating log files" value("MSGONLY") flags(ignore-case)); };
> > Incoming log entry; line='<13>Sep 20 18:26:19 drupal root: daemon'
> > Filter rule evaluation begins; filter_rule='M_audit'
> > No such value known; value='MSGONLY'
> >
> > filter M_audit  { not match("MSGONLY" value("Audit daemon rotating log files") flags(ignore-case)); };
> > Incoming log entry; line='<13>Sep 20 18:16:15 drupal root: daemon'
> > Filter rule evaluation begins; filter_rule='M_audit'
> > No such value known; value='Audit daemon rotating log files'
> > WTF am I doing wrong and please quit quoting URLs to look at.
> >
> > -- M
> >
> >
> > ________________________________
> > From: syslog-ng-bounces at lists.balabit.hu
> > [syslog-ng-bounces at lists.balabit.hu] On Behalf Of Matthew Hall
> > [mhall at mhcomputing.net] Sent: Monday, September 20, 2010 6:12 PM
> > To: Syslog-ng users' and developers' mailing list
> > Subject: Re: [syslog-ng] Converting filtering from 2.1 to 3.0?
> >
> > On Mon, Sep 20, 2010 at 05:23:28PM -0400, Worsham, Michael wrote:
> > > No such value known; value='Audit daemon rotating log files'
> > > No such value known; value='last message repeated'
> > > No such value known; value='Log statistics'
> >
> > I believe this output indicates you have the incorrect information in
> > the value argument. The value argument is supposed to be used to
> > indicate which message macro should be checked for the string or regex
> > in question.
> >
> > So you probably want the value argument to be one of these:
> >
> > http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_macros.html
> >
> > Matthew.
> >
> > The most interesting ones for your application would be the ones below.
> >
> > Consider using an output template which outputs the value in each macro,
> > so you can see which macro you should be matching for each of your
> > filter rules.
> >
> > For example, if you output messages with this template, you would see
> > the value in the MSGONLY macro. You could use a longer version of this
> > to print out all the macros and figure out which should be used for the
> > different matches you are trying to perform.
> >
> > template t_raw {
> >     template("${MSGONLY}\n");
> > };
> >
> >
> > MSG or MESSAGE
> > Description: Text contents of the log message without the program name
> > and pid. Note that this has changed in syslog-ng version 3.0; in earlier
> > versions this macro included the program name and the pid. In syslog-ng
> > 3.0, the MSG macro became equivalent with the MSGONLY macro. The program
> > name and the pid together are available in the MSGHDR macro.
> >
> > MSGHDR
> > Description: The name and the pid of the program that sent the log
> > message in PROGRAM: PID format. Includes a trailing whitespace. Note
> > that the macro returns an empty value if both the program and pid fields
> > of the message are empty.
> >
> > MSGONLY
> > Description: Message contents without the program name or pid.
> >
> > PROGRAM
> >
> > Description: The name of the program sending the message. Note that the
> > content of the $PROGRAM variable may not be completely trusted as it is
> > provided by the client program that constructed the message.
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> >
>
> -- 
> Alan McKinnon
> Systems Engineer^W Technician
> Infrastructure Services
> Internet Solutions
>
> +27 11 575 7585
>
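A syslog-ng 3.x configuration that applies the advice given in this thread (the `message()` filter from the reply above, and `match()` with a field name in `value()` rather than a second search string), added here as an illustration and not taken from any of the messages. The source, file paths, and the `f_*`/`t_debug` names are assumed.

```conf
@version: 3.0

# Assumed source: the syslog-ng server receiving client messages over UDP.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Drop the auditd rotation notice. message() tests the message body only,
# so no value() argument is needed.
filter f_not_audit_rotate {
    not message("Audit daemon rotating log files" flags(ignore-case));
};

# Equivalent spelling with match(): value() names the field to test
# (here MESSAGE, the body without program name and pid); the search
# string stays in the first argument.
filter f_not_audit_rotate_match {
    not match("Audit daemon rotating log files" value("MESSAGE") flags(ignore-case));
};

# Debug template: print the macros from the thread side by side so you can
# see which field a filter must be applied to before writing the regex.
template t_debug {
    template("PROGRAM=[${PROGRAM}] MSGHDR=[${MSGHDR}] MSGONLY=[${MSGONLY}] MSG=[${MSG}]\n");
};

destination d_messages { file("/var/log/messages"); };
destination d_debug    { file("/var/log/syslog-ng-debug.log" template(t_debug)); };

# Normal path: everything except the rotation notice reaches the log file.
log { source(s_net); filter(f_not_audit_rotate); destination(d_messages); };

# Debug path: unfiltered copy showing every macro; remove once the filters work.
log { source(s_net); destination(d_debug); };
```

Run `syslog-ng --syntax-only -f <file>` before restarting the daemon; a wrong field name in `value()` is reported at that stage rather than as "No such value known" at filter time.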