[syslog-ng] [Bug 93] New: filter() functionality between 2.1 to 3.0 not consistent

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Tue Sep 21 16:16:57 CEST 2010


https://bugzilla.balabit.com/show_bug.cgi?id=93

           Summary: filter() functionality between 2.1 to 3.0 not consistent
           Product: syslog-ng
           Version: 3.0.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: mworsham at scires.com
Type of the Report: bug
   Estimated Hours: 0.0


In the older syslog-ng v2.1, this line works perfectly:

filter M_audit   { not match("Audit daemon rotating log files"); };

Under 3.0.8, none of the following work (each added one line at a time, with the daemon restarted):

filter M_audit  { not match("Audit daemon rotating log files" value("MSGONLY") flags(ignore-case)); };
filter M_audit  { not match("MSGONLY" value("Audit daemon rotating log files") flags(ignore-case)); };
filter M_audit  { not match("Audit daemon rotating log files" value(MSGONLY) flags(ignore-case)); };
filter M_audit  { not match("Audit daemon rotating log files" value(MSGONLY)); };
filter M_audit  { not match("MSGONLY" value("Audit daemon rotating log files")); };

What I am looking to do is this: if any incoming data is detected to contain the following keywords (i.e. "Audit daemon rotating log files"), it should be filtered (i.e. dropped), and then not show up in the actual message log file.

For example, if I go over on the syslog-ng client and do 'logger daemon': 
      - The older v2.1 syslog-ng server detects the embedded keyword and drops the message. <-- This is correct
      - On the v3.0.8, the message passes through and is found in the data file. <-- This is incorrect

Attempted to use the following URLs to correct the formatting, but it is still not working:
- http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/configuring_filters.html
- http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_macros.html

