[syslog-ng] Quick filter question

Lay, James james.lay at wincofoods.com
Tue Nov 8 17:09:38 CET 2011


LoL…good call…thanks again :)

 

James

 

From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Frank Collette
Sent: Tuesday, November 08, 2011 9:01 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Quick filter question

 

I believe it does, but I use it just in case :) 


Thanks, Frank 



From:        "Lay, James" <james.lay at wincofoods.com> 
To:        "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu> 
Date:        11/08/2011 09:48 AM 
Subject:        Re: [syslog-ng] Quick filter question 
Sent by:        syslog-ng-bounces at lists.balabit.hu 

________________________________




Hi Frank, 
  
Thanks for the quick response…my last little bit is, I was under the impression that the message() directive automatically assumed the value was already in the message only, and value() wasn’t required?  Am I off on this?  Thanks again. 
  
James 
  
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Frank Collette
Sent: Tuesday, November 08, 2011 8:36 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Quick filter question 
  

filter f_firewall {
       # Drop only events that come from "firewall" AND mention a 169.254.x.x address
       not (
              program("firewall" flags(ignore-case)) and
              message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE"))
       );
};


Thanks, 

Frank E. Collette IV 
Technical Services
Systems Administrator II
Trustmark National Bank
Office: 601-208-7517 
Fax: 601-208-6105 
fcollette at trustmark.com



From:        "Lay, James" <james.lay at wincofoods.com>
To:        <syslog-ng at lists.balabit.hu>
Date:        11/08/2011 09:14 AM
Subject:        [syslog-ng] Quick filter question
Sent by:        syslog-ng-bounces at lists.balabit.hu

 

________________________________





Hey all! 
 
Real quick…trying to filter OUT firewall hits that have say…169.254.  Will this do the trick? 
 
filter f_firewall { 
       not program (firewall flags(ignore-case)); 
       and not message("169\.254\.[0-9]+\.[0-9]+"); 
}; 
 
Thanks all. 
 
James
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
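An added example, not part of the original thread: a small Python model of the two boolean forms discussed above, run over constructed sample events, to show which events each form lets through. It assumes the question's filter is read as `not program(...) and not message(...)`; Python's `re` stands in for syslog-ng's regex matching, and the sample events and function names are hypothetical.

```python
import re

# Constructed sample events as (PROGRAM, MESSAGE) pairs; not taken from the thread.
SAMPLES = [
    ("firewall", "DROP IN=eth0 SRC=169.254.12.7 DST=10.0.0.5 PROTO=UDP"),
    ("Firewall", "DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP"),
    ("dhcpd", "DHCPDISCOVER from client using 169.254.3.4 via eth1"),
    ("sshd", "Accepted publickey for admin from 198.51.100.20"),
]

# Stand-ins for program("firewall" flags(ignore-case)) and message("169\.254\....")
PROGRAM_RE = re.compile(r"firewall", re.IGNORECASE)
LINK_LOCAL_RE = re.compile(r"169\.254\.[0-9]+\.[0-9]+")


def is_firewall(program):
    return bool(PROGRAM_RE.search(program))


def has_link_local(message):
    return bool(LINK_LOCAL_RE.search(message))


def filter_not_each(program, message):
    """not program(...) and not message(...): the form in the question."""
    return not is_firewall(program) and not has_link_local(message)


def filter_not_both(program, message):
    """not (program(...) and message(...)): the form in the reply."""
    return not (is_firewall(program) and has_link_local(message))


def passed(filter_fn):
    """Return the indexes of SAMPLES that the filter lets through."""
    return [i for i, (p, m) in enumerate(SAMPLES) if filter_fn(p, m)]


if __name__ == "__main__":
    for name, fn in (("not A and not B", filter_not_each),
                     ("not (A and B)", filter_not_both)):
        print(f"{name:16} passes events {passed(fn)}")
```

Negating each condition separately discards every firewall event and every event mentioning 169.254.x.x from any program, while the grouped form discards only firewall events that mention a 169.254.x.x address.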


