[syslog-ng] Quick filter question
Lay, James
james.lay at wincofoods.com
Tue Nov 8 19:21:11 CET 2011
Hey again all.
So… I’m still having an issue with this… not sure why. Here’s the raw log:
Nov 8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64
And from my syslog-ng.conf
filter f_firewall {
    not (
        program ("firewall" flags(ignore-case));
        and message("192\.168\.");
        and message("169\.254\.");
    )
};
log {
    source(s_local);
    filter(f_dumb);
    filter(f_firewall);
    destination(d_file);
    destination(other);
};
Any hints as to why these aren’t matching? Should I not be \ing the periods? Thanks all.
James
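As an added illustration that is not part of the thread, the following Python models the filter expression posted above and runs it over the raw line quoted in the mail plus a few constructed lines; the syslog parser and the extra sample lines are assumptions. It shows that a single message can never match both `192\.168\.` and `169\.254\.`, so joining the two message() tests with `and` excludes nothing, whereas `or` drops the intended hits.

```python
import re

# Constructed samples: the first line is the raw log quoted in the thread,
# the others are made up here to exercise the filter.
SAMPLE_LINES = [
    "Nov 8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64",
    "Nov 8 11:13:39 x.x.x.x firewall: Deny udp 20 125 x.x.x.x 169.254.10.20 137 137",
    "Nov 8 11:13:40 x.x.x.x FIREWALL: Deny tcp 20 125 x.x.x.x 10.0.0.5 22 55555",
    "Nov 8 11:13:41 x.x.x.x sshd: Accepted publickey for ops from 192.168.0.15 port 50000",
]

# Minimal BSD-syslog parser (assumption): "<Mon> <day> <time> <host> <program>: <message>"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<program>[^:\s]+): (?P<message>.*)$"
)


def parse(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unparsable syslog line: %r" % line)
    return m.group("program"), m.group("message")


def is_firewall(program):
    # program("firewall" flags(ignore-case))
    return re.search(r"firewall", program, re.IGNORECASE) is not None


def posted_filter(program, message):
    # not ( program("firewall") and message("192\.168\.") and message("169\.254\.") )
    both = re.search(r"192\.168\.", message) and re.search(r"169\.254\.", message)
    return not (is_firewall(program) and both)


def intended_filter(program, message):
    # not ( program("firewall") and ( message("192\.168\.") or message("169\.254\.") ) )
    either = re.search(r"192\.168\.", message) or re.search(r"169\.254\.", message)
    return not (is_firewall(program) and either)


def apply_filter(flt, lines):
    """Return the lines a syslog-ng filter with this truth table would pass on."""
    return [line for line in lines if flt(*parse(line))]


if __name__ == "__main__":
    print(len(apply_filter(posted_filter, SAMPLE_LINES)), "lines pass the posted filter")
    print(len(apply_filter(intended_filter, SAMPLE_LINES)), "lines pass the or-version")
```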
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Frank Collette
Sent: Tuesday, November 08, 2011 8:36 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Quick filter question
filter f_firewall {
    not (
        program("firewall" flags(ignore-case)) and
        message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE"))
    );
};
Thanks,
Frank E. Collette IV
Technical Services
Systems Administrator II
Trustmark National Bank
Office: 601-208-7517
Fax: 601-208-6105
fcollette at trustmark.com
From: "Lay, James" <james.lay at wincofoods.com>
To: <syslog-ng at lists.balabit.hu>
Date: 11/08/2011 09:14 AM
Subject: [syslog-ng] Quick filter question
Sent by: syslog-ng-bounces at lists.balabit.hu
________________________________
Hey all!
Real quick…trying to filter OUT firewall hits that have say…169.254. Will this do the trick?
filter f_firewall {
    not program (firewall flags(ignore-case));
    and not message("169\.254\.[0-9]+\.[0-9]+");
};
Thanks all.
James