[syslog-ng] Quick filter question

Patrick H. syslogng at feystorm.net
Tue Nov 8 19:40:24 CET 2011


I'm not sure if semicolons are valid in filter rules, but technically 
valid or not, they shouldn't be there, so try removing them.
The filter should look like:

filter f_firewall {
         not (
         program ("firewall" flags(ignore-case))
         and message("192\.168\.")
         and message("169\.254\.")
         );
};

Note though, that filter will only trigger if both 192.168. and 169.254. 
are in the same log entry. Unless that IP address you masked out with 
"x"s is 169.254, it won't trigger.



Sent: Tue Nov 08 2011 11:21:11 GMT-0700 (MST)
From: Lay, James <james.lay at wincofoods.com>
To: Syslog-ng users' and developers' mailing list 
<syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Quick filter question
>
> Hey again all.
>
> So...I'm still having issue with this..not sure why.  Here's the raw log:
>
> Nov  8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 
> 9517 17777 offset 7 S 3371425811 win 64
>
> And from my syslog-ng.conf
>
> filter f_firewall {
>         not (
>         program ("firewall" flags(ignore-case));
>         and message("192\.168\.");
>         and message("169\.254\.");
>         )
> };
>
> log {
>         source(s_local);
>         filter(f_dumb);
>         filter(f_firewall);
>         destination(d_file);
>         destination(other);
> };
>
> Any hints as to why these aren't matching?  Should I not be \ing the 
> periods?  Thanks all.
>
> James
>
> *From:* syslog-ng-bounces at lists.balabit.hu 
> [mailto:syslog-ng-bounces at lists.balabit.hu] *On Behalf Of* Frank Collette
> *Sent:* Tuesday, November 08, 2011 8:36 AM
> *To:* Syslog-ng users' and developers' mailing list
> *Subject:* Re: [syslog-ng] Quick filter question
>
>
> filter f_firewall {
>         not (
>                program("firewall" flags(ignore-case)) and
>                message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE"));
>                 )
> };
>
>
> Thanks,
>
> Frank E. Collette IV
> Technical Services
> Systems Administrator II
> Trustmark National Bank
> Office: 601-208-7517
> Fax: 601-208-6105
> fcollette at trustmark.com <mailto:fcollette at trustmark.com>
>
>
>
> From: "Lay, James" <james.lay at wincofoods.com 
> <mailto:james.lay at wincofoods.com>>
> To: <syslog-ng at lists.balabit.hu <mailto:syslog-ng at lists.balabit.hu>>
> Date: 11/08/2011 09:14 AM
> Subject: [syslog-ng] Quick filter question
> Sent by: syslog-ng-bounces at lists.balabit.hu 
> <mailto:syslog-ng-bounces at lists.balabit.hu>
>
>
> Hey all!
>
> Real quick...trying to filter OUT firewall hits that have 
> say...169.254.  Will this do the trick?
>
> filter f_firewall {
>         not program (firewall flags(ignore-case));
>         and not message("169\.254\.[0-9]+\.[0-9]+");
> };
>
> Thanks all.
>
> James
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: 
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
>
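A small model of how the `not ( ... and ... )` expression in this thread behaves, written here as an added example in Python; it is neither syslog-ng's code nor anything from the posts. It mimics syslog-ng's unanchored regex `message()` match and case-insensitive `program()` comparison with `re.search` and a lowercase compare, and the sample records are constructed from the masked line quoted above (the `x.x.x.x` hosts are kept as posted; the other addresses and the `sshd` line are made up). The three filters show why the posted form rejects only a line carrying both prefixes, what changes when the two `message()` terms are joined with `or`, and what an unescaped dot lets through, since `.` in a regex matches any character, so escaping the periods as the posts do is correct.

```python
import re

# Constructed sample records modelled on the raw log quoted in the thread.
# Each record is (PROGRAM, MESSAGE); masked hosts stay "x.x.x.x" as posted.
SAMPLE_RECORDS = [
    ("firewall", "Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64"),
    ("firewall", "Deny udp 20 125 x.x.x.x 169.254.10.2 137 137"),
    ("firewall", "Deny tcp 20 125 169.254.1.1 192.168.0.15 443 55123"),
    ("sshd", "Accepted publickey for ops from 192.168.0.15 port 51234 ssh2"),
    ("FIREWALL", "Deny tcp 20 125 x.x.x.x 10.192x168.5.7 80 40000"),  # unescaped-dot trap
]


def program(name, ignore_case=False):
    """Model of program("name" flags(ignore-case)): compares the PROGRAM field."""
    def check(prog, _msg):
        return prog.lower() == name.lower() if ignore_case else prog == name
    return check


def message(pattern):
    """Model of message("regex"): unanchored regex search over the MESSAGE field."""
    rx = re.compile(pattern)
    return lambda _prog, msg: rx.search(msg) is not None


def filter_as_posted(prog, msg):
    """not (program AND 192.168 AND 169.254): rejects a record only when all three hold."""
    return not (program("firewall", ignore_case=True)(prog, msg)
                and message(r"192\.168\.")(prog, msg)
                and message(r"169\.254\.")(prog, msg))


def filter_either_prefix(prog, msg):
    """not (program AND (192.168 OR 169.254)): rejects a firewall hit carrying either prefix."""
    return not (program("firewall", ignore_case=True)(prog, msg)
                and (message(r"192\.168\.")(prog, msg)
                     or message(r"169\.254\.")(prog, msg)))


def filter_unescaped_dots(prog, msg):
    """Same shape as filter_either_prefix, but the dots are left unescaped and match any char."""
    return not (program("firewall", ignore_case=True)(prog, msg)
                and (message("192.168.")(prog, msg)
                     or message("169.254.")(prog, msg)))


def dropped_by(flt, records=SAMPLE_RECORDS):
    """Indices of records the filter rejects (a false result means the log path skips them)."""
    return [i for i, (prog, msg) in enumerate(records) if not flt(prog, msg)]


if __name__ == "__main__":
    for flt in (filter_as_posted, filter_either_prefix, filter_unescaped_dots):
        print(f"{flt.__name__:24s} drops records {dropped_by(flt)}")
```

Run against the constructed records, the posted form drops only the record that carries both prefixes (index 2), the `or` form drops every firewall record carrying either prefix, and the unescaped form additionally drops the `10.192x168.5.7` record, which has no 192.168. prefix at all.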