[syslog-ng] Quick filter question

Lay, James james.lay at wincofoods.com
Tue Nov 8 21:41:30 CET 2011


Excellent...thanks so much Patrick.  This is working nicely.  At some
point in time I may want to add in the firewalls "Deny" statement, but
for now this will work.  Thanks again.

 

James

 

From: Patrick H. [mailto:syslogng at feystorm.net] 
Sent: Tuesday, November 08, 2011 11:57 AM
To: Lay, James
Cc: Syslog-ng users' and developers' mailing list
Subject: [Spam] Re: [syslog-ng] Quick filter question
Importance: Low

 

That might work, but what the order of operations is for boolean
operators (and/or) is unclear. In situations like that it's always
best to explicitly force the order yourself.

filter f_firewall {
        not (
            program ("firewall" flags(ignore-case))
            and (
                message("192\.168\.")
                or message("169\.254\.")
            )
        );
};



Sent: Tue Nov 08 2011 11:46:35 GMT-0700 (MST)
From: Lay, James <james.lay at wincofoods.com>
<mailto:james.lay at wincofoods.com> 
To: Patrick H. <syslogng at feystorm.net> <mailto:syslogng at feystorm.net> ,
Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu> <mailto:syslog-ng at lists.balabit.hu>  
Subject: Re: [syslog-ng] Quick filter question 

Ah...so I need or then yes?
 
filter f_firewall {
        not (
        program ("firewall" flags(ignore-case))
        and message("192\.168\.")
        or message("169\.254\.")
        );
};
 
How's that look?
 
James
 
P.S. And thank you :)
 
James
 
From: Patrick H. [mailto:syslogng at feystorm.net] 
Sent: Tuesday, November 08, 2011 11:40 AM
To: Syslog-ng users' and developers' mailing list
Cc: Lay, James
Subject: Re: [syslog-ng] Quick filter question
 
I'm not sure if semicolons are valid in filter rules, but technically
valid or not, they shouldn't be there, so try removing them.
The filter should look like
filter f_firewall {
        not (
        program ("firewall" flags(ignore-case))
        and message("192\.168\.")
        and message("169\.254\.")
        );
};
 
Note though, that filter will only trigger if both 192.168. and 169.254.
are in the same log entry. Unless that IP address you masked out with
"x"s is 169.254 it won't trigger.
 
 
 
Sent: Tue Nov 08 2011 11:21:11 GMT-0700 (MST)
From: Lay, James <james.lay at wincofoods.com>
<mailto:james.lay at wincofoods.com> 
To: Syslog-ng users' and developers' mailing list
<syslog-ng at lists.balabit.hu> <mailto:syslog-ng at lists.balabit.hu>  
Subject: Re: [syslog-ng] Quick filter question 
Hey again all.
 
So...I'm still having an issue with this...not sure why.  Here's the raw
log:
 
Nov  8 11:13:38 x.x.x.x firewall: Deny tcp 20 125 x.x.x.x 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64
 
And from my syslog-ng.conf
 
filter f_firewall {
        not (
        program ("firewall" flags(ignore-case));
        and message("192\.168\.");
        and message("169\.254\.");
        )
};
 
log {
        source(s_local);
        filter(f_dumb);
        filter(f_firewall);
        destination(d_file);
        destination(other);
};
 
Any hints as to why these aren't matching?  Should I not be \ing the
periods?  Thanks all.
 
James
 
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Frank Collette
Sent: Tuesday, November 08, 2011 8:36 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Quick filter question
 
 
filter f_firewall {
        not (
               program("firewall" flags(ignore-case)) and
               message("169\.254\.[0-9]+\.[0-9]+" value("MESSAGE"))
        )
};
 
 
Thanks, 
 
Frank E. Collette IV 
Technical Services
Systems Administrator II
Trustmark National Bank
Office: 601-208-7517 
Fax: 601-208-6105 
fcollette at trustmark.com 
 
 
 
From:        "Lay, James" <james.lay at wincofoods.com>
<mailto:james.lay at wincofoods.com>  
To:        <syslog-ng at lists.balabit.hu>
<mailto:syslog-ng at lists.balabit.hu>  
Date:        11/08/2011 09:14 AM 
Subject:        [syslog-ng] Quick filter question 
Sent by:        syslog-ng-bounces at lists.balabit.hu 
________________________________________
 
 
 
Hey all! 
  
Real quick...trying to filter OUT firewall hits that have say...169.254.
Will this do the trick? 
  
filter f_firewall { 
        not program (firewall flags(ignore-case)); 
        and not message("169\.254\.[0-9]+\.[0-9]+"); 
}; 
  
Thanks all. 
  
James
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
 
 
 
 
 
 
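Added example, not code from the thread or from syslog-ng itself: a small Python emulation of the three f_firewall variants (Frank's, James's unparenthesised one, and Patrick's explicit one), run over constructed log lines shaped like the one James posted, so the precedence question is settled on data rather than by guessing. The `program()` and `message()` helpers, `parse()` and `passes()` are my stand-ins for syslog-ng's filter functions and log path behaviour; they assume, as syslog-ng does, that both filter functions are unanchored regex matches on the PROGRAM and MESSAGE fields, and that `and` binds tighter than `or` when no parentheses are given, which is how syslog-ng's grammar (and most others) resolves it.

```python
import re

# Constructed sample lines shaped like the one James posted; hosts and
# addresses are made up for the example.
SAMPLE_LOGS = [
    "Nov  8 11:13:38 10.0.0.1 firewall: Deny tcp 20 125 10.0.0.9 192.168.0.15 9517 17777 offset 7 S 3371425811 win 64",
    "Nov  8 11:13:39 10.0.0.1 firewall: Deny udp 20 125 169.254.3.7 10.0.0.9 137 137",
    "Nov  8 11:13:40 10.0.0.1 FIREWALL: Accept tcp 20 125 10.0.0.9 10.0.0.20 443 52311",
    "Nov  8 11:13:41 10.0.0.1 sshd[4242]: Accepted publickey for ops from 169.254.10.10 port 51234 ssh2",
    "Nov  8 11:13:42 10.0.0.1 dhclient: bound to 192.168.0.15 -- renewal in 3600 seconds",
]

# Minimal BSD-syslog splitter (assumption: enough to recover what syslog-ng
# exposes as ${PROGRAM} and ${MESSAGE} for lines of this shape).
SYSLOG_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def parse(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


# Stand-ins for syslog-ng's program() and message() filter functions
# (names mine): unanchored regex searches on the respective field.
def program(pattern, ignore_case=False):
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return lambda msg: rx.search(msg["program"]) is not None


def message(pattern):
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["message"]) is not None


is_firewall = program("firewall", ignore_case=True)
has_192 = message(r"192\.168\.")
has_169 = message(r"169\.254\.")
has_169_full = message(r"169\.254\.[0-9]+\.[0-9]+")


def f_frank(msg):
    """Frank's filter: drop only firewall lines carrying a 169.254.x.y address."""
    return not (is_firewall(msg) and has_169_full(msg))


def f_unparenthesised(msg):
    """James's middle version, `not (A and B or C)`, read with `and` binding
    tighter than `or`: not ((A and B) or C). Every line containing 169.254.
    is dropped, whatever program produced it."""
    return not ((is_firewall(msg) and has_192(msg)) or has_169(msg))


def f_explicit(msg):
    """Patrick's final version with the grouping forced: not (A and (B or C))."""
    return not (is_firewall(msg) and (has_192(msg) or has_169(msg)))


def passes(filt, lines):
    """Indexes of the lines the filter lets through (a filter returning
    false stops the message at that log path, as in syslog-ng)."""
    return [i for i, line in enumerate(lines) if filt(parse(line))]


if __name__ == "__main__":
    variants = (("frank", f_frank),
                ("unparenthesised", f_unparenthesised),
                ("explicit", f_explicit))
    for name, filt in variants:
        kept = passes(filt, SAMPLE_LOGS)
        dropped = [i for i in range(len(SAMPLE_LOGS)) if i not in kept]
        print(f"{name:16s} keeps {kept}, drops {dropped}")
```

The line to watch is index 3, the sshd login from a 169.254 address: the explicit filter keeps it (it is not a firewall message), while the unparenthesised form silently drops it, because the stray `or message("169\.254\.")` is evaluated outside the `program()` condition. A filter that is meant to quiet firewall noise ending up suppressing authentication events from every program is exactly the kind of blind spot an investigator regrets later, and it is why Patrick's advice to force the grouping is the right default. Before reloading a real config, `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` catches the stray-semicolon errors from earlier in the thread, though it cannot tell you whether the filter means what you think; a sample run like the one above does that.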