[syslog-ng] in-list syntax

Damian Bell Damian.Bell at clarksons.com
Thu Jul 13 14:07:07 UTC 2017


Hello,

I’ve previously had a very simple regex list configured for Cisco ASA devices to deliver email alerts on routing changes in our network, which was configured thus:-

filter f_sev1 { match("%ASA-3-622001"); };

…which works just fine. Wanting to expand this list a bit, and aware that scaling regex matching up is going to incur performance issues, I’ve thought that an “in-list” expression file might have been a better approach, and as such have configured the following:-

filter f_sev1 { in-list("/etc/syslog-ng/email-match-list.list", value("PROGRAM")); };

…where “PROGRAM” is (I believe) the applicable part of the code that matches to the Cisco "%ASA-3-622001" part of the message. The whitelist has the following entries (as an example):-

%DUAL-5-NBRCHANGE
%ASA-3-622001
%SPANTREE-5-TOPOTRAP
%SPANTREE-5-ROOTCHANGE
%ASA-5-111010

I am not getting any matches here, however. What am I missing?

Thanks very much in advance,

Damian
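An added example, not part of the original post and not syslog-ng code: a small Python model of the comparison in-list() performs, which is a whole-value, case-sensitive match of the selected field against each line of the file, unlike the substring search that match() does. The three parsed records and the `extract_tag` and `diagnose` helpers are constructed for illustration; how a given ASA line is actually split into PROGRAM and MESSAGE is an assumption to check on the real system.

```python
import re

# List file contents, one entry per line (the entries quoted in the post).
LIST_FILE_TEXT = """\
%DUAL-5-NBRCHANGE
%ASA-3-622001
%SPANTREE-5-TOPOTRAP
%SPANTREE-5-ROOTCHANGE
%ASA-5-111010
"""

# Cisco message tag: %FACILITY-SEVERITY-MNEMONIC
CISCO_TAG = re.compile(r"%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+")

def load_list(text):
    """Keep every non-empty line verbatim, as one list entry."""
    return {line for line in text.splitlines() if line}

def in_list(value, entries):
    """Model of in-list(): the whole field value must equal one entry."""
    return value in entries

def extract_tag(record):
    """Hypothetical helper: first Cisco tag found in PROGRAM or MESSAGE."""
    for field in ("PROGRAM", "MESSAGE"):
        found = CISCO_TAG.search(record.get(field, ""))
        if found:
            return found.group(0)
    return ""

def diagnose(record, entries):
    """Return (substring hit, in-list on PROGRAM, in-list on extracted tag)."""
    text = record.get("PROGRAM", "") + " " + record.get("MESSAGE", "")
    substring_hit = any(entry in text for entry in entries)
    return (substring_hit,
            in_list(record.get("PROGRAM", ""), entries),
            in_list(extract_tag(record), entries))

ENTRIES = load_list(LIST_FILE_TEXT)

# Constructed records: the field split shown here is an assumption.
SAMPLES = [
    {"PROGRAM": "", "MESSAGE": "%ASA-3-622001: tracked route change (constructed)"},
    {"PROGRAM": "%ASA-3-622001", "MESSAGE": "tracked route change (constructed)"},
    {"PROGRAM": "", "MESSAGE": "%ASA-6-302013: connection built (constructed)"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(diagnose(sample, ENTRIES), sample)
```

The first record is the case to look for: the tag is found by a substring search but PROGRAM is empty, so a list lookup keyed on PROGRAM cannot match until the tag is isolated into its own field.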
