[syslog-ng] Filter Not Working (too many or's?)

[wiskbroom at hotmail.com]

Thank  you!  That was the issue!


VP
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Evan Rempel <erempel at uvic.ca>
Sent: Tuesday, June 6, 2017 9:24:14 AM
To: syslog-ng at lists.balabit.hu
Subject: Re: [syslog-ng] Filter Not Working (too many or's?)

I agree with what Attila wrote, but to answer your question the first rexpression host("*.abca.*") is invalid.
you have a "*." where you needed a ".*"

Evan


On 06/06/2017 05:07 AM, Szalai, Attila wrote:
Hi,

First of all, the content of the host() is a regular expression, so adding .* to the beginning and/or to the end of the expression adds nothing, just pain/slowness.

Second, it would help a lot if we can see the actual error message. I found no obvious mistake, but because this is not the original line, maybe something lost in the translation.

From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of wiskbroom at hotmail.com<mailto:wiskbroom at hotmail.com>
Sent: Tuesday, June 06, 2017 12:59 AM
To: syslog-ng at lists.balabit.hu<mailto:syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Filter Not Working (too many or's?)


Here is an example of what I am trying to do, these hostnames are not real; the real ones have no common pattern.



filter f_xyz         { host("*.abca.*") or host(".*abcb.*") or host(".*abcc.*") or host(".*abcd.*") or host(".*abce.*") or host(".*abcf.*") or host(".*abcg.*") or host(".*abch.*"); };



The filter above is for any host containing a hostname with what is contained within the .* and *.; i.e. hostabca01 will be matched by host("*.abca.*")



When I have this filter in my config, syslog fails to restart.



Eyes hurt, obvious mistake?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170606/c188a9f6/attachment.html>