[syslog-ng] Filter Not Working (too many or's?)

Scot scotrn at gmail.com
Thu Jun 8 23:57:04 UTC 2017


On that note is there a better way to handle a static host list for a
filter like VP needs?

I'm using the same method but fully qualified host match. I need to send
about 20 hosts' logs to a specific destination.
They do not match any unique header. I cannot say all "ASA" because only
some need to go and not all sources are ASA or even on the same subnet.

Seems to work ok but ugly as hell having "host or host or host or ...." in
a filter.

Thanks


On Tue, Jun 6, 2017 at 10:32 AM, wiskbroom at hotmail.com <
wiskbroom at hotmail.com> wrote:

> Can you provide an example?
>
>
> Thank you,
>
>
> VP
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> james.r.hendrick <james.r.hendrick at gmail.com>
> *Sent:* Tuesday, June 6, 2017 8:31:39 AM
> *To:* Syslog-ng users' and developers' mailing list
> *Subject:* Re: [syslog-ng] Filter Not Working (too many or's?)
>
> Not exactly what you asked but I have used netmask to simplify some
> filters. Although it probably won't be able to solve your problem.
>
>
>
>
> -------- Original message --------
> From: "Szalai, Attila" <Attila.Szalai at morganstanley.com>
> Date: 6/6/17 8:07 AM (GMT-05:00)
> To: Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> Subject: Re: [syslog-ng] Filter Not Working (too many or's?)
>
> Hi,
>
>
>
> First of all, the content of the host() is a regular expression, so adding
> .* to the beginning and/or to the end of the expression adds nothing, just
> pain/slowness.
>
>
>
> Second, it would help a lot if we can see the actual error message. I
> found no obvious mistake, but because this is not the original line, maybe
> something was lost in the translation.
>
>
>
> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] *On Behalf
> Of *wiskbroom at hotmail.com
> *Sent:* Tuesday, June 06, 2017 12:59 AM
> *To:* syslog-ng at lists.balabit.hu
> *Subject:* [syslog-ng] Filter Not Working (too many or's?)
>
>
>
> Here is an example of what I am trying to do, these hostnames are not
> real; the real ones have no common pattern.
>
>
>
> filter f_xyz         { host("*.abca.*") or host(".*abcb.*") or
> host(".*abcc.*") or host(".*abcd.*") or host(".*abce.*") or
> host(".*abcf.*") or host(".*abcg.*") or host(".*abch.*"); };
>
>
>
> The filter above is for any host containing a hostname with what is
> contained within the .* and *.; i.e. hostabca01 will be matched by
> host("*.abca.*")
>
>
>
> When I have this filter in my config, syslog fails to restart.
>
>
>
> Eyes hurt, obvious mistake?
>
>
>
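
An added example, not from any poster in this thread and not the project's own configuration: two ways to shorten the or-chain discussed above, first as a single regular expression in host(), then as a file-backed list with the in-list() filter (syslog-ng 3.5 or later). The host names, the list file path, the destination and the `s_net` source are placeholders.

```conf
# Added example. All names and paths below are constructed placeholders.

# 1. host() takes a regular expression that is matched anywhere in $HOST,
#    so a leading or trailing ".*" is redundant and one alternation can
#    replace the chain of "or" terms. Being a substring match, "abca" also
#    matches unintended names such as "xabca-test".
filter f_xyz_regex {
    host("abca|abcb|abcc|abcd|abce|abcf|abcg|abch");
};

# 2. For a static list of fully qualified names, keep the names in a file,
#    one per line, and compare $HOST against it as a plain string.
#    Only exact names are selected, so look-alike hosts are not routed.
#    Contents of /etc/syslog-ng/xyz-hosts.list (constructed):
#        fw01.example.com
#        app17.example.net
filter f_xyz_list {
    in-list("/etc/syslog-ng/xyz-hosts.list", value("HOST"));
};

destination d_xyz { file("/var/log/xyz-hosts.log"); };

log {
    source(s_net);            # assumed to be defined elsewhere
    filter(f_xyz_list);
    destination(d_xyz);
};
```

Running `syslog-ng --syntax-only` after editing the configuration prints any parse error without restarting the daemon.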