[syslog-ng] Filter Not Working (too many or's?)

Jim Hendrick james.r.hendrick at gmail.com
Fri Jun 9 01:50:11 UTC 2017


For VP:

filter f_netmask { netmask("10.80.2.0/24"); };

Another tip we have used successfully is to include a separate file with
the list of hosts / netmask filters and maintain it separately from the
base syslog-ng.conf

@include "/etc/syslog-ng/filter-defs.inc";

You still need to write the filters, but it makes the overall file simpler.


Jim




On Thu, Jun 8, 2017 at 7:57 PM, Scot <scotrn at gmail.com> wrote:

> On that note is there a better way to handle a static host list for a
> filter like VP needs?
>
> I'm using the same method but fully qualified host match. I need to send
> about 20 hosts' logs to a specific destination.
> They do not match any unique header. I cannot say all "ASA" because only
> some need to go and not all sources are ASA or even on the same subnet.
>
> Seems to work ok but ugly as hell having "host or host or host or ...." in
> a filter.
>
> Thanks
>
>
> On Tue, Jun 6, 2017 at 10:32 AM, wiskbroom at hotmail.com <wiskbroom at hotmail.com> wrote:
>
>> Can you provide an example?
>>
>>
>> Thank you,
>>
>>
>> VP
>> ------------------------------
>> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
>> james.r.hendrick <james.r.hendrick at gmail.com>
>> *Sent:* Tuesday, June 6, 2017 8:31:39 AM
>> *To:* Syslog-ng users' and developers' mailing list
>> *Subject:* Re: [syslog-ng] Filter Not Working (too many or's?)
>>
>> Not exactly what you asked but I have used netmask to simplify some
>> filters. Although it probably won't be able to solve your problem.
>>
>> Sent from my Verizon, Samsung Galaxy smartphone
>>
>> -------- Original message --------
>> From: "Szalai, Attila" <Attila.Szalai at morganstanley.com>
>> Date: 6/6/17 8:07 AM (GMT-05:00)
>> To: Syslog-ng users' and developers' mailing list <
>> syslog-ng at lists.balabit.hu>
>> Subject: Re: [syslog-ng] Filter Not Working (too many or's?)
>>
>> Hi,
>>
>> First of all, the content of the host() is a regular expression, so
>> adding .* to the beginning and/or to the end of the expression adds
>> nothing, just pain/slowness.
>>
>> Second, it would help a lot if we could see the actual error message. I
>> found no obvious mistake, but because this is not the original line, maybe
>> something got lost in the translation.
>>
>> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] *On Behalf
>> Of *wiskbroom at hotmail.com
>> *Sent:* Tuesday, June 06, 2017 12:59 AM
>> *To:* syslog-ng at lists.balabit.hu
>> *Subject:* [syslog-ng] Filter Not Working (too many or's?)
>>
>> Here is an example of what I am trying to do; these hostnames are not
>> real, the real ones have no common pattern.
>>
>> filter f_xyz         { host("*.abca.*") or host(".*abcb.*") or
>> host(".*abcc.*") or host(".*abcd.*") or host(".*abce.*") or
>> host(".*abcf.*") or host(".*abcg.*") or host(".*abch.*"); };
>>
>> The filter above is for any host whose hostname contains what is
>> between the .* and *.; i.e. hostabca01 will be matched by
>> host("*.abca.*")
>>
>> When I have this filter in my config, syslog fails to restart.
>>
>> Eyes hurt, obvious mistake?
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
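
Added example (not from the thread, and not code posted by Jim, Scot, Attila or VP): one syslog-ng configuration that puts the three approaches discussed above side by side, namely the host() chain in a form that actually parses, Jim's netmask() shortcut, and a static host list kept in an external file via in-list(), which is the "better way" Scot asked about. The paths, hostnames and subnet are invented placeholders. The reason VP's config refused to load is visible in the first term of the posted filter: host() compiles its argument as a regular expression, and "*.abca.*" starts with a quantifier that has nothing to repeat, which both POSIX and PCRE engines reject, so config parsing aborts and syslog-ng will not restart.

```conf
# Added example, not part of the original thread.  Paths, hostnames and the
# subnet below are placeholders; adjust them before use.
@version: 3.8

# 1. Corrected form of the posted host() chain.  host() already does an
#    unanchored regex match, so ".*abca.*" is just "abca", and the leading
#    "*" in "*.abca.*" is a syntax error that aborts config parsing.
filter f_xyz {
    host("abca") or host("abcb") or host("abcc") or host("abcd");
};

# 2. Whole subnet, as Jim suggested.  netmask() tests the address of the
#    peer that delivered the message to syslog-ng, not the HOST field in the
#    syslog header, so a sender cannot pass it by forging the hostname.
filter f_netmask { netmask("10.80.2.0/24"); };

# 3. Static host list maintained outside syslog-ng.conf.  in-list() (available
#    since syslog-ng 3.5) reads one entry per line from the file and does an
#    exact string comparison against the named macro, so the list needs no
#    regex escaping and no "or host() or host() ..." chain.
#    /etc/syslog-ng/special-hosts.list (assumed path) would contain e.g.:
#        asa-edge01
#        core-sw-lab
#    Entries must match $HOST exactly as syslog-ng stores it (short name
#    vs. FQDN depends on use-dns()/keep-hostname()), and the file is read at
#    start/reload, so edits need a syslog-ng reload to take effect.
filter f_static_hosts {
    in-list("/etc/syslog-ng/special-hosts.list", value("HOST"));
};

# Jim's other tip: keep the filter definitions in their own file and pull
# them in here.  syslog-ng's include directive is "@include".
@include "/etc/syslog-ng/filter-defs.inc";

source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

destination d_special {
    file("/var/log/special-hosts.log");
};

# Only the listed hosts reach the special destination.
log {
    source(s_net);
    filter(f_static_hosts);
    destination(d_special);
};
```

Before restarting, run syslog-ng with --syntax-only against the new file; a bad regex in a host() filter is reported at that stage with the offending line number, which is the error message Attila was asking to see.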