[syslog-ng] Filter Not Working (too many or's?)

Czanik, Péter peter.czanik at balabit.com
Fri Jun 9 04:27:13 UTC 2017


Hi,

You could use the inlist() filter. In this case the configuration is simple
and host names are listed in a separate file.

Blog about a similar use-case:
https://czanik.blogs.balabit.com/2013/09/black-cat-white-cat/
Documentation:
https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.9-guides/en/syslog-ng-ose-v3.9-guide-admin/html-single/index.html#filter-inlist

Bye,

Peter Czanik (CzP) <peter.czanik at balabit.com>
Balabit / syslog-ng upstream
https://www.balabit.com/blog/author/peterczanik/
https://twitter.com/PCzanik

On Fri, Jun 9, 2017 at 3:50 AM, Jim Hendrick <james.r.hendrick at gmail.com>
wrote:

> For VP:
>
> filter f_netmask { netmask("10.80.2.0/24"); };
>
> Another tip we have used successfully is to include a separate file with
> the list of hosts / netmask filters and maintain it separately from the
> base syslog-ng.conf
>
> include "/etc/syslog-ng/filter-defs.inc";
>
> You still need to write the filters, but it makes the overall file simpler.
>
>
> Jim
>
>
>
>
> On Thu, Jun 8, 2017 at 7:57 PM, Scot <scotrn at gmail.com> wrote:
>
>> On that note is there a better way to handle a static host list for a
>> filter like VP needs?
>>
>> I'm using the same method but fully qualified host match. I need to send
>> about 20 hosts' logs to a specific destination.
>> They do not match any unique header. I cannot say all "ASA" because only
>> some need to go and not all sources are ASA or even on the same subnet.
>>
>> Seems to work ok but ugly as hell having "host or host or host or ...."
>> in a filter.
>>
>> Thanks
>>
>>
>> On Tue, Jun 6, 2017 at 10:32 AM, wiskbroom at hotmail.com <
>> wiskbroom at hotmail.com> wrote:
>>
>>> Can you provide an example?
>>>
>>>
>>> Thank you,
>>>
>>>
>>> VP
>>> ------------------------------
>>> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
>>> james.r.hendrick <james.r.hendrick at gmail.com>
>>> *Sent:* Tuesday, June 6, 2017 8:31:39 AM
>>> *To:* Syslog-ng users' and developers' mailing list
>>> *Subject:* Re: [syslog-ng] Filter Not Working (too many or's?)
>>>
>>> Not exactly what you asked but I have used netmask to simplify some
>>> filters. Although it probably won't be able to solve your problem.
>>>
>>>
>>>
>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>
>>> -------- Original message --------
>>> From: "Szalai, Attila" <Attila.Szalai at morganstanley.com>
>>> Date: 6/6/17 8:07 AM (GMT-05:00)
>>> To: Syslog-ng users' and developers' mailing list <
>>> syslog-ng at lists.balabit.hu>
>>> Subject: Re: [syslog-ng] Filter Not Working (too many or's?)
>>>
>>> Hi,
>>>
>>>
>>>
>>> First of all, the content of the host() is a regular expression, so
>>> adding .* to the beginning and/or to the end of the expression adds
>>> nothing, just pain/slowness.
>>>
>>>
>>>
>>> Second, it would help a lot if we could see the actual error message. I
>>> found no obvious mistake, but because this is not the original line, maybe
>>> something got lost in the translation.
>>>
>>>
>>>
>>> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] *On
>>> Behalf Of *wiskbroom at hotmail.com
>>> *Sent:* Tuesday, June 06, 2017 12:59 AM
>>> *To:* syslog-ng at lists.balabit.hu
>>> *Subject:* [syslog-ng] Filter Not Working (too many or's?)
>>>
>>>
>>>
>>> Here is an example of what I am trying to do, these hostnames are not
>>> real; the real ones have no common pattern.
>>>
>>>
>>>
>>> filter f_xyz         { host("*.abca.*") or host(".*abcb.*") or
>>> host(".*abcc.*") or host(".*abcd.*") or host(".*abce.*") or
>>> host(".*abcf.*") or host(".*abcg.*") or host(".*abch.*"); };
>>>
>>>
>>>
>>> The filter above is for any host containing a hostname with what is
>>> contained within the .* and *.; i.e. hostabca01 will be matched by
>>> host("*.abca.*")
>>>
>>>
>>>
>>> When I have this filter in my config, syslog fails to restart.
>>>
>>>
>>>
>>> Eyes hurt, obvious mistake?
>>>
>>>
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
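As an added illustration (not code from this thread or from syslog-ng itself), a small Python model of the two approaches discussed above: a chain of host() regexes versus an inlist()-style file of exact host names. The host names and the list file are constructed; the pattern "*.abca.*" from the original post is kept to show that a regex engine rejects a leading "*" (Python's re here, so this is a model of the problem, not a reproduction of syslog-ng's own parser), while ".*abca.*" and a plain "abca" match the same hosts, as Attila pointed out.

```python
import re

# Constructed sample host names (same placeholder style as the thread; not real hosts)
SAMPLE_HOSTS = ["hostabca01", "hostabcb02", "asa-edge-01", "hostxyz99"]

# The first three patterns from the original post; the first starts with a bare '*'
ORIGINAL_PATTERNS = ["*.abca.*", ".*abcb.*", ".*abcc.*"]

# Constructed inlist()-style file: one exact host name per line, '#' comments ignored
HOST_LIST_FILE = """\
# hosts whose logs go to the special destination (constructed example)
hostabca01
hostabcb02
"""


def compile_host_patterns(patterns):
    """Compile each host() pattern as a regex-based filter would.
    Returns (compiled, errors): a pattern the engine rejects is reported
    instead of silently matching nothing."""
    compiled, errors = [], []
    for pattern in patterns:
        try:
            compiled.append(re.compile(pattern))
        except re.error as exc:
            errors.append((pattern, str(exc)))
    return compiled, errors


def match_hosts_by_regex(hosts, patterns):
    """Hosts matched by any pattern, using unanchored search (so '.*' adds nothing)."""
    compiled, _ = compile_host_patterns(patterns)
    return sorted(h for h in hosts if any(r.search(h) for r in compiled))


def load_inlist(text):
    """Parse an inlist()-style host file into a set of exact names."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def match_hosts_by_inlist(hosts, allowed):
    """Exact membership, the inlist() model: no regex, no chain of or's."""
    return sorted(h for h in hosts if h in allowed)


if __name__ == "__main__":
    _, errors = compile_host_patterns(ORIGINAL_PATTERNS)
    for pattern, reason in errors:
        print(f"rejected pattern {pattern!r}: {reason}")
    print("regex chain :", match_hosts_by_regex(SAMPLE_HOSTS, ORIGINAL_PATTERNS))
    print("inlist file :", match_hosts_by_inlist(SAMPLE_HOSTS, load_inlist(HOST_LIST_FILE)))
```

The `.*`-wrapped patterns and their bare cores select the same hosts, and the list file needs no config change when a host is added, which is the point of the inlist() suggestion.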