[syslog-ng] in-list filter with MESSAGE

Kókai Péter peter.kokai at balabit.com
Wed Oct 4 05:53:22 UTC 2017


Hello,

The *in-list* should work the same way for both *program* and *message*.

It is a little hard to help without the rest of the *relevant*
configuration. Therefore I created my dummy config and tested with it.

$ cat /tmp/message-filter.txt
:)
$ cat /tmp/in-list.conf
filter f_smile { in-list("/tmp/message-filter.txt", value("MESSAGE")); };
source s_stdin { file("/dev/stdin" flags(no-parse)); };
destination d_stdout { file("/dev/stdout"); };

log { source(s_stdin); filter(f_smile); destination(d_stdout); };

$ syslog-ng -f /tmp/in-list.conf
syslog-ng: Error setting capabilities, capability management disabled;
error='Operation not permitted'
[2017-10-04T07:41:31.341435] WARNING: Configuration file has no version
number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the
beginning of the file to indicate this explicitly;
...
:(
:)
Oct  4 07:41:50 peterkokai-work/peterkokai-work :)
doomed to fail :)
[EOF]

This must be an exact match, which is why it seems a little fishy that you
want to match the *MESSAGE* macro :)

--
Kokan

On Tue, Oct 3, 2017 at 10:10 PM Gopi Joshi <gkjoshi at gmail.com> wrote:

> I am trying to filter messages matching text stored in a txt file (plain
> txt, exact match, one word each line), but it's not working.
>
> filter f_userlist { in-list("/etc/syslog-ng/userlist.list", value("MESSAGE")); };    ---> NOT WORKING
>
> However, it works with value("PROGRAM")
>
> filter f_whitelist { in-list("/etc/syslog-ng/programlist.list", value("PROGRAM")); };  --->WORKING
>
> List (userlist.list) is not long and has less than 10 words to match.
> Anything missing? Or does the in-list filter not work with message contents?
> Any troubleshooting tips will be helpful.
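
A small Python model of the exact-match behaviour shown in the reply above, added here as an illustration; it is not syslog-ng code and not part of either message. The list contents, log records and function names are constructed, and the list loading (one entry per line, empty lines skipped) is an assumption about how the file is read.

```python
import re


def load_list(text):
    """Assumed list format: one entry per line, empty lines skipped."""
    return {line for line in text.split("\n") if line}


def in_list(entries, value):
    """Model of in-list(): the whole value must equal one list entry."""
    return value in entries


def words_in_list(entries, value):
    """What a word list against MESSAGE usually intends: any token matches."""
    return sorted(set(re.findall(r"[\w.-]+", value)) & entries)


def diagnose(list_text, records, field="MESSAGE"):
    """For each record return (exact_match, list_words_found_in_value)."""
    entries = load_list(list_text)
    return [(in_list(entries, r[field]), words_in_list(entries, r[field]))
            for r in records]


# Constructed sample data (hypothetical user list and log records).
USERLIST = "alice\nbob\n"
RECORDS = [
    {"PROGRAM": "sshd",
     "MESSAGE": "Accepted password for alice from 192.0.2.10 port 50022 ssh2"},
    {"PROGRAM": "sudo", "MESSAGE": "bob"},
    {"PROGRAM": "cron", "MESSAGE": "session opened for user carol"},
]

if __name__ == "__main__":
    for rec, (exact, words) in zip(RECORDS, diagnose(USERLIST, RECORDS)):
        print(f"exact={exact!s:5} words={words} msg={rec['MESSAGE']!r}")
```

A record passes the modelled in-list check only when the entire MESSAGE equals a list entry, which is why a short value such as PROGRAM matches a word list while a full message line does not.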