[syslog-ng] in-list for message

Scheidler, Balázs balazs.scheidler at balabit.com
Wed Apr 11 22:06:45 UTC 2018


I don't think in-list does partial matches now. But what you have there
would try to look up the MESSAGE value in the noise.list file and not
search DNS names in your $MESSAGE.

To do the latter, I am afraid you'd have to combine the DNS names into a
regexp and use match() or message() to search for matches.

-- 
Bazsi

On Wed, Apr 11, 2018 at 9:08 PM, Garbacik, Joe <Joseph.Garbacik at netapp.com>
wrote:

> Can syslog-ng parse the message field for a partial match using the
> in-list function? For instance, I am querying DNS logs and want to filter
> out common domains (i.e. Microsoft.com, Redhat.com)
>
> In my list file I just have the domains, one per line, and in my config
> file I have the following: filter f_dns_noise_oklist {
> in-list("/etc/syslog-ng/lists.d/dns_noise.list", value("MESSAGE")); };
> but it doesn't seem to be working.
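
The following is an added example, not code from the thread or from the syslog-ng project, that models the two behaviours Bazsi describes: in-list() looking up the whole $MESSAGE value in the list file (so a DNS query line never matches a bare domain), versus building a single regexp from the list and using it with message(). It also renders the resulting syslog-ng filter block. The list file contents, the DNS log lines and the filter name are constructed here; the rendered filter assumes type("pcre") and flags("ignore-case") as accepted by message() in syslog-ng 3.x.

```python
import re

# Constructed stand-in for /etc/syslog-ng/lists.d/dns_noise.list (one domain per line).
NOISE_LIST = """\
microsoft.com
redhat.com
"""

# Constructed sample $MESSAGE values, shaped like BIND-style query log lines.
SAMPLE_MESSAGES = [
    "client 10.0.0.5#53211: query: www.microsoft.com IN A + (10.0.0.1)",
    "client 10.0.0.5#53211: query: update.redhat.com IN AAAA + (10.0.0.1)",
    "client 10.0.0.7#41000: query: notmicrosoft.com IN A + (10.0.0.1)",
    "client 10.0.0.7#41000: query: example.org IN A + (10.0.0.1)",
    "client 10.0.0.9#40001: query: microsoft.com.evil.example IN A + (10.0.0.1)",
    "client 10.0.0.9#40002: query: www.microsoft.com. IN A + (10.0.0.1)",
]


def load_list(text):
    """Parse list-file contents: one domain per line, blank lines and comments ignored."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def in_list_exact(message, domains):
    """Model of in-list(): the whole value is looked up, there is no substring search.
    A full DNS log line therefore never equals a bare domain from the list."""
    return message.strip().lower() in domains


def build_regex(domains):
    """Combine the list into one alternation, as the reply suggests.
    Left boundary: start of string or a non-label character (a dot is allowed, so
    www.microsoft.com matches while notmicrosoft.com does not).
    Right boundary: optional trailing dot, then end or a non-hostname character, so
    microsoft.com.evil.example is NOT suppressed as noise (only a true suffix match is)."""
    alts = "|".join(re.escape(d) for d in domains)
    return r"(?:^|[^A-Za-z0-9-])(?:" + alts + r")\.?(?:$|[^A-Za-z0-9.-])"


def compile_pattern(domains):
    return re.compile(build_regex(domains), re.IGNORECASE)


def is_noise(message, pattern):
    """True when the message mentions one of the listed domains as a whole name."""
    return pattern.search(message) is not None


def syslog_ng_filter(name, domains):
    """Render the filter block using message() with the combined regexp.
    Backslashes are doubled because syslog-ng treats them as escapes inside
    double-quoted strings; type("pcre") and flags("ignore-case") are assumed options."""
    regex = build_regex(domains).replace("\\", "\\\\")
    return (f"filter {name} {{\n"
            f'    message("{regex}"\n'
            f'            type("pcre") flags("ignore-case"));\n'
            f"}};\n")


def classify(messages, list_text):
    """Return (message, in_list_result, regex_result) for each sample line."""
    domains = load_list(list_text)
    pat = compile_pattern(domains)
    return [(m, in_list_exact(m, domains), is_noise(m, pat)) for m in messages]


if __name__ == "__main__":
    for msg, exact, rx in classify(SAMPLE_MESSAGES, NOISE_LIST):
        print(f"in-list={exact!s:5} regex={rx!s:5}  {msg}")
    print(syslog_ng_filter("f_dns_noise_oklist", load_list(NOISE_LIST)))
```

The in-list column is False for every log line, which is the behaviour the question reports; the regex column drops only lines whose queried name is one of the listed domains or a subdomain of it. Because this filter is used to discard lines, the right-hand boundary matters: a looser pattern would also silence lookups such as microsoft.com.evil.example, which is exactly the kind of query a defender wants to keep.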

