[syslog-ng] Dropping specific messages from Syslog-NG

Bell, Christopher E. cbel0003 at shands.ufl.edu
Fri Apr 5 13:46:53 UTC 2019 

Thanks for the advice!  I will fix the incorrect Boolean usage and add some quotes to my match statement.  

Chris Bell
Network Engineer
352-273-9186 (w) 
ext 39186

-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Fabien Wernli
Sent: Friday, April 5, 2019 8:59 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Dropping specific messages from Syslog-NG

CAUTION! This email came from outside UF or UF Health. Exercise extra caution clicking links and opening attachments from any and all senders.
________________________________



Hi,

It seems your setup incorrectly parses the "syslog" messages.
The latest syslog-ng versiosn have improved Cisco parsing code, so I suggest you try those first.

In any case, I can see two problems with your filter:

> filter f_trash { match(SNMP-3-RESPONSE_DELAYED value(MSGHDR)); and
>
> match(NTP Receive dropping message value(MSG))};

1. it matches only messages with both "SNMP" and "NTP" strings, which is not what you seem to want.

2. "SNMP" seems to be in the MSG macro instead, although I can't be sure

3. use quotes in the match() argument

Cheers

______________________________________________________________________________
Member info: https://imsva91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2flists.balabit.hu%2fmailman%2flistinfo%2fsyslog%2dng&umid=CBD5BD1D-85C8-0B05-9935-06C0C44CDDAB&auth=5ab06289d9c3b14f9a77f69d29e7a25870e86301-668cd55c1c0efe97a6b3bf6b93b9cde008eeec8f
Documentation: https://imsva91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fwww.balabit.com%2fsupport%2fdocumentation%2f%3fproduct%3dsyslog%2dng&umid=CBD5BD1D-85C8-0B05-9935-06C0C44CDDAB&auth=5ab06289d9c3b14f9a77f69d29e7a25870e86301-6f420cb59d9d4d6e9a00458f72bed51b0e4955f8
FAQ: https://imsva91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%2fwww.balabit.com%2fwiki%2fsyslog%2dng%2dfaq&umid=CBD5BD1D-85C8-0B05-9935-06C0C44CDDAB&auth=5ab06289d9c3b14f9a77f69d29e7a25870e86301-60d9687726ac563a31782a9c903f542c8ffb86a3

More information about the syslog-ng mailing list