[syslog-ng] Filtering out messages before any other action

Péter, Kókai peter.kokai at oneidentity.com
Wed Mar 27 06:57:50 UTC 2019


Hello,

Without the other part (where you do not expect the message to be
received) and its connection to this logpath, it is kinda hard to say much.

Logpath on the same level:
log {
  filter { message("boo"); };

  flags(final);
};

log {
   flags(final);
};

In this case, if the first logpath "accepts" the message (the filter matches in
this example), the other logpath is never going to see the message. Otherwise
it will.

But if you use *if* in the first logpath:

log {
  if {
  filter { message("boo"); };
  };

  flags(final);
};

It does not matter if the *filter* matches or not, as either way the
logpath "accepts" the log, so the other logpath (not speaking about embedded
logpaths) won't see the message.

If you use embedded logpath:


log {
  if {
  filter { message("boo"); };
  };

  log {
     #inner path
  };

  flags(final);
};

Despite the result of the previous *if*, the inner logpath is going to get
the message.


Do you have a specific use case to *drop* the message via writing it into
"/dev/null" ?

--
Kokan

On Tue, Mar 26, 2019 at 2:14 PM Faine, Mark R. (MSFC-IS40)[NICS] <
mark.faine at nasa.gov> wrote:

> I have the following as the first log path in my configuration; however,
> my understanding is that this should match any message with the text
> 'type=traffic' AND any of the listed policyid=## or a message with the text
> 'action=timeout'. Flags(final) indicates that it should not be further
> processed by any other log path. However, I'm still seeing messages that
> should be discarded. Am I doing something wrong?
>
> log {
>   if {
>     filter { message('type=traffic') };
>     filter {
>       (
>         message('policyid=35 ')      or
>         message('policyid=37 ')      or
>         message('policyid=38 ')      or
>         message('policyid=40_D ')    or
>         message('policyid=5 ')       or
>         message('policyid=10 ')      or
>         message('policyid=12 ')      or
>         message('policyid=50 ')      or
>         message('policyid=3 ')       or
>         message('action=timeout ')
>       )
>     };
>     destination {
>       file("/dev/null");
>     };
>   };
>   flags(final);
> };
>
> Thanks,
> -Mark
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
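The drop pattern the reply describes, worked out as a complete configuration (an added example, not taken from this thread or from syslog-ng's own documentation): the questioner's filter expression is moved into a top-level log path that has flags(final) and no destination, so only messages the filter matches are consumed and everything else reaches the second path. The source s_net and destination d_archive are assumed names.

```conf
# Assumed names: s_net (UDP syslog listener) and d_archive (file output).
source s_net { network(ip("0.0.0.0") port(514) transport("udp")); };
destination d_archive { file("/var/log/remote/${HOST}.log"); };

# Same expression as in the question, kept as a named filter so it can be
# reused. 'type=traffic' AND any of the listed policyids, or 'action=timeout'.
filter f_noise_traffic {
  message('type=traffic') and (
    message('policyid=35 ')   or
    message('policyid=37 ')   or
    message('policyid=38 ')   or
    message('policyid=40_D ') or
    message('policyid=5 ')    or
    message('policyid=10 ')   or
    message('policyid=12 ')   or
    message('policyid=50 ')   or
    message('policyid=3 ')    or
    message('action=timeout ')
  );
};

# 1) Drop path. It must be the FIRST top-level log statement. The filter sits
#    directly in the path (not inside an if {} block), so the path only
#    "accepts" a message when the filter is true; only then does flags(final)
#    stop further processing. A non-matching message is not accepted here and
#    continues to the next path. No destination is needed: a matched message
#    is simply never forwarded anywhere, so nothing is formatted or written.
log {
  source(s_net);
  filter(f_noise_traffic);
  flags(final);
};

# 2) Everything that was not consumed by the drop path lands here.
log {
  source(s_net);
  destination(d_archive);
};
```

Wrapping the filter in if { ... } instead, as in the question, makes the first path accept every message (matching or not), so flags(final) then stops all of them.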