[syslog-ng] Filter matching not working

Saqib M saqib.m at cummins.com
Thu Dec 3 00:48:18 UTC 2020


Greetings -

I have been trying to create a very basic filter that looks up a string in the incoming log. However, it would not match any filter and would go to the default filter. I have tried both match() and message(), neither worked for me. Please let me know if you think I am missing something.

Following are the chunks from the syslog-ng.conf

source s_net {
        # All syslog traffic on port 514 - this is direct from network devices.
        udp(port(514));
        network(transport("tcp") max-connections(20000) log_iw_size(100000000) ); # tags("fortigate", "cisco", "default") );
};

filter f_discreg { message("default send string")  };

log { source(s_net); filter(f_dlptracker); destination(d_dlptracker); flags(final); };

Here is the log from the test I ran.

[2020-12-02T22:00:36+0000] Incoming log entry; source='s_net#0', line='default send string'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match', filter_type='OR'
[2020-12-02T22:00:46+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_tanium'
[2020-12-02T22:00:46+0000] Filter rule evaluation begins; filter_rule='f_palo_alto'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match', filter_type='OR'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match', filter_type='OR'
[2020-12-02T22:00:46+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_palo_alto'
[2020-12-02T22:00:46+0000] Filter rule evaluation begins; filter_rule='f_dlptracker'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-02T22:00:46+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_dlptracker'
[2020-12-02T22:00:46+0000] Outgoing message; destination='d_fallback#0', message='2020-12-02T22:00:46+00:00 172.17.236.3 default send string\x0a'

Regards,

Saqib M
Cybersecurity Co-op
Global Cybersecurity Technologies
Email: saqib.m at cummins.com
Cummins Inc.
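As an added example, not part of Saqib's message or of the syslog-ng project: a small Python script that does by code what a reviewer of the material above would do by hand. It groups syslog-ng's filter trace into one record per incoming message (which filter rules were evaluated, with what verdict, and which destination the message finally reached), cross-checks the filter names defined in a config chunk against the names referenced from log statements, and approximates filter message("...") as an unanchored regex search on the MESSAGE part using Python's re module (syslog-ng itself uses PCRE; for plain string patterns the behaviour is the same). The config and trace strings are copied from the post and embedded as constructed input; the function names are this example's own. On the quoted chunk the cross-check reports f_discreg as defined but never referenced and f_dlptracker as referenced but not defined, which only says they are absent from the chunk shown, not from the full configuration.

```python
import re

# Constructed sample input: the config chunk and the filter trace quoted in
# the post above, embedded as strings so the script runs offline.
CONFIG = r'''
filter f_discreg { message("default send string")  };

log { source(s_net); filter(f_dlptracker); destination(d_dlptracker); flags(final); };
'''

TRACE = r"""
[2020-12-02T22:00:36+0000] Incoming log entry; source='s_net#0', line='default send string'
[2020-12-02T22:00:46+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_tanium'
[2020-12-02T22:00:46+0000] Filter rule evaluation begins; filter_rule='f_palo_alto'
[2020-12-02T22:00:46+0000] Filter node evaluation result; filter_result='not-match'
[2020-12-02T22:00:46+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_palo_alto'
[2020-12-02T22:00:46+0000] Filter rule evaluation begins; filter_rule='f_dlptracker'
[2020-12-02T22:00:46+0000] Filter rule evaluation result; filter_result='not-match', filter_rule='f_dlptracker'
[2020-12-02T22:00:46+0000] Outgoing message; destination='d_fallback#0', message='2020-12-02T22:00:46+00:00 172.17.236.3 default send string\x0a'
"""

# "[timestamp] Event name; key='value', key='value'"
TRACE_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<event>[^;]+);\s*(?P<kv>.*)$")
# key='value' pairs; values may contain backslash escapes such as \x0a
KV_PAIR = re.compile(r"(\w+)='((?:[^'\\]|\\.)*)'")


def parse_trace(text):
    """Group a syslog-ng filter trace into one record per incoming message.

    Each record holds the raw incoming line, every filter rule that was
    evaluated together with its verdict, and the destination the message
    finally reached. Node-level lines (the individual terms inside a rule)
    are skipped; the rule-level verdicts are what decide which log path fires.
    """
    records = []
    current = None
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw)
        if not m:
            continue
        event = m.group("event").strip()
        fields = dict(KV_PAIR.findall(m.group("kv")))
        if event == "Incoming log entry":
            current = {"line": fields.get("line"), "rules": {}, "destination": None}
            records.append(current)
        elif current is None:
            continue  # trace started mid-message; nothing to attach this to
        elif event == "Filter rule evaluation result":
            current["rules"][fields["filter_rule"]] = fields["filter_result"]
        elif event == "Outgoing message":
            current["destination"] = fields.get("destination")
    return records


def filter_usage(config_text):
    """Cross-check filter names: those defined with `filter name { ... };`
    against those referenced as `filter(name)` inside log statements."""
    defined = set(re.findall(r"^\s*filter\s+(\w+)\s*\{", config_text, re.M))
    referenced = set(re.findall(r"\bfilter\(\s*(\w+)\s*\)", config_text))
    return {
        "defined_unused": sorted(defined - referenced),
        "referenced_undefined": sorted(referenced - defined),
    }


def message_matches(pattern, message):
    """Approximate filter message("pattern"): an unanchored regex search on the
    MESSAGE part only, i.e. the text after any syslog header has been parsed
    off, not the raw line as it arrived on the wire."""
    return re.search(pattern, message) is not None


if __name__ == "__main__":
    for rec in parse_trace(TRACE):
        verdicts = ", ".join(f"{name}={result}" for name, result in rec["rules"].items())
        print(f"line={rec['line']!r} -> {rec['destination']} [{verdicts}]")
    print(filter_usage(CONFIG))
    print(message_matches("default send string", "172.17.236.3 default send string\n"))
```

Run it against a longer trace captured with syslog-ng's debug/trace output to get one summary line per message instead of reading dozens of node-level lines; the two checks at the end are the first things to confirm before looking deeper at why a rule did not match.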
