Date: Wed, 17 Mar 2010 12:22:59 +1300
Message-ID: <17bd4e851003161622x21b7e78chc228017250c7ff0f@mail.gmail.com>
Subject: [gentoo-user] syslog-ng filtering
From: Ralph Slooten <axllent@gmail.com>
To: gentoo-user@lists.gentoo.org

Hi all,

Has anyone here worked out how to filter out syslog messages using syslog-ng
v3? The old syntax doesn't work (well, it complains bitterly about performance
and says to use regex), and no matter what I try I cannot get the new syntax
to work :-/ I have a syslog-ng server which logs to MySQL for multiple
clients in a network; however, the database just keeps growing with
irrelevant data I'd prefer to just quietly ignore on the server side.

I'm trying to filter out (exclude) messages such as:
  (root) CMD (/root/bin/vmware-checker)
and
  (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

==============
filter myfilter {
        not match("regex" value("\/usr\/sbin\/run-crons"))
        and not match("regex" value("vmware-checker"));
}
log {
        source(src);
        source(remote);
        filter(myfilter);
        destination(d_mysql);
};
===============

However, they just keep coming through the filter (i.e. not matching the "not
match" filter). I've tried escaping the slashes, not escaping them ... even
partial words, but I obviously am missing something somewhere.

Anyone have any ideas?

Thanks in advance,
Ralph
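A corrected version of the filter, added here as an example and not taken from the original message. It assumes syslog-ng 3.x, the same src/remote/d_mysql objects as in the post, and that the clients' cron daemon logs under the program name "cron" (that name is an assumption).

```conf
# Added example, not from the original post. Assumes syslog-ng 3.x and that
# the src, remote and d_mysql objects are defined elsewhere in the config.
#
# match() takes the regular expression as its first argument; value("MESSAGE")
# names the field the pattern is tested against. The original filter reversed
# these, testing the literal string "regex" against a field called
# "/usr/sbin/run-crons", which never matches. Forward slashes are ordinary
# characters in both the POSIX and PCRE regex types, so they need no escaping.
filter f_cron_noise {
        match("/usr/sbin/run-crons" value("MESSAGE"))
        or match("vmware-checker" value("MESSAGE"));
};

# Keep the drop rule narrow: only messages logged by cron are candidates, so an
# unrelated program that happens to mention these paths is still recorded in
# the database. program() is also a regex, so "cron" matches "crond" as well.
# (The program name "cron" is an assumption about the clients' cron daemon.)
filter f_keep {
        not (program("cron") and filter(f_cron_noise));
};

# Each top-level statement, including the filter blocks above, ends with ";".
log {
        source(src);
        source(remote);
        filter(f_keep);
        destination(d_mysql);
};
```

Check the file with "syslog-ng -s -f /path/to/syslog-ng.conf" before reloading, and confirm on the database side that the two cron lines stop arriving while other messages from the same hosts still do.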
