From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
by finch.gentoo.org with esmtp (Exim 4.60)
(envelope-from <gentoo-user+bounces-108996-garchives=archives.gentoo.org@lists.gentoo.org>)
id 1Nrg7f-00077p-7X
for garchives@archives.gentoo.org; Tue, 16 Mar 2010 23:24:28 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
by pigeon.gentoo.org (Postfix) with SMTP id 4DCB0E0AC9;
Tue, 16 Mar 2010 23:23:00 +0000 (UTC)
Received: from mail-pz0-f171.google.com (mail-pz0-f171.google.com [209.85.222.171])
by pigeon.gentoo.org (Postfix) with ESMTP id 1FF5BE0AC9
for <gentoo-user@lists.gentoo.org>; Tue, 16 Mar 2010 23:23:00 +0000 (UTC)
Received: by pzk1 with SMTP id 1so355443pzk.10
for <gentoo-user@lists.gentoo.org>; Tue, 16 Mar 2010 16:22:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:date:message-id:subject
:from:to:content-type;
bh=jWr3pwUWF1OClYrLn4GE15Z/eEoeJ5OjsEhwaxBYBbw=;
b=K74Ji3HNLRKxYUs1hPuhMwUnEODARN9S7IG3QR4SICoP8kOYis42tgOiVCaKClK2zG
AcdVE/Mj1ih6YX3tNVzYXO3qu8wnHYEQEu7B4DoCKD95wsV0gOYOOO2Q2meuwBmlaWWA
G3poGRjLAfvO/ppaeEyAoXzcTabFLd+6uN4/A=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=hoTbv8+gtwV8duL0V6iqKC6ngvS1U406F01Ce5X+bpej6MaiLPz+LZVfCZdyJgWWto
gtgIjaCg1QFY489eLkC1szDCG8rZZ2HXedFBpYurc52S6UUfDi5WHONx959m1Xm0WWGC
nOW5M6LuA2RB8a6kd8G7Anp8l3NyAFhCK9r3Q=
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.141.1.1 with SMTP id d1mr68185rvi.134.1268781779491; Tue, 16
Mar 2010 16:22:59 -0700 (PDT)
Date: Wed, 17 Mar 2010 12:22:59 +1300
Message-ID: <17bd4e851003161622x21b7e78chc228017250c7ff0f@mail.gmail.com>
Subject: [gentoo-user] syslog-ng filtering
From: Ralph Slooten <axllent@gmail.com>
To: gentoo-user@lists.gentoo.org
Content-Type: multipart/alternative; boundary=000e0cd0ebc8439d840481f3470d
X-Archives-Salt: d6fab40b-9bd2-4146-a05c-64a78f077472
X-Archives-Hash: 52ddfdfa1de30e0283afdc228dea86b7
--000e0cd0ebc8439d840481f3470d
Content-Type: text/plain; charset=ISO-8859-1
Hi all,
Has anyone here worked out how to filter out syslog messages using syslog-ng
v3? The old syntax doesn't work (well complains bitterly about performance
and says to use regex), and no matter what I try I cannot get the new syntax
to work :-/ I have a syslog-ng server which logs to MySQL for multiple
clients in a network, however the database just keeps growing with
irrelevant data I'd prefer to just quietly ignore on the server side.
I'm trying to filter out (exclude) messages such as:
(root) CMD (/root/bin/vmware-checker)
and
(root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
==============
filter myfilter {
not match("regex" value("\/usr\/sbin\/run-crons"))
and not match("regex" value("vmware-checker"));
}
log {
source(src);
source(remote);
filter(myfilter);
destination(d_mysql);
};
===============
However they just keep coming through the filter (ie: not matching the "not
match" filter). I've tried escaping the slashes, not escaping them ... even
partial words, but I obviously am missing something somewhere.
Anyone have any ideas?
Thanks in advance,
Ralph
--000e0cd0ebc8439d840481f3470d
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<meta http-equiv=3D"content-type" content=3D"text/html; charset=3Dutf-8"><d=
iv>Hi all,</div><div><br></div>Has anyone here worked out how to filter out=
syslog messages using=A0syslog-ng v3? The old syntax doesn't work (wel=
l complains bitterly about=A0performance and says to use regex), and no mat=
ter what I try I cannot get the new syntax to work :-/ I have a syslog-ng s=
erver which logs to MySQL for multiple clients in a network, however the da=
tabase just keeps growing with irrelevant data I'd prefer to just quiet=
ly ignore on the server side.=A0<div>
<br>I'm trying to filter out (exclude) messages such as:<br>=A0=A0(root=
) CMD (/root/bin/vmware-checker)<br>and<br>=A0=A0(root) CMD (test -x /usr/s=
bin/run-crons && /usr/sbin/run-crons )<br><br>=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D<br>filter myfilter {<br>
=A0=A0 =A0 =A0 =A0not match("regex" value("\/usr\/sbin\/run-=
crons"))<br>=A0=A0 =A0 =A0 =A0and not match("regex" value(&q=
uot;vmware-checker"));<br>}<br>log {<br>=A0=A0 =A0 =A0 =A0source(src);=
<br>=A0=A0 =A0 =A0 =A0source(remote);<br>
=A0=A0 =A0 =A0 =A0filter(myfilter);<br>=A0=A0 =A0 =A0 =A0destination(d_mysq=
l);<br>};<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D</div><div><br>Ho=
wever they just keep coming through the filter (ie: not matching the "=
not match" filter). I've tried escaping the slashes, not escaping =
them ... even partial words, but I obviously am missing something somewhere=
.</div>
<div><br>Anyone have any ideas?</div><div><br></div><div>Thanks in advance,=
</div><div>Ralph</div>
--000e0cd0ebc8439d840481f3470d--