From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-user+bounces-109003-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1NrjKP-0007Cl-Eq
	for garchives@archives.gentoo.org; Wed, 17 Mar 2010 02:49:49 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 4BD7CE082B;
	Wed, 17 Mar 2010 02:49:01 +0000 (UTC)
Received: from mail-pz0-f204.google.com (mail-pz0-f204.google.com [209.85.222.204])
	by pigeon.gentoo.org (Postfix) with ESMTP id 1403AE082B
	for <gentoo-user@lists.gentoo.org>; Wed, 17 Mar 2010 02:49:01 +0000 (UTC)
Received: by pzk42 with SMTP id 42so419774pzk.32
        for <gentoo-user@lists.gentoo.org>; Tue, 16 Mar 2010 19:49:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:in-reply-to:references
         :date:message-id:subject:from:to:content-type;
        bh=pgc0bgvT4+j5QIs+05WFAFvZJPXOtWvbZzSv9Y6FfaM=;
        b=k/IWwWlWxXpQgTArq7IsGHP+sKSkyHerdLSZ2YFm3rCVD4nKrsqZXQ6wr9ePgIoYrZ
         wWoBdXc3UynWFdpcVp8dVidM/CDPcnVUZIXgOr63Iq77G4rspqGBi/ISTGO/fDVRpdAn
         IWRiove7oNAEj73mCmWPCUcfI8lJIwz7zzJFI=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        b=MoK8kDhtXxFsfxs8CtPze55B5EVrQa6N0uW4H/MskmfMdRVOux3+0IVmgIuafaDvcL
         GyXi+wTcqflMPouiVzxJ6bsEBzvex9NeWW+5TdPRVi0Dt2sfB8Bda8lv1YM5fDb4zbfq
         jmki+EuH2MXM8EznRv5eFBIG9tstQaPqNLDQQ=
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.141.125.5 with SMTP id c5mr258520rvn.320.1268794140555; Tue, 
	16 Mar 2010 19:49:00 -0700 (PDT)
In-Reply-To: <06BE1C10-57F5-4568-9190-AC4A718F4034@wright.org>
References: <17bd4e851003161622x21b7e78chc228017250c7ff0f@mail.gmail.com>
	 <06BE1C10-57F5-4568-9190-AC4A718F4034@wright.org>
Date: Wed, 17 Mar 2010 15:49:00 +1300
Message-ID: <17bd4e851003161949m69b27505ja45e07b48180135c@mail.gmail.com>
Subject: Re: [gentoo-user] syslog-ng filtering
From: Ralph Slooten <axllent@gmail.com>
To: gentoo-user@lists.gentoo.org
Content-Type: multipart/alternative; boundary=0003255646d20a7a470481f628c1
X-Archives-Salt: cdf39460-ec47-43ff-91d7-ba270e0bd10a
X-Archives-Hash: 74994c165374bd49e360f9d9952ab50d

--0003255646d20a7a470481f628c1
Content-Type: text/plain; charset=ISO-8859-1

On 17 March 2010 13:00, Roy Wright <roy@wright.org> wrote:
>
> I just started with the example at:
> http://en.gentoo-wiki.com/wiki/Syslog-ng
>
> HTH,
> Roy

Thanks Roy, however they have the same syntax which isn't working on my
side.

filter f_shorewall { not match("regex" value("Shorewall")); }


I just tried a single rule (to make sure it wasn't my syntax):

filter killVmMessages {
        not match("regex" value("vmware-checker"));
};

yet the "(root) CMD (/root/bin/vmware-checker)" messages still go through?!

log {
        source(src);
        source(remote);
        filter(myfilter);
        filter(killVmMessages);
        destination(d_mysql);
};

I'm really stumped here. All other filters (non regex) works fine though,
such as facility() & host().

Are you able to filter by content?

Ralph

--0003255646d20a7a470481f628c1
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<br>On 17 March 2010 13:00, Roy Wright &lt;<a href=3D"mailto:roy@wright.org=
">roy@wright.org</a>&gt; wrote:<br>&gt;<br>&gt; I just started with the exa=
mple at:<br>&gt; <a href=3D"http://en.gentoo-wiki.com/wiki/Syslog-ng">http:=
//en.gentoo-wiki.com/wiki/Syslog-ng</a><br>
&gt;<br>&gt; HTH,<br>&gt; Roy<br><br>Thanks Roy, however they have the same=
 syntax which isn&#39;t working on my side.<div><br></div><blockquote class=
=3D"webkit-indent-blockquote" style=3D"margin: 0 0 0 40px; border: none; pa=
dding: 0px;">
<div>filter f_shorewall { not match(&quot;regex&quot; value(&quot;Shorewall=
&quot;)); }=A0</div></blockquote><div><br>I just tried a single rule (to ma=
ke sure it wasn&#39;t my syntax):</div><div><br>filter killVmMessages {<br>
=A0=A0 =A0 =A0 =A0not match(&quot;regex&quot; value(&quot;vmware-checker&qu=
ot;));<br>};</div><div><br>yet the &quot;(root) CMD (/root/bin/vmware-check=
er)&quot; messages still go through?!=A0</div><div><br></div><div><div>log =
{</div><div>
=A0=A0 =A0 =A0 =A0source(src);</div><div>=A0=A0 =A0 =A0 =A0source(remote);<=
/div><div>=A0=A0 =A0 =A0 =A0filter(myfilter);</div><div>=A0=A0 =A0 =A0 =A0f=
ilter(killVmMessages);</div><div>=A0=A0 =A0 =A0 =A0destination(d_mysql);</d=
iv><div>};</div><div><br></div><div>I&#39;m really stumped here. All other =
filters (non regex) works fine though, such as=A0facility() &amp;=A0host().=
</div>
<div class=3D"gmail_quote"><div><br></div><div>Are you able to filter by co=
ntent?</div><div><br></div><div>Ralph</div></div></div>

--0003255646d20a7a470481f628c1--