Fantastic, you hit the nail right on the head! Works like a charm now.<div><br></div><div>Now I'm wondering how it is you found out that it was this way and not the other? Robert maintains the documentation for rsync which I did look at, but with 225 pages I wasn't able to find this useful piece of information. Man syslog-ng.conf does not explain it either, in fact I searched Google and found several "tutorials", none mentioning this ;-)</div> <div><br></div><div>Maybe I'm the idiot here, however I thought that this was a common way of getting rid of unwanted crud from the syslog? </div><div><br></div><div>Also, I just read the gentoo-wiki site page again and it says:</div> <div><br></div><div><span class="Apple-style-span" style="font-family: sans-serif; font-size: 13px; line-height: 19px; "><pre style="padding-top: 1em; padding-right: 1em; padding-bottom: 1em; padding-left: 1em; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: dashed; border-right-style: dashed; border-bottom-style: dashed; border-left-style: dashed; border-top-color: rgb(47, 111, 171); border-right-color: rgb(47, 111, 171); border-bottom-color: rgb(47, 111, 171); border-left-color: rgb(47, 111, 171); color: black; background-color: rgb(249, 249, 249); line-height: 1.1em; "> filter f_shorewall { not match("regex" value("Shorewall")); }; # Filter everything except regex keyword Shorewall</pre></span></div><div>Surely this is the exact same mistake I made? 
Either that or I'm reading it wrong....</div> <div><br></div><div><br></div><div><br></div><div><br><br><div class="gmail_quote">On 17 March 2010 23:39, Alan McKinnon <span dir="ltr">&lt;<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a>&gt;</span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Wednesday 17 March 2010 01:22:59 Ralph Slooten wrote:<br> > Hi all,<br> ><br> > Has anyone here worked out how to filter out syslog messages using<br> > syslog-ng v3? The old syntax doesn't work (well complains bitterly about<br> > performance and says to use regex), and no matter what I try I cannot get<br> > the new syntax to work :-/ I have a syslog-ng server which logs to MySQL<br> > for multiple clients in a network, however the database just keeps growing<br> > with irrelevant data I'd prefer to just quietly ignore on the server side.<br> ><br> > I'm trying to filter out (exclude) messages such as:<br> > (root) CMD (/root/bin/vmware-checker)<br> > and<br> > (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )<br> ><br> > ==============<br> > filter myfilter {<br> > not match("regex" value("\/usr\/sbin\/run-crons"))<br> > and not match("regex" value("vmware-checker"));<br> > }<br> <br> </div>Hah! This caught me out too.<br> <br> The value of "value" cannot be anything arbitrary - syslog-ng has no clue what<br> you mean. The value is a field name, either a pre-defined one, or something<br> you defined using a parser. The docs are ambiguous on this, it's not clear<br> that the supplied values are abstracts. You are trying to search for the<br> string "regex" in a field called /usr/bin/vmware-checker.<br> <br> Which obviously will not work.<br> <br> I think you want:<br> <br> match("\/usr\/sbin\/run-crons" value("MESSAGE"))<br> <br> Note that it is MESSAGE. 
You want the field name, not its dereferenced value.<br> <div><div></div><div class="h5"><br> <br> <br> > log {<br> > source(src);<br> > source(remote);<br> > filter(myfilter);<br> > destination(d_mysql);<br> > };<br> > ===============<br> ><br> > However they just keep coming through the filter (ie: not matching the "not<br> > match" filter). I've tried escaping the slashes, not escaping them ... even<br> > partial words, but I obviously am missing something somewhere.<br> ><br> > Anyone have any ideas?<br> ><br> > Thanks in advance,<br> > Ralph<br> <br> </div></div><font color="#888888">--<br> alan dot mckinnon at gmail dot com<br> </font></blockquote></div><br></div>
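<div>Added example, not part of the thread and not code from either poster: the filter from the question rewritten with the pattern as the first argument and the field name inside value(), as the reply explains. The source and destination names (src, remote, d_mysql) are the ones in the quoted log statement and are assumed to be defined elsewhere in syslog-ng.conf.</div>

```conf
# Added example for syslog-ng v3 syntax; src, remote and d_mysql are
# assumed to be defined elsewhere in the same configuration.

# Form from the question, kept here commented out for comparison.
# The first argument of match() is the pattern and value() names the
# field to search, so this looks for the literal pattern "regex" in a
# field named after the intended pattern. As the reply puts it, that
# will not work: match() does not succeed, "not match" is therefore
# true for every message, and nothing is excluded.
#
# filter myfilter {
#     not match("regex" value("\/usr\/sbin\/run-crons"))
#     and not match("regex" value("vmware-checker"));
# };

# Corrected form: pattern first, then the field name MESSAGE.
# A forward slash has no special meaning in the regular expression,
# so it is written unescaped here.
filter myfilter {
    not match("/usr/sbin/run-crons" value("MESSAGE"))
    and not match("vmware-checker" value("MESSAGE"));
};

# Messages from both sources reach the database only if they pass
# the filter, i.e. match neither pattern.
log {
    source(src);
    source(remote);
    filter(myfilter);
    destination(d_mysql);
};
```

<div>Because the patterns are unanchored, any message containing either string is dropped on the server, so keep them as specific as the noise being excluded.</div>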