From: Fred Leon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] syslog-ng filtering
Date: Wed, 17 Mar 2010 11:48:09 +0100
Message-ID: <20100317114809.15276ejrcffkv3hl@mail.drakonix.fr>
In-Reply-To: <17bd4e851003161949m69b27505ja45e07b48180135c@mail.gmail.com>
References: <17bd4e851003161622x21b7e78chc228017250c7ff0f@mail.gmail.com> <06BE1C10-57F5-4568-9190-AC4A718F4034@wright.org> <17bd4e851003161949m69b27505ja45e07b48180135c@mail.gmail.com>
List-Id: Gentoo Linux mail
Ralph Slooten wrote:
> On 17 March 2010 13:00, Roy Wright wrote:
>>
>> I just started with the example at:
>> http://en.gentoo-wiki.com/wiki/Syslog-ng
>>
>> HTH,
>> Roy
>
> Thanks Roy, however they have the same syntax which isn't working on my
> side.
>
> filter f_shorewall { not match("regex" value("Shorewall")); }
>
> I just tried a single rule (to make sure it wasn't my syntax):
>
> filter killVmMessages {
>     not match("regex" value("vmware-checker"));
> };
>
> yet the "(root) CMD (/root/bin/vmware-checker)" messages still go through?!
>
> log {
>     source(src);
>     source(remote);
>     filter(myfilter);
>     filter(killVmMessages);
>     destination(d_mysql);
> };
>
> I'm really stumped here. All other filters (non-regex) work fine though,
> such as facility() & host().
>
> Are you able to filter by content?
>
> Ralph

Perhaps you could try this, which is working for me and lets me filter all messages coming from iptables:

# firewall logging
destination iptables { file("/var/log/firewall/iptables.log"); };
filter f_iptables { message("iptables"); };
log { source(s_all); filter(f_iptables); destination(iptables); };

# all messages coming from kern
destination df_kern { file("/var/log/system/kern.log"); };
filter f_kern { facility(kern) and not filter(f_iptables); };
log { source(s_all); filter(f_kern); destination(df_kern); };

Fred
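As an added example (not code from Fred's or Ralph's mail), here is Fred's pattern applied to Ralph's case: a negated content filter that drops the cron lines mentioning vmware-checker and lets everything else through. The source and destination names (s_all, d_log), the file path, and the @version line are assumptions; the file destination stands in for Ralph's MySQL one. The filter functions themselves (message(), match() with value(), not, and, filter()) are syslog-ng 3.x syntax, the same family Fred's working config uses.

```conf
# Added example, not part of the thread. Drops cron lines that mention
# vmware-checker and shows the two equivalent spellings of a content filter.
# Source and destination names, the file path and the @version line are
# assumptions; the file destination stands in for Ralph's MySQL one.
@version: 3.0

source s_all {
    internal();
    unix-stream("/dev/log");
};

# message(REGEX) tests the message body with an unanchored POSIX ERE,
# so a plain substring is enough when it contains no regex metacharacters.
filter f_vmware { message("vmware-checker"); };

# Same test spelled with match(): the first argument is the regex and
# value() names the field to test ("MESSAGE" is the message body).
# Note the order: the regex comes first, the field name goes inside value().
filter f_vmware_alt { match("vmware-checker" value("MESSAGE")); };

# Negate the content filter to keep everything that does NOT mention it.
filter f_not_vmware { not filter(f_vmware); };

destination d_log { file("/var/log/messages"); };

# Filters listed in one log path are ANDed: a message must pass every one.
log {
    source(s_all);
    filter(f_not_vmware);
    destination(d_log);
};
```

Two caveats worth checking before reloading: the regex is an extended regular expression, so matching the full line "(root) CMD (/root/bin/vmware-checker)" would need the parentheses escaped, which is why the substring form above is simpler; and `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` parses the file and exits without starting the daemon, so a misplaced argument in match() is caught before the live config is replaced.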