From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Cc: Ralph Slooten
Subject: Re: [gentoo-user] syslog-ng filtering
Date: Wed, 17 Mar 2010 12:39:47 +0200

On Wednesday 17 March 2010 01:22:59 Ralph Slooten wrote:
> Hi all,
>
> Has anyone here worked out how to filter out syslog messages using
> syslog-ng v3? The old syntax doesn't work (well complains bitterly about
> performance and says to use regex), and no matter what I try I cannot get
> the new syntax to work :-/ I have a syslog-ng server which logs to MySQL
> for multiple clients in a network, however the database just keeps growing
> with irrelevant data I'd prefer to just quietly ignore on the server side.
>
> I'm trying to filter out (exclude) messages such as:
> (root) CMD (/root/bin/vmware-checker)
> and
> (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
>
> ==============
> filter myfilter {
> not match("regex" value("\/usr\/sbin\/run-crons"))
> and not match("regex" value("vmware-checker"));
> }

Hah! This caught me out too.

The value of "value" cannot be anything arbitrary - syslog-ng has no clue what
you mean. The value is a field name, either a pre-defined one, or something
you defined using a parser. The docs are ambiguous on this, it's not clear
that the supplied values are abstracts.

You are trying to search for the string "regex" in a field called
/usr/bin/vmware-checker. Which obviously will not work.

I think you want:

match("\/usr\/sbin\/run-crons" value("MESSAGE"))

Note that it is MESSAGE. You want the field name, not its dereferenced value.

> log {
> source(src);
> source(remote);
> filter(myfilter);
> destination(d_mysql);
> };
> ===============
>
> However they just keep coming through the filter (ie: not matching the "not
> match" filter). I've tried escaping the slashes, not escaping them ... even
> partial words, but I obviously am missing something somewhere.
>
> Anyone have any ideas?
>
> Thanks in advance,
> Ralph

--
alan dot mckinnon at gmail dot com
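
A simplified Python model of the argument mix-up discussed in this message, added here as an example (it is not code from the thread or from syslog-ng). It assumes that a field name which does not exist reads as an empty string; the `match` helper, the filter function names and the sample messages (including the sshd line) are constructed for illustration.

```python
import re

# Constructed sample messages as name-value pairs (MESSAGE/PROGRAM fields).
SAMPLES = [
    {"PROGRAM": "cron", "MESSAGE": "(root) CMD (/root/bin/vmware-checker)"},
    {"PROGRAM": "cron",
     "MESSAGE": "(root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )"},
    {"PROGRAM": "sshd",
     "MESSAGE": "Failed password for invalid user admin from 192.0.2.10 port 4711 ssh2"},
]


def match(pattern, value, msg):
    """Model of match(pattern value(field)): search `pattern` in the named field.

    Assumption: an unknown field name reads as an empty string.
    """
    return re.search(pattern, msg.get(value, "")) is not None


def broken_filter(msg):
    # Arguments as in the question: "regex" is the pattern, the path is
    # taken as the field name. No such field exists, so match() is always
    # false and "not match" is always true.
    return (not match("regex", "/usr/sbin/run-crons", msg)
            and not match("regex", "vmware-checker", msg))


def fixed_filter(msg):
    # Arguments as in the reply: the path is the pattern, MESSAGE the field.
    return (not match(r"/usr/sbin/run-crons", "MESSAGE", msg)
            and not match(r"vmware-checker", "MESSAGE", msg))


def passed(filter_fn, messages=SAMPLES):
    """Return the MESSAGE text of every message the filter lets through."""
    return [m["MESSAGE"] for m in messages if filter_fn(m)]


if __name__ == "__main__":
    for name, fn in (("broken", broken_filter), ("fixed", fixed_filter)):
        print(f"{name} filter passes:")
        for text in passed(fn):
            print("   ", text)
```

Running a candidate exclusion filter against a handful of known messages like this, including at least one that must never be dropped, catches both a filter that matches nothing and one that matches too much before it reaches the log server.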