List: syslog-ng
Subject: Re: [syslog-ng] Regex and Syslog-ng
From: "Fegan, Joe" <Joe.Fegan () hp ! com>
Date: 2009-04-16 17:44:52
Message-ID: 0E6222894DE49B40A3A9FD929C630BCB53F3789FED () GVW1121EXC ! americas ! hpqcorp ! net
You don't need the filter f_autres.
Use flags(final) in the first two log() statements, which means "if you take this path do not evaluate any subsequent ones". That way, only messages that do not match the first two log() statements will ever reach the third log() statement. In the third log() statement you should have no filter because you want to log everything that got this far.
Joe.
________________________________
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Julien Vermet
Sent: 16 April 2009 17:01
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Regex and Syslog-ng
Hello
I have a problem with syslog-ng using match() in my filters. Here is the part of my syslog-ng.conf:
"
######
# sources

# all known message sources
source s_all {
    file("/etc/syslog-ng/logtest" follow_freq(1));
};


######
# destinations

destination d_apache {
    file("/etc/syslog-ng/logapache");
};

destination d_system {
    file("/etc/syslog-ng/logsystem");
};

destination d_autres {
    file("/etc/syslog-ng/logautres");
};

######
# filters

filter f_apache {
    match(apache);
};

filter f_system {
    match(system);
};

filter f_autres {
    match((?!apache));
};


######
# logs

log {
    source(s_all);
    filter(f_apache);
    destination(d_apache);
};

log {
    source(s_all);
    filter(f_system);
    destination(d_system);
};

log {
    source(s_all);
    filter(f_autres);
    destination(d_autres);
};
"
As you can see, I want to search in lines if the string apache is present, if system is present or if apache is not present. The first two filters are OK, but the third doesn't work. Can you help me to solve the problem?
Thanks.
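
Added example (not part of either message): the configuration from the original post rewritten the way the reply describes, with flags(final) on the first two log paths and an unfiltered third path. Source, destination and filter names are reused from the post; the quoting of the match() arguments is a choice made here.

```conf
# Added example: Julien's log paths rewritten as Joe describes.
# source/destination/filter names are taken from the original post.

source s_all {
    file("/etc/syslog-ng/logtest" follow_freq(1));
};

destination d_apache { file("/etc/syslog-ng/logapache"); };
destination d_system { file("/etc/syslog-ng/logsystem"); };
destination d_autres { file("/etc/syslog-ng/logautres"); };

filter f_apache { match("apache"); };
filter f_system { match("system"); };
# f_autres is dropped: the catch-all path below needs no filter.

# Log paths are evaluated in the order they appear in the file.
# flags(final) stops evaluation for a message once it has matched this path.
log {
    source(s_all);
    filter(f_apache);
    destination(d_apache);
    flags(final);
};

# Only reached by messages that did not match f_apache.
# A line containing both "apache" and "system" therefore lands in
# logapache only, where the original config would have written it to both.
log {
    source(s_all);
    filter(f_system);
    destination(d_system);
    flags(final);
};

# Catch-all: everything that got this far goes to logautres.
log {
    source(s_all);
    destination(d_autres);
};
```

Because flags(final) depends on evaluation order, the catch-all path has to stay last in the file; any log path placed after it would still see every message.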