Filters perform log routing within syslog-ng: a message passes the filter if the filter expression is true for the particular message. If a log statement includes filters, the messages are sent to the destinations only if they pass all filters of the log path. For example, a filter can select only the messages originating from a particular host. Complex filters can be created using filter functions and logical boolean expressions.
To define a filter, add a filter statement to the syslog-ng configuration file using the following syntax:
filter <identifier> { expression; };
The expression may contain the following elements:
The functions listed in Table 9.13, “Filter functions in syslog-ng”. Some of the functions accept extended regular expressions as parameters.
Parentheses
The boolean operators and, or, not
Example 3.7. A simple filter statement
The following filter statement selects the messages that contain the word deny and originate from the host example:
filter demo_filter { host("example") and match("deny"); };
For the filter to have effect, include it in a log statement:
log demo_filteredlog{
source(s1); source(s2);
filter(demo_filter);
destination(d1); destination(d2); };
The following filter statement uses a regular expression in the host() function: it selects the messages that contain the word deny and originate from hosts whose name matches system.*1 (for example system1 or system21):
filter demo_regexp_filter { host("system.*1") and match("deny"); };
Note
When a log statement includes multiple filter statements, syslog-ng sends a message to the destination only if all filters are true for the message. In other words, the filters are connected with the logical AND operation. For example, the following log statement forwards a message only if it comes from both example1 and example2, which no message can satisfy:
filter demo_filter1 { host("example1"); };
filter demo_filter2 { host("example2"); };
log demo_filteredlog{
source(s1); source(s2);
filter(demo_filter1); filter(demo_filter2);
destination(d1); destination(d2); };
To select the messages that come from either host example1 or host example2, connect the host() functions with the or operator in a single filter:
filter demo_filter { host("example1") or host("example2"); };
log demo_filteredlog{
source(s1); source(s2);
filter(demo_filter);
destination(d1); destination(d2); };
In the extended regular expressions, the characters ()[].*?+^$
are used as special symbols. Therefore, these characters have to be preceded with a
backslash (\) if they are meant literally. For example, the
\$40 expression matches the $40
string. Backslashes have to be escaped as well if they are meant literally. For example,
the \\d expression matches the \d string.
By default, all regular expressions are case sensitive. To disable the case
sensitivity of the expression, start the expression with the (?i)
string.
filter demo_regexp_insensitive { host("(?i)system"); };
The level() filter can select messages corresponding
to a single importance level, or a level-range. To select messages of a specific level,
use the name of the level as a filter parameter, e.g., use the following to select
warning messages:
level(warning)
To select a range of levels, include the beginning and the ending level in the filter,
separated with two dots (..). For example, to select every
message of error or higher level, use the following filter:
level(err..emerg)
Similarly, messages sent by a range of facilities can also be selected. Note that this is only possible when using the names of the facilities; ranges cannot be specified with the numerical codes of the facilities.
facility(local0..local5)
For a complete list of the available levels and facilities, and for a complete description of the above functions, see Section 9.4, “Filter functions”.
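The filter semantics described in this section (Example 3.7, the regular expression escaping rules, and the level and facility ranges) modelled in Python as an added example; this is not syslog-ng code. It assumes that host() and match() are unanchored searches and that ranges are inclusive over the numeric codes, it uses Python's re module in place of POSIX extended regular expressions, and the message records and the facility table are constructed for the example.

```python
import re

# Severity names ordered by numeric code (emerg=0 ... debug=7) and the
# facility codes this model knows (a subset; local0..local7 are 16..23).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {n: i for i, n in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"])}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})

def _codes(table, spec):
    """Expand 'name' or 'first..last' (inclusive, names only) into a set of codes."""
    lookup = table if isinstance(table, dict) else {n: i for i, n in enumerate(table)}
    first, _, last = spec.partition("..")
    lo, hi = sorted((lookup[first], lookup[last or first]))
    return set(range(lo, hi + 1))

# Each filter function returns a predicate over a message dict, so filters
# compose with and_/or_/not_ the way syslog-ng's and/or/not combine them.
def host(pattern):
    return lambda m: re.search(pattern, m["host"]) is not None

def match(pattern):
    return lambda m: re.search(pattern, m["msg"]) is not None

def level(spec):
    wanted = _codes(LEVELS, spec)
    return lambda m: LEVELS.index(m["level"]) in wanted

def facility(spec):
    wanted = _codes(FACILITIES, spec)
    return lambda m: FACILITIES[m["facility"]] in wanted

def and_(*fs): return lambda m: all(f(m) for f in fs)
def or_(*fs):  return lambda m: any(f(m) for f in fs)
def not_(f):   return lambda m: not f(m)

def log_path(messages, *filters):
    """Mirror a log statement with several filter() references: a message reaches
    the destinations only if every listed filter is true for it."""
    return [m for m in messages if all(f(m) for f in filters)]

# Constructed sample messages (not from any real system).
MESSAGES = [
    {"host": "example", "facility": "auth", "level": "warning", "msg": "login deny for root"},
    {"host": "System21", "facility": "local3", "level": "err", "msg": "firewall deny tcp/23"},
    {"host": "example", "facility": "local6", "level": "info", "msg": "price is $40 today"},
    {"host": "system1", "facility": "kern", "level": "debug", "msg": "allow udp/53"},
]
```

Running host("system.*1") against the samples selects nothing because of the capitalised System21, while host("(?i)system.*1") selects it, and match("$40") selects nothing while match(r"\$40") finds the literal string.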
© 2007 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com