The following functions may be used in the filter statement, as described in Section 3.6, “Filters”.
| Name | Synopsis | Description |
|---|---|---|
| facility() | facility(facility[,facility]) | Match messages having one of the listed facility codes. An alternate syntax permits the use of arbitrary facility codes. |
| facility() | facility(<numeric facility code>) | An alternate syntax for facility permitting the use of an arbitrary facility code. Facility codes 0-23 are predefined and can be referenced by their usual name. Facility codes above 24 are not defined but can be used by this alternate syntax. |
| filter() | filter(filtername) | Call another filter rule and evaluate its value. |
| host() | host(regexp) | Match messages by using a regular expression against the hostname field of log messages. |
| level() or priority() | level(pri[,pri1..pri2[,pri3]]) | Match messages based on priority. |
| match() | match(regexp) | Match a regular expression to the headers and the message itself (i.e., the values returned by the MSGHDR and MSG macros). Note that in syslog-ng version 2.1 and earlier, the match() filter was applied only to the text of the message, excluding the headers. This functionality has been moved to the message() filter. To limit the scope of the match to a specific part of the message (identified with a macro), use the match(regexp value("MACRO")) syntax. Do not include the $ sign in the parameter of the value() option. |
| message() | message(regexp) | Match a regular expression to the text of the log message, excluding the headers (i.e., the value returned by the MSG macro). Note that in syslog-ng version 2.1 and earlier, this functionality was performed by the match() filter. |
| netmask() | netmask(ip/mask) | Select only messages sent by a host whose IP address belongs to the specified IP subnet. Note that this filter checks the IP address of the last-hop relay (the host that actually sent the message to syslog-ng), not the contents of the HOST field of the message. |
| program() | program(regexp) | Match messages by using a regular expression against the program name field of log messages. |
| source() | string | Select messages of a source statement. This filter can be used in embedded log statements if the parent statement contains multiple source groups — only messages originating from the selected source group are sent to the destination of the embedded log statement. |
Table 8.17. Filter functions in syslog-ng
The host(), match(), and program() filter functions accept regular expressions as parameters. The exact type of the regular expression to use can be specified with the type() option. The following expression types are available:
| Name | Description |
|---|---|
| posix | Use POSIX regular expressions. If the type() parameter is not specified, syslog-ng uses POSIX regular expressions by default. For additional details on the use and flags of regular expressions, see Section 8.8, “Regular expressions”. |
| pcre | Use PCRE regular expressions. This is available only if syslog-ng was compiled with the --enable-pcre option. Execute the syslog-ng -V command to list the options supported by your binary. PCRE support is currently disabled in syslog-ng Premium Edition. For additional details on the use and flags of regular expressions, see Section 8.8, “Regular expressions”. |
| string | Match the strings literally, without regular expression support. By default, only identical strings are matched. For partial matches, use the flags("prefix") or the flags("substring") flags. |
Table 8.18. Filter match types
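The following configuration fragment is an added example, not text from the syslog-ng guide, that exercises each filter function of Table 8.17 together with the match types and flags of Table 8.18. The source, filter and destination names, the log file paths and the 10.0.0.0/24 management subnet are assumptions chosen for illustration; the filter syntax itself is the one the two tables describe.

```conf
@version: 3.0
# Added example: exercises the filter functions of Table 8.17 and the
# match types of Table 8.18. Object names, paths and the subnet are
# illustrative assumptions, not values from the guide.

source s_local { unix-stream("/dev/log"); internal(); };
source s_net   { udp(ip(0.0.0.0) port(514)); };

# facility(): named codes, and the alternate numeric syntax (code 25 is
# not predefined, so it is only reachable by number)
filter f_auth   { facility(auth, daemon); };
filter f_custom { facility(25); };

# level(): a single level or a pri1..pri2 range; boolean operators combine filters
filter f_important { level(warning..emerg); };
filter f_not_debug { not level(debug); };

# host() and program() take regular expressions (POSIX unless type() is given)
filter f_dmz_hosts { host("^dmz-"); };
filter f_sshd      { program("^sshd$"); };

# match() scoped to one macro with value(); no $ sign in the macro name
filter f_failed { match("Failed password" value("MSG")); };

# message() with literal (non-regex) matching and a partial-match flag
filter f_segv { message("segfault" type("string") flags("substring")); };

# netmask(): tests the IP of the last-hop sender, not the HOST field
filter f_from_mgmt { netmask(10.0.0.0/24); };

# filter(): reuse other filter rules inside a new one
filter f_auth_alerts { filter(f_auth) and filter(f_important); };
filter f_ssh_failed  { filter(f_sshd) and filter(f_failed) and not filter(f_from_mgmt); };

# source(): select one source group of the parent log statement
filter f_from_net { source(s_net); };

destination d_auth_alerts { file("/var/log/auth-alerts.log"); };
destination d_ssh_failed  { file("/var/log/ssh-failed.log"); };
destination d_remote      { file("/var/log/remote.log"); };

log {
    source(s_local); source(s_net);
    filter(f_not_debug);
    log { filter(f_auth_alerts); destination(d_auth_alerts); };
    log { filter(f_ssh_failed);  destination(d_ssh_failed); };
    # embedded statement that keeps only messages received over the network
    log { filter(f_from_net);    destination(d_remote); };
};
```

Every filter inside the outer log statement already applies to messages that passed f_not_debug, so each embedded statement narrows the shared stream rather than re-reading the sources.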
The level() filter accepts the following levels: emerg, alert, crit, err, warning, notice, info, debug.
The facility() filter accepts both the name and the numerical code of the facility or the importance level. The syslog-ng application recognizes the following facilities (note that some of these facilities are available only on specific platforms):
| Numerical Code | Facility name | Facility |
|---|---|---|
| 0 | kern | kernel messages |
| 1 | user | user-level messages |
| 2 | mail | mail system |
| 3 | daemon | system daemons |
| 4 | auth | security/authorization messages |
| 5 | syslog | messages generated internally by syslogd |
| 6 | lpr | line printer subsystem |
| 7 | news | network news subsystem |
| 8 | uucp | UUCP subsystem |
| 9 | cron | clock daemon |
| 10 | auth | security/authorization messages |
| 11 | ftp | FTP daemon |
| 12 | ntp | NTP subsystem |
| 13 | | log audit |
| 14 | | log alert |
| 15 | cron | clock daemon |
| 16-23 | local0..local7 | locally used facilities (local0-local7) |
Table 8.19. syslog Message Facilities recognized by the facility() filter
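As an added illustration of how the level and facility tables above relate to a message on the wire (this is not code from syslog-ng), the following Python decodes the PRI field of a syslog message (PRI = facility code × 8 + level code) and evaluates facility()/level() style selections, including the pri1..pri2 range form and the numeric facility syntax, over a handful of constructed sample lines. The facility-name map follows Table 8.19 as printed, so a name that appears twice there (auth, cron) resolves to both codes.

```python
"""Decode syslog PRI values and evaluate facility()/level() style filters.

Added example for Tables 8.17-8.19, not part of syslog-ng. The sample log
lines below are constructed for the demonstration.
"""
import re

# Facility names from Table 8.19. Codes 13 and 14 have no name in the table
# and are reachable only by number; 'auth' and 'cron' each appear twice.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "auth", 11: "ftp",
    12: "ntp", 15: "cron",
}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})

# Levels accepted by level(), ordered by numeric code 0 (emerg) .. 7 (debug).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample messages (RFC 3164 style, PRI in angle brackets).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host1 sshd[1024]: Failed password for root from 192.0.2.10",  # 4*8+2: auth.crit
    "<86>Oct 11 22:14:16 host1 sshd[1024]: Accepted publickey for alice",              # 10*8+6: code 10, info
    "<13>Oct 11 22:14:17 host2 myapp: started",                                       # 1*8+5: user.notice
    "<15>Oct 11 22:14:18 host2 myapp: verbose trace",                                 # 1*8+7: user.debug
    "<0>Oct 11 22:14:19 host3 kernel: panic",                                         # 0*8+0: kern.emerg
]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_code, level_name) for the <PRI> prefix, or None if absent/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:          # 191 is the largest PRI the 0-23 facility range allows
        return None
    return pri >> 3, LEVELS[pri & 7]


def level_set(spec):
    """Expand a level() argument such as "err" or "warning..emerg" into a set of names."""
    if ".." in spec:
        lo, hi = spec.split("..", 1)
        a, b = sorted((LEVELS.index(lo), LEVELS.index(hi)))
        return set(LEVELS[a:b + 1])
    if spec not in LEVELS:
        raise ValueError("unknown level: %s" % spec)
    return {spec}


def facility_codes(spec):
    """Expand a facility() argument (a name from Table 8.19 or a numeric code) into codes."""
    if spec.isdigit():
        return {int(spec)}        # alternate numeric syntax; also valid for undefined codes
    codes = {code for code, name in FACILITIES.items() if name == spec}
    if not codes:
        raise ValueError("unknown facility: %s" % spec)
    return codes


def select(lines, facilities=(), levels=()):
    """Keep lines matching every given facility() and level() argument (AND semantics).

    Several names inside one argument list are OR-ed, as in facility(auth, daemon).
    """
    fac = set().union(*(facility_codes(f) for f in facilities)) if facilities else None
    lvl = set().union(*(level_set(l) for l in levels)) if levels else None
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue               # no usable PRI: nothing to filter on
        code, name = decoded
        if fac is not None and code not in fac:
            continue
        if lvl is not None and name not in lvl:
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    for line in select(SAMPLE_LINES, facilities=["auth"], levels=["warning..emerg"]):
        print(line)
```

Running the module prints only the first sample line: the publickey message is code 10 but level info, so the warning..emerg range excludes it even though the name lookup for auth covers code 10.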
© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com