8.4.1. Using filters

Filters perform log routing within syslog-ng: a message passes a filter if the filter expression evaluates to true for that message. If a log statement includes filters, the messages are sent to the destinations only if they pass all filters of the log path. For example, a filter can select only the messages originating from a particular host. Complex filters can be created by combining filter functions with boolean operators.

To define a filter, add a filter statement to the syslog-ng configuration file using the following syntax:

filter <identifier> { <filter_type>("<filter_expression>"); };

Then use the filter in a log path, for example:

log {
    source(s1);
    filter(<identifier>);
    destination(d1); };

You can also define the filter inline. For details, see Section 5.2, Defining configuration objects inline.

Example 8.11. A simple filter statement

The following filter statement selects the messages that contain the word deny and come from the host example.

filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
log {
    source(s1);
    filter(demo_filter);
    destination(d1); };

The following example does the same, but defines the filter inline.

log {
    source(s1);
    filter { host("example") and match("deny" value("MESSAGE")) };
    destination(d1); };
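
An added example, not part of the syslog-ng documentation: host() and match() treat their argument as an unanchored regular expression by default, so the filter in Example 8.11 also accepts host names such as example2 and messages containing denylist. The tightened variants below reuse s1 and d1 from the page; the filter names, d_unmatched, its file path and the address 192.0.2.10 are assumptions made for illustration.

```conf
# Added example. s1 and d1 are the page's source and destination;
# everything else (names, path, address) is hypothetical.

# Example 8.11 as written: both patterns are unanchored regular expressions,
# so "example2" or "my-example" pass host(), and "denylist" passes match().
filter f_loose { host("example") and match("deny" value("MESSAGE")); };

# Literal comparison: type(string) disables regex handling and, without
# flags(), requires the whole host name to equal "example".
filter f_host_exact { host("example" type(string)); };

# Regex alternative for the message text: match "deny" only as a whole
# word. Single quotes keep the backslashes literal.
filter f_deny_word { match('\bdeny\b' value("MESSAGE")); };

# netmask() tests the address the message arrived from, which does not
# depend on the host name recorded in the message.
filter f_from_sender { netmask("192.0.2.10/32"); };

destination d_unmatched { file("/var/log/unmatched.log"); };

log {
    source(s1);
    filter(f_host_exact);
    filter(f_deny_word);
    filter(f_from_sender);
    destination(d1); };

# Messages that fail a filter are simply not delivered by that log path.
# A fallback path receives whatever no other log path processed, so
# rejected messages remain available for review.
log {
    source(s1);
    destination(d_unmatched);
    flags(fallback); };
```

Running syslog-ng with the --syntax-only option checks the edited configuration file before the daemon is reloaded.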