Forum Discussion

neeeewbie's avatar
Nov 12, 2021
Solved

How to configrue syslog include "space"

Hi guys 

 

I need your help !!! 

 

 

 

I have to configure syslog filter but space area does not enter the configuration

 

ex) and not match (aaa) >>> it is possible 

 

    and not match (a a) >>>>> it is not possible

 

 

 

I guess it is relate to space area 

 

so, how to configure include "space" ?

 

 

 

thank you

  • Updated...OK: apparently somewhere in the last 10 years since I looked at syslog-ng filters last, the "match" was deprecated for "message". So here's how I tested, and the results:

    sys syslog {
        include "
    filter f_local0 {
       facility(local0) and not message(\"abc abc\");
    };
    filter f_local0_custom {
       facility(local0) and message(\"abc abc\");
    };
    destination d_customlog {
       file(\"/var/log/customlog\" create_dirs(yes));
    };
    log {
       source(local);
       filter(f_local0_custom);
       destination(d_customlog);
    };
    "
    }

    Then I slapped this iRule on a test virtual and hit it from my desktop:

    when HTTP_REQUEST {
      log local0. "abc abc"
      log local0. "abc123 abc123"
      HTTP::respond 200 content "<html><body>sylog test initiating...</body></html>"
    }

    And here are my logs:

    [root@ltm3:Active:Standalone] config # grep abc /var/log/ltm
    Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
    Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
    [root@ltm3:Active:Standalone] config # grep abc /var/log/customlog
    Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
    Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc

5 Replies

  • Updated...OK: apparently somewhere in the last 10 years since I looked at syslog-ng filters last, the "match" was deprecated for "message". So here's how I tested, and the results:

    sys syslog {
        include "
    filter f_local0 {
       facility(local0) and not message(\"abc abc\");
    };
    filter f_local0_custom {
       facility(local0) and message(\"abc abc\");
    };
    destination d_customlog {
       file(\"/var/log/customlog\" create_dirs(yes));
    };
    log {
       source(local);
       filter(f_local0_custom);
       destination(d_customlog);
    };
    "
    }

    Then I slapped this iRule on a test virtual and hit it from my desktop:

    when HTTP_REQUEST {
      log local0. "abc abc"
      log local0. "abc123 abc123"
      HTTP::respond 200 content "<html><body>sylog test initiating...</body></html>"
    }

    And here are my logs:

    [root@ltm3:Active:Standalone] config # grep abc /var/log/ltm
    Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
    Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
    [root@ltm3:Active:Standalone] config # grep abc /var/log/customlog
    Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
    Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc