[rsyslog] Expression based filters not working?

Rainer Gerhards rgerhards at hq.adiscon.com
Tue Oct 21 08:32:57 CEST 2008 

That's right ! is NOT part of the language. You need to use the word
"not".

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of David Gillies
> Sent: Tuesday, October 21, 2008 1:26 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Expression based filters not working?
> 
> Hi Phil,
> 
> I found that ! didn't work for me in my expression style configs. I
had
> to use 'not' instead:
> 
> if $msg contains '%ASA-' then -?DailyLogs;pixformat
> if $msg contains 'VOIPAAA' then -?DailyCDR
> if not $msg contains '%VOIPAAA' and not $msg contains '%ASA-' then
> -?DailyLogs
> 
> David Gillies
> Systems Engineer
> Digital Infrastructure Services
> Fairfax Digital
> 
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Phillip Heller
> Sent: Tuesday, 21 October 2008 4:33 AM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Expression based filters not working?
> 
> Hello,
> 
>   Running 3.19.9 with the following old style config bits:
> 
> :msg, contains, "%ASA-" -?DailyLogs;pix_format :msg, contains,
> "%VOIPAAA" -?DailyCDR :msg, !contains, "%VOIPAAA" -?DailyLogs
> 
> This works just fine, though the messages from the ASA are output to
> the
> DailyLogs template twice.  I have not seen an example how one might
use
> a logical AND with the old style config.
> 
> So, I've tried the new expression style config:
> 
> if $msg contains '%ASA-' then -?DailyLogs;pixformat if $msg contains
> 'VOIPAAA' then -?DailyCDR if $msg !contains '%VOIPAAA' and $msg
> !contains '%ASA-' then -?DailyLogs
> 
> However, this style seems to not work at all.  That is, no messages
are
> recorded to DailyLogs or DailyCDR.
> 
> Any suggestions?
> 
> Regards,
> 
>   Phil
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
> 
> The information contained in this e-mail message and any accompanying
> files is or may be confidential. If you are not the intended
recipient,
> any use, dissemination, reliance, forwarding, printing or copying of
> this e-mail or any attached files is unauthorised. This e-mail is
> subject to copyright. No part of it should be reproduced, adapted or
> communicated without the written consent of the copyright owner. If
you
> have received this e-mail in error please advise the sender
immediately
> by return e-mail or telephone and delete all copies. Fairfax does not
> guarantee the accuracy or completeness of any information contained in
> this e-mail or attached files. Internet communications are not secure,
> therefore Fairfax does not accept legal responsibility for the
contents
> of this message or attached files.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com

More information about the rsyslog mailing list