Hi Markus, unfortunately I do not have time at the moment to go through this at full length. But a couple of points below:
> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Markus Stegmueller
> Sent: Monday, October 04, 2010 12:52 PM
> To: [email protected]
> Subject: [rsyslog] Outgoing Mails Logfile - Ported from Syslog-ng
>
> Hello,
>
> I am trying to convert my syslog-ng Filter to a working rsyslog Filter
> Configuration. Here is my syslog-ng Filter:
>
> destination d_antispam { file("/var/log/mail_antispam"); };
>
> filter f_antispam { facility(mail) and not match("[email protected]")
> and not match("localhost.example.de") and not match("[email protected]") and not
> match("maildummy@") and not match("nob...@example") and not match("spamdrop") and not
> match("NOQUEUE") and not match("reject:")
> and ((match("to=<") and match("status=sent") and not match("relay=procmail") and not
> match("relay=/var/lib/imap/socket/lmtp") and not match("relay=local") and not
> match("relay=10.0.50.2")) or match("from=<.*example\.de>")); };
>
> log { source(src); filter(f_antispam); destination(d_antispam); };
>
> This Filter is to get all the mails that were sent from example.de
> users, so I can re-use them to make a whitelist.

I don't know syslog-ng syntax, but guess I got an idea of what you do.

> I tried to make an expression Based Filter:
>
> if $syslogfacility-text == 'mail' and not $msg contains '[email protected]' and not $msg contains
> 'localhost.example.de' and not $msg contains '[email protected]' and not $msg contains 'maildummy@'
> and not $msg contains 'nob...@example' and not $msg contains 'spamdrop' and not $msg contains
> 'NOQUEUE' and not $msg contains 'reject:' and ( $msg contains 'to=<' and $msg contains 'status=sent'
> and not $msg contains 'relay=procmail' and not $msg contains 'relay=/var/lib/imap/socket/lmtp' and
> not $msg contains 'relay=local' and not $msg contains 'relay=10.0.50.2' ) or $msg contains
> 'from=<.*example.de>' then /var/log/mail_antispam

This sounds basically correct.

Is it all on one line? If not, you need to add "\" at the end of each line, an artifact of the current config system. Like this:

if $syslogfacility-text == 'mail' and not $msg contains \
'[email protected]' and not $msg contains \
'localhost.example.de' and not $msg contains '[email protected]' and not \
...

If that does not solve the issue, please reduce the logic until it works. Then we can check what the culprit is. Also make sure you do not get any errors while reading the config file. Finally, a look at rsyslog's debug log may help.

> And also a property based:
>
> :msg, contains, "to=<" ~
> :msg, contains, "status=sent" ~
> :msg, regex, "from=<*example\.de>" ~
> :msg, !contains, "localhost.example.de" ~
> :msg, !contains, "[email protected]" ~
> :msg, !contains, "maildummy@" ~
> :msg, !contains, "[email protected]" ~
> :msg, !contains, "spamdrop" ~
> :msg, !contains, "NOQUEUE" ~
> :msg, !contains, "reject:" ~
> :msg, !contains, "relay=procmail" ~
> :msg, !contains, "relay=/var/lib/imap/socket/lmtp" ~
> :msg, !contains, "relay=local" ~
> :msg, !contains, "relay=10.0.50.2" ~
> mail.* -/var/log/mail_antispam
>
> At the Property based Filters - I do not understand how to make an AND
> or an OR... and at the expression based one,

Because that's not possible. For boolean filters, you need to use the if-type of filter.

HTH
Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

