Here’s a snippet of working config from rsyslog 7.6.x in our environment:
if $hostname startswith_i 'sillysystem' then {
    if $msg contains '192.168.22.8' then stop
    else {
        -?DYNsilly
        stop
    }
}
For your case, drop the parens (and changing from double to single quotes?? not
sure that matters???).
Jeff
On 4 Apr 2014, at 4:56p, robert s <[email protected]> wrote:
> hmmm
>
> so I used this syntax:
>
> if $fromhost=="myhost" and $rawmsg contains("192.169.100.48") then stop
>
> but I'm still getting messages that contain the 192.169.100.48 in it...?
>
> would the contain need a comma afterwards?
>
> i.e
>
> contains, ?
>
> Robert
>
>
> On Fri, Apr 4, 2014 at 3:29 PM, David Lang <[email protected]> wrote:
>> On Fri, 4 Apr 2014, robert s wrote:
>>
>>> use for each situation that arises
>>>
>>> if $fromhost=="myhost" and $rawmsg contains "192.169.100.48" then stop *
>>
>>
>> the * would be a syntax error, also, I think contains is a function so I
>> believe the result would just be
>>
>> if $fromhost=="myhost" and $rawmsg contains("192.169.100.48") then stop
>>
>> If I'm wrong about the contains it would be:
>>
>>
>> if $fromhost=="myhost" and $rawmsg contains "192.169.100.48" then stop
>>
>>
>> David Lang
>>
>>
>>> the filter above would discard the message if the filter applies correct?
>>>
>>> Robert
>>>
>>>
>>> On Fri, Apr 4, 2014 at 12:03 PM, Rainer Gerhards
>>> <[email protected]> wrote:
>>>>
>>>> On Fri, Apr 4, 2014 at 5:57 PM, robert s <[email protected]> wrote:
>>>>
>>>>> so In this case would the following line work to compound the statement?
>>>>>
>>>>> if $fromhost=="myhost" and $rawmsg contains "192.169.100.48" ~
>>>>>
>>>>>
>>>> "then" is missing after the condition, but otherwise that's it. If on v7+, I
>>>> also suggest to use "stop" instead of "~" as this is more obvious of what
>>>> it does.
>>>>
>>>> Rainer
>>>>
>>>>> Robert
>>>>>
>>>>>
>>>>> On Tue, Apr 1, 2014 at 6:46 PM, David Lang <[email protected]> wrote:
>>>>>>
>>>>>> No, you can't use the
>>>>>> :var, condition, string
>>>>>>
>>>>>> type of syntax with and/or
>>>>>>
>>>>>> you have to use the if..then type of filters.
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>> On Tue, 1 Apr 2014, robert s wrote:
>>>>>>
>>>>>>> Date: Tue, 1 Apr 2014 17:09:50 -0400
>>>>>>> From: robert s <[email protected]>
>>>>>>> Reply-To: rsyslog-users <[email protected]>
>>>>>>> To: rsyslog-users <[email protected]>
>>>>>>> Subject: [rsyslog] multiple filters
>>>>>>>
>>>>>>>
>>>>>>> Hello Guys,
>>>>>>>
>>>>>>> Hope all is well, it seems that the website revamping project is going
>>>>>>> fantastic, really like the new layout, and finding things are much
>>>>>>> easier to get to, so kudos
>>>>>>>
>>>>>>> In the documentation I have been looking for adding more statements to
>>>>>>> filters like "and" "or"
>>>>>>>
>>>>>>> on the filter page there's some useful info regarding this, and I am
>>>>>>> curious with the new syntax if my example below would be correct?
>>>>>>>
>>>>>>> $msg startswith 'GenericLog' and ($msg contains '192.168.100.49' ~
>>>>>>>
>>>>>>> so I am curious if the way I have written it below would be the way to
>>>>>>> write it?
>>>>>>>
>>>>>>> :rawmsg, startswith, "GenericLog#" and (rawmsg, contains,
>>>>>>> "192.168.100.49") ~
>>>>>>>
>>>>>>> and the ~ still discards the message ?
>>>>>>>
>>>>>>> Thanks in advance
>>>>>>>
>>>>>>> Robert
>>>>>>> _______________________________________________
>>>>>>> rsyslog mailing list
>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>>>> DON'T LIKE THAT.
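The filters discussed in this thread, written out as a complete v7-style fragment. This is an added example, not configuration posted by anyone in the thread: the DYNsilly template body and its path are assumptions, while the host names and addresses are the thread's own values. It also shows an exact-address match, because a discard rule that matches too much silently removes log data.

```rsyslog
# Added example, not from the thread. The DYNsilly template body and its
# path are assumptions; hosts and addresses are the thread's values.
template(name="DYNsilly" type="string"
         string="/var/log/remote/%hostname%.log")

# Rules run in order: a discard only takes effect if it sits above every
# action that would otherwise write the message.
if $hostname startswith_i 'sillysystem' then {
    # 'contains' is a substring test, so '192.168.22.8' also matches
    # 192.168.22.80 through 192.168.22.89. re_match() (POSIX ERE) with
    # non-digit boundaries discards only the exact address.
    if re_match($msg, '(^|[^0-9.])192[.]168[.]22[.]8([^0-9]|$)') then stop
    action(type="omfile" dynaFile="DYNsilly")
    stop
}

# The compound form from the thread, written without parentheses after
# 'contains' as the reply above suggests.
# $fromhost is the system the message was received from (the last relay);
# it can differ from $hostname, the name carried inside the message.
if $fromhost == 'myhost' and $rawmsg contains '192.169.100.48' then stop
```

Running `rsyslogd -N1 -f <file>` checks the fragment's syntax without starting the daemon.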

