3.6. Filters
Filters perform log routing within syslog-ng: a message passes the filter if the filter expression is true for that message. If a log statement includes filters, the messages are sent to the destinations only if they pass all filters of the log path. For example, a filter can select only the messages originating from a particular host. Complex filters can be created using filter functions and logical boolean expressions.
# Note: filters implement routing in syslog-ng: a message that matches a filter rule passes that filter and continues along the log path.
# Filters are defined outside log statements and then referenced from within them.
# If a log statement references several filters, a message is sent to the destinations only if it matches "all filters". Note: it is "all filters", not "any filter".
# For example, you can use a filter to select messages only from a specific host.
# Complex filters can use filter functions and boolean expressions.
To define a filter, add a filter statement to the syslog-ng configuration file using the following syntax:
# Note: to define a filter, use the filter keyword followed by a name for the filter; the name is what a log statement later references.
filter <identifier> { expression; };
The expression may contain the following elements:
# Note: the expression can be built from the following three kinds of element:
#-) 1. Functions
#-) 2. Parentheses
#-) 3. Boolean operators
The functions listed in Table 8.13, "Filter functions in syslog-ng". Some of the functions accept extended regular expressions as parameters.
Parentheses
The boolean operators and, or, not
Example 3.7. A simple filter statement
The following filter statement selects the messages that contain the word deny and come from the host example.
# Note: for example, the filter defined below selects messages that contain the string "deny" and come from the host example.
# Here "and" is a boolean operator.
filter demo_filter { host("example") and match("deny"); };
For the filter to have effect, include it in a log statement:
# Note: to make the filter take effect, first define it outside the log statement and then reference it from the log statement.
# For example, in the following log statement, messages from the sources s1 and s2 that match the demo_filter rule (containing the string deny and coming from the host example)
# are sent to the destinations d1 and d2.
log demo_filteredlog {
    source(s1); source(s2);
    filter(demo_filter);
    destination(d1); destination(d2);
};
The host(), match(), and program() filter functions accept regular expressions as parameters.
# Note: host(), match(), and program() are filter functions that accept regular expressions as their argument.
filter demo_regexp_filter { host("system.*1") and match("deny"); };
Note
When a log statement includes multiple filter statements, syslog-ng sends a message to the destination only if all filters are true for the message. In other words, the filters are connected with the logical AND operator. In the following example, no message arrives at the destination, because the filters are exclusive (the hostname of a client cannot be example1 and example2 at the same time):
# Note: when a log statement references multiple filters, a message is sent to the destination only if it matches all of them; that is, the filters are connected by AND.
# In the following example, no message reaches the destination, because the two filters are mutually exclusive: a message would have to come from both host example1 and host example2, which is impossible.
filter demo_filter1 { host("example1"); };
filter demo_filter2 { host("example2"); };
log demo_filteredlog {
    source(s1); source(s2);
    filter(demo_filter1); filter(demo_filter2);
    destination(d1); destination(d2);
};
To select the messages that come from either host example1 or host example2, use a single filter expression:
# Note: to express an OR relationship, use a single filter and join the alternatives with or.
filter demo_filter { host("example1") or host("example2"); };
log demo_filteredlog {
    source(s1); source(s2);
    filter(demo_filter);
    destination(d1); destination(d2);
};
In extended regular expressions, the characters ( ) [ ] . * ? + ^ $ are used as special symbols. Therefore, these characters have to be preceded with a backslash (\) if they are meant literally. For example, the \$40 expression matches the $40 string. Backslashes have to be escaped as well if they are meant literally. For example, the \\d expression matches the \d string.
# Note: since filters can use regular expressions, the characters (), [], ., *, ?, +, ^ and $ are all special. To match one of them literally, escape it with a backslash.
# For example, to match a message containing the string $40, use \$40.
By default, all regular expressions are case sensitive. To make an expression case insensitive, start the expression with the (?i) string.
# Note: by default, all regular expressions are case sensitive. To disable this, prefix the expression with the string '(?i)'.
filter demo_regexp_insensitive { host("(?i)system"); };
Note
In regular expressions, the asterisk (*) character means 0, 1 or any number of occurrences of the preceding expression. For example, in the f*ilter expression the asterisk means 0 or more f letters. This expression matches the following strings: ilter, filter, ffilter, etc. To achieve the wildcard functionality commonly represented by the asterisk character in other applications, use .* in your expressions, e.g., f.*ilter.
The level() filter can select messages corresponding to a single importance level, or a level range. To select messages of a specific level, use the name of the level as a filter parameter, e.g., use the following to select warning messages:
# Note: the level() filter function selects messages by severity. You can specify a single severity or a range. For example, the following selects only messages whose severity is warning.
level(warning)
To select a range of levels, include the beginning and the ending level in the filter, separated with two dots (..). For example, to select every message of error or higher level, use the following filter:
# Note: a range is written as from..to. For example, the following selects all messages from err up to emerg.
# Supplement: the range is evaluated on the numeric codes of these severities (emerg is 0, debug is 7), so err..emerg covers err, crit, alert and emerg.
level(err..emerg)
Similarly, messages sent by a range of facilities can also be selected. Note that this is only possible when using the names of the facilities; it is not possible to select ranges using the numerical codes of the facilities.
# Note: there is also a facility() filter function that selects specific facilities, and it supports ranges as well.
# The range is likewise evaluated on the internal numeric code of each facility.
facility(local0..local5)
For a complete list of the available levels and facilities, see Section 8.4, "Filter functions".
For a complete description of the above functions, see Section 8.4, "Filter functions".
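Putting the pieces of this section together, the following complete configuration is an added example; it is not taken from the syslog-ng manual or from this post. It assumes syslog-ng 3.x syntax (the value() and type() options of match(), single-quoted strings that the config parser does not escape-process, and the network() source and destination drivers), and the host names, file paths and the siem.example.com collector are placeholders chosen for illustration. It shows the points made above in one place: a host() regular expression, an OR written inside a single filter, the AND that results from referencing two filters in one log path, a backslash-escaped literal and a (?i) prefix in match(), and level and facility ranges.

```conf
@version: 3.8

# Added example, not taken from the syslog-ng manual or this post.
# Assumptions: syslog-ng 3.x syntax; host names, paths and the
# "siem.example.com" collector are placeholders.

source s_local {
    system();      # the platform's local log source (/dev/log, journald, ...)
    internal();    # messages generated by syslog-ng itself
};

source s_network {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# host() matches the sender's host name against a regular expression.
# Anchoring avoids matching "dmz-web-1-decommissioned" by accident.
filter f_dmz_web  { host("^dmz-web-[0-9]+$"); };

# Alternatives belong inside one filter expression, joined with "or".
filter f_bastions { host("bastion1") or host("bastion2"); };

# match() searches the message text when value("MESSAGE") is given;
# type("pcre") makes the (?i) case-insensitivity prefix available.
filter f_sshd_auth_failure {
    program("sshd")
    and match("(?i)failed password|invalid user" value("MESSAGE") type("pcre"));
};

# Literal "$40": the dollar sign must be backslash-escaped. Single quotes pass
# the backslash through to the regex engine; inside double quotes the config
# parser consumes one level of escaping, so "\\$40" would be needed instead.
filter f_literal_price { match('\$40' value("MESSAGE")); };

# Level and facility ranges are compared on the syslog numeric codes:
# err..emerg is err(3), crit(2), alert(1), emerg(0).
filter f_err_or_worse { level(err..emerg); };
filter f_auth         { facility(auth, authpriv); };
filter f_local_apps   { facility(local0..local5); };

destination d_siem        { network("siem.example.com" port(601) transport("tcp")); };
destination d_auth_alerts { file("/var/log/auth-alerts.log"); };
destination d_app_errors  { file("/var/log/app-errors.log"); };

# Two filter() references in one log path are ANDed: only sshd authentication
# failures reported by a DMZ web host are forwarded to the SIEM.
log {
    source(s_network);
    filter(f_dmz_web);
    filter(f_sshd_auth_failure);
    destination(d_siem);
};

# auth/authpriv messages from either bastion. The OR lives inside f_bastions;
# referencing two separate host filters here would AND them and match nothing.
log {
    source(s_network);
    filter(f_bastions);
    filter(f_auth);
    destination(d_auth_alerts);
};

# Local application facilities at err level or worse, regardless of host.
log {
    source(s_local);
    filter(f_local_apps);
    filter(f_err_or_worse);
    destination(d_app_errors);
};
```

Before reloading, check the file with `syslog-ng --syntax-only -f /path/to/this.conf`; a filter whose regular expression fails to compile is reported there rather than silently matching nothing at runtime.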
Syslog-ng series serialization-24: Filter