Mailing List Archive

Hi Phil,

I found that ! didn't work for me in my expression style configs. I had
to use 'not' instead:

if $msg contains '%ASA-' then -?DailyLogs;pixformat
if $msg contains 'VOIPAAA' then -?DailyCDR
if not $msg contains '%VOIPAAA' and not $msg contains '%ASA-' then
-?DailyLogs

David Gillies
Systems Engineer
Digital Infrastructure Services
Fairfax Digital

-----Original Message-----
From: rsyslog-bounces@lists.adiscon.com
[mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Phillip Heller
Sent: Tuesday, 21 October 2008 4:33 AM
To: rsyslog@lists.adiscon.com
Subject: [rsyslog] Expression based filters not working?

Hello,

Running 3.19.9 with the following old style config bits:

:msg, contains, "%ASA-" -?DailyLogs;pix_format :msg, contains,
"%VOIPAAA" -?DailyCDR :msg, !contains, "%VOIPAAA" -?DailyLogs

This works just fine, though the messages from the ASA are output to the
DailyLogs template twice. I have not seen an example how one might use
a logical AND with the old style config.

So, I've tried the new expression style config:

if $msg contains '%ASA-' then -?DailyLogs;pixformat if $msg contains
'VOIPAAA' then -?DailyCDR if $msg !contains '%VOIPAAA' and $msg
!contains '%ASA-' then -?DailyLogs

However, this style seems to not work at all. That is, no messages are
recorded to DailyLogs or DailyCDR.

Any suggestions?

Regards,

Phil
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

The information contained in this e-mail message and any accompanying files is or may be confidential. If you are not the intended recipient, any use, dissemination, reliance, forwarding, printing or copying of this e-mail or any attached files is unauthorised. This e-mail is subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If you have received this e-mail in error please advise the sender immediately by return e-mail or telephone and delete all copies. Fairfax does not guarantee the accuracy or completeness of any information contained in this e-mail or attached files. Internet communications are not secure, therefore Fairfax does not accept legal responsibility for the contents of this message or attached files.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

That's right ! is NOT part of the language. You need to use the word
"not".

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of David Gillies
> Sent: Tuesday, October 21, 2008 1:26 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Expression based filters not working?
>
> Hi Phil,
>
> I found that ! didn't work for me in my expression style configs. I
had
> to use 'not' instead:
>
> if $msg contains '%ASA-' then -?DailyLogs;pixformat
> if $msg contains 'VOIPAAA' then -?DailyCDR
> if not $msg contains '%VOIPAAA' and not $msg contains '%ASA-' then
> -?DailyLogs
>
> David Gillies
> Systems Engineer
> Digital Infrastructure Services
> Fairfax Digital
>
> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com
> [mailto:rsyslog-bounces@lists.adiscon.com] On Behalf Of Phillip Heller
> Sent: Tuesday, 21 October 2008 4:33 AM
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] Expression based filters not working?
>
> Hello,
>
> Running 3.19.9 with the following old style config bits:
>
> :msg, contains, "%ASA-" -?DailyLogs;pix_format :msg, contains,
> "%VOIPAAA" -?DailyCDR :msg, !contains, "%VOIPAAA" -?DailyLogs
>
> This works just fine, though the messages from the ASA are output to
> the
> DailyLogs template twice. I have not seen an example how one might
use
> a logical AND with the old style config.
>
> So, I've tried the new expression style config:
>
> if $msg contains '%ASA-' then -?DailyLogs;pixformat if $msg contains
> 'VOIPAAA' then -?DailyCDR if $msg !contains '%VOIPAAA' and $msg
> !contains '%ASA-' then -?DailyLogs
>
> However, this style seems to not work at all. That is, no messages
are
> recorded to DailyLogs or DailyCDR.
>
> Any suggestions?
>
> Regards,
>
> Phil
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>
> The information contained in this e-mail message and any accompanying
> files is or may be confidential. If you are not the intended
recipient,
> any use, dissemination, reliance, forwarding, printing or copying of
> this e-mail or any attached files is unauthorised. This e-mail is
> subject to copyright. No part of it should be reproduced, adapted or
> communicated without the written consent of the copyright owner. If
you
> have received this e-mail in error please advise the sender
immediately
> by return e-mail or telephone and delete all copies. Fairfax does not
> guarantee the accuracy or completeness of any information contained in
> this e-mail or attached files. Internet communications are not secure,
> therefore Fairfax does not accept legal responsibility for the
contents
> of this message or attached files.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com