Mailing List Archive

Filters for not equal to a list of hostIP's
Hi There,
I'm trying to stop messages from certain hosts from being forwarded from my syslog server but the filters seem to be stopping all forwarding rather than just from the IP's I want.

This was the original filter I used:

if $fromhost-ip != "127.0.0.1" and not ($fromhost-ip contains '10.x.x.x','10.x.x.x','10.x.x.x') then {
action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="udp" )

I also tried this:
if ($fromhost-ip != "127.0.0.1" or $fromhost-ip != "10.x.x.x" or $fromhost-ip != '"10.x.x.x" or $fromhost-ip != "10.x.x.x") then {
action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="udp" )

I've tried with single quotes and double quotes around the IP addresses but it made no difference. Any suggestions on this?

Cheers
Brian
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Filters for not equal to a list of hostIP's [ In reply to ]
try
if $fromhost-ip != "127.0.0.1" and not ($fromhost-ip == ['10.x.x.x','10.x.x.x','10.x.x.x']) then {

David Lang

On Wed, 6 Apr 2022, Brian Robertson via rsyslog wrote:

> Date: Wed, 6 Apr 2022 17:57:38 +1200 (NZST)
> From: Brian Robertson via rsyslog <rsyslog@lists.adiscon.com>
> To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
> Cc: Brian Robertson <brian-robertson@xtra.co.nz>
> Subject: [rsyslog] Filters for not equal to a list of hostIP's
>
> Hi There,
> I'm trying to stop messages from certain hosts from being forwarded from my syslog server but the filters seem to be stopping all forwarding rather than just from the IP's I want.
>
> This was the original filter I used:
>
> if $fromhost-ip != "127.0.0.1" and not ($fromhost-ip contains '10.x.x.x','10.x.x.x','10.x.x.x') then {
> action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="udp" )
>
> I also tried this:
> if ($fromhost-ip != "127.0.0.1" or $fromhost-ip != "10.x.x.x" or $fromhost-ip != '"10.x.x.x" or $fromhost-ip != "10.x.x.x") then {
> action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="udp" )
>
> I've tried with single quotes and double quotes around the IP addresses but it made no difference. Any suggestions on this?
>
> Cheers
> Brian
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Filters for not equal to a list of hostIP's [ In reply to ]
Thanks David.
Unfortunately that didn't work, we are running rsyslog version 8.24.0.
Do we need spaces between the IP's in the array list?
i.e. and not ($fromhost-ip == ['10.x.x.x', '10.x.x.x', '10.x.x.x'])

Thanks
Brian

> On 06/04/2022 20:42 David Lang <david@lang.hm> wrote:
>
>
> try
> if $fromhost-ip != "127.0.0.1" and not ($fromhost-ip == ['10.x.x.x','10.x.x.x','10.x.x.x']) then {
>
> David Lang
>
> On Wed, 6 Apr 2022, Brian Robertson via rsyslog wrote:
>
> > Date: Wed, 6 Apr 2022 17:57:38 +1200 (NZST)
> > From: Brian Robertson via rsyslog <rsyslog@lists.adiscon.com>
> > To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
> > Cc: Brian Robertson <brian-robertson@xtra.co.nz>
> > Subject: [rsyslog] Filters for not equal to a list of hostIP's
> >
> > Hi There,
> > I'm trying to stop messages from certain hosts from being forwarded from my syslog server but the filters seem to be stopping all forwarding rather than just from the IP's I want.
> >
> > This was the original filter I used:
> >
> > if $fromhost-ip != "127.0.0.1" and not ($fromhost-ip contains '10.x.x.x','10.x.x.x','10.x.x.x') then {
> > action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="udp" )
> >
> > I also tried this:
> > if ($fromhost-ip != "127.0.0.1" or $fromhost-ip != "10.x.x.x" or $fromhost-ip != '"10.x.x.x" or $fromhost-ip != "10.x.x.x") then {
> > action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="udp" )
> >
> > I've tried with single quotes and double quotes around the IP addresses but it made no difference. Any suggestions on this?
> >
> > Cheers
> > Brian
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> >
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Filters for not equal to a list of hostIP's [ In reply to ]
8,24 is 5+ years old (with some unknown amount of backports by RedHat), so if
you want to use that version, you will need to contact them for support. I
thought the array match was older than that, but with such an old version it's
not worth the hassle of digging it up.

I would strongly recommend upgrading to a new version that the community can
support.

David Lang

On Thu, 7 Apr 2022, Brian Robertson
wrote:

> Date: Thu, 7 Apr 2022 11:45:00 +1200 (NZST)
> From: Brian Robertson <brian-robertson@xtra.co.nz>
> To: David Lang <david@lang.hm>,
> Brian Robertson via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Filters for not equal to a list of hostIP's
>
> Thanks David.
> Unfortunately that didn't work, we are running rsyslog version 8.24.0.
> Do we need spaces between the IP's in the array list?
> i.e. and not ($fromhost-ip == ['10.x.x.x', '10.x.x.x', '10.x.x.x'])
>
> Thanks
> Brian
>
>> On 06/04/2022 20:42 David Lang <david@lang.hm> wrote:
>>
>>
>> try
>> if $fromhost-ip != "127.0.0.1" and not ($fromhost-ip == ['10.x.x.x','10.x.x.x','10.x.x.x']) then {
>>
>> David Lang
>>
>> On Wed, 6 Apr 2022, Brian Robertson via rsyslog wrote:
>>
>>> Date: Wed, 6 Apr 2022 17:57:38 +1200 (NZST)
>>> From: Brian Robertson via rsyslog <rsyslog@lists.adiscon.com>
>>> To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
>>> Cc: Brian Robertson <brian-robertson@xtra.co.nz>
>>> Subject: [rsyslog] Filters for not equal to a list of hostIP's
>>>
>>> Hi There,
>>> I'm trying to stop messages from certain hosts from being forwarded from my syslog server but the filters seem to be stopping all forwarding rather than just from the IP's I want.
>>>
>>> This was the original filter I used:
>>>
>>> if $fromhost-ip != "127.0.0.1" and not ($fromhost-ip contains '10.x.x.x','10.x.x.x','10.x.x.x') then {
>>> action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="udp" )
>>>
>>> I also tried this:
>>> if ($fromhost-ip != "127.0.0.1" or $fromhost-ip != "10.x.x.x" or $fromhost-ip != '"10.x.x.x" or $fromhost-ip != "10.x.x.x") then {
>>> action(type="omfwd" Target="x.x.x.x" Port="514" Protocol="udp" )
>>>
>>> I've tried with single quotes and double quotes around the IP addresses but it made no difference. Any suggestions on this?
>>>
>>> Cheers
>>> Brian
>>> _______________________________________________
>>> rsyslog mailing list
>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>>>
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.