-
标题
How to configure custom filter in log path -
说明
This knowledge article will show through some examples how to use custom filter in a log path of Syslog-ng Store Box (SSB). -
解决办法
Note:
For application configuration or implementation advice we recommend our Professional Services Organization. For information on how to contact them please visit
https://support.oneidentity.com/syslog-ng-store-box/professional-services
Standard filters of SSB
By default, filtering in SSB is limited only simple filters can be set up in a log path. If multiple filters are set for a log path, only messages complying to every filter are sent to the destinations. In other words, filters are added using the logical AND operation.
Currently, SSB supports the following filters functions using with 'not' and 'and' logical operators:
facility: Selects messages sent by a specific facility (for example, kernel).
host: Selects messages sent by a specific host.
message: Selects messages containing a specific keyword or POSIX (extended) regular expression in the text of the log message (excluding the headers).
priority: Selects messages of a specific priority.
program: Selects messages sent by a specific application.
sender: Filters on the address of the host that sent the message to SSB.
classifier_class: Selects messages of a specific class (eg. Violation) analyzed by PatternDB.
- classifier_rule_id: Selects messages matching with the specific PatternDB rule id.
Custom filters
Using custom filters the following functions become available
- additional filters
- filtering on specific message fields and macros
- 'or' operator
- grouping filters
The syntax of the 'Custom filter' must be formatted as the filters of syslog-ng Premium Edition.More details about filtering can be found in the section "Routing messages: log paths, flags, and filters" of the syslog-ng's administration guide. SSB 5.x.x, SSB 6.x.x
Custom filter examples
Additional filter functions
The following additional filter functions can be used in custom filters: match(), netmask(), netmask6(), source(), tags().For details see the administration guide of syslog-ng PE.
Example: Filtering the messages sent by a host from the 10.21.10.0/24 network.
netmask(10.21.10.0/24)Specific message fields and macros
The match() filter makes possible to filter on specific macros.
Example: Filtering IETF syslog messages which contain an SDATA key called 'client_ip' with the value '10.21.10.10'.
match("10.21.10.10" value(.SDATA.client_ip))Operators: or, and, not
Multiple 'or' operator can be used in a filter expression.
Example: Filtering messages sent by hostA or hostB or hostC.
host("hostA") or host("hostB") or host("hostC")
Example: Filtering messages sent not containing strings1 neither string2.
not message("string1") and not message("string2")
Grouping filters
Using parenthesis it is possible create filter groups to create complex filters.
Example: Filtering messages containing 'started' or 'stopped', sent by hostA or hostB and the sender application is not 'sshd'.
(message("started") or message("stopped")) and (host("hostA") or host("hostB")) and not program("sshd")Comparing macro values in filters
Numerical operator String operator Meaning == eq Equals != ne Not equal to > gt Greater than < lt Less than >= ge Greater than or equal <= le Less than or equal Example1: Filtering messages with priority level less than 4. (Error, Critical, Alert, Emergency)
"${LEVEL_NUM}" < "4"Example2: Filtering messages sent by the application sshd or CRON.
"${PROGRAM}" eq "sshd" or "${PROGRAM}" eq "CRON"
Example3: Filtering messages sent by hostname.
"${HOST}" == "host1" or
"${HOST}" == "host2";For more information about filtering, please see the SSB Administration guide.