Synopsis: facility(<facility-name>) or facility(<facility-code>) or facility(<facility-name>..<facility-name>)
Description: Match messages having one of the listed facility codes.
The facility() filter accepts both the name and the numerical code of the facility or the importance level. Facility codes 0-23 are predefined and can be referenced by their usual name. Facility codes above 24 are not defined.
You can use the facility filter in the following ways:
- Use a single facility name, for example, facility(user)
- Use a single facility code, for example, facility(1)
- Use a facility range (works only with facility names), for example, facility(local0..local5)
The syslog-ng application recognizes the following facilities: (Note that some of these facilities are available only on specific platforms.)
Table 14: syslog Message Facilities recognized by the facility() filter
Code | Name | Description
0 | kern | kernel messages
1 | user | user-level messages
2 | mail | mail system
3 | daemon | system daemons
4 | auth | security/authorization messages
5 | syslog | messages generated internally by syslogd
6 | lpr | line printer subsystem
7 | news | network news subsystem
8 | uucp | UUCP subsystem
9 | cron | clock daemon
10 | authpriv | security/authorization messages
11 | ftp | FTP daemon
12 | ntp | NTP subsystem
13 | security | log audit
14 | console | log alert
15 | solaris-cron | clock daemon
16-23 | local0..local7 | locally used facilities (local0-local7)
Synopsis: filter(filtername)
Description: Call another filter rule and evaluate its value. For example:
filter demo_filter { host("example") and match("deny" value("MESSAGE")) };
filter inverted_demo_filter { not filter(demo_filter) };
Description: Match messages by using a regular expression against the hostname field of log messages. Note that you can filter only on the actual content of the HOST field of the message (or what it was rewritten to). That is, syslog-ng OSE compares the filter expression to the content of the ${HOST} macro. This means that the IP address of a host will not match, even if the IP address and the hostname field refer to the same host. To filter on IP addresses, use the netmask() filter.
filter demo_filter { host("example") };
Synopsis: in-list("</path/to/file.list>", value("<field-to-filter>"))
Description: Matches the value of the specified field to a list stored in a file, allowing you to do simple, file-based black- and whitelisting. The file must be a plain-text file, containing one entry per line. The syslog-ng OSE application loads the entire file, and compares the value of the specified field (for example, ${PROGRAM}) to entries in the file. When you use the in-list() filter, note the following points:
- Comparing the values is case-sensitive.
- Only exact matches are supported; partial and substring matches are not.
- If you modify the list file, reload the configuration of syslog-ng OSE for the changes to take effect.
Available in syslog-ng OSE 3.5 and later.
Example: Selecting messages using the in-list() filter
Create a text file that contains the programs (as in the ${PROGRAM} field of their log messages) you want to select. For example, you want to forward only the logs of a few applications from a host: kernel, sshd, and sudo. Create the /etc/syslog-ng/programlist.list file with the following contents:
kernel
sshd
sudo
The following filter selects only the messages of the listed applications:
filter f_whitelist { in-list("/etc/syslog-ng/programlist.list", value("PROGRAM")); };
Create the appropriate sources and destinations for your environment, then create a log path that uses the previous filter to select only the log messages of the applications you need:
log {
    source(s_all);
    filter(f_whitelist);
    destination(d_logserver);
};
To create a blacklist filter, simply negate the in-list() filter:
filter f_blacklist { not in-list("/etc/syslog-ng/programlist.list", value("PROGRAM")); };
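The following is an added illustration, not syslog-ng's own code, that models the facility() filter (name, code, and name range, from Table 14) and the in-list() whitelist/blacklist semantics described above (case-sensitive, exact match), and applies them to a few constructed log lines. It assumes the standard syslog PRI encoding (PRI = facility * 8 + severity), which the page itself does not state, and the sample hostnames, programs and file contents are made up for the demonstration.

```python
# Added example, not syslog-ng code: models facility() and in-list() filter
# semantics from this page and applies them to constructed sample messages.
import re

# Facility names and codes from Table 14 (codes 0-23).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "security": 13, "console": 14, "solaris-cron": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}

def facility_filter(spec):
    """facility(spec): a single name, a single numeric code, or a
    name..name range (ranges are supported only with names)."""
    spec = str(spec)
    if ".." in spec:
        lo, hi = (FACILITIES[n] for n in spec.split("..", 1))
        codes = set(range(lo, hi + 1))
    elif spec.isdigit():
        codes = {int(spec)}
    else:
        codes = {FACILITIES[spec]}
    return lambda msg: msg["FACILITY"] in codes

def in_list_filter(entries, field):
    """in-list(): exact, case-sensitive match of one field against the
    list entries (one per line in the real file); no substring matching."""
    allowed = {e.strip() for e in entries if e.strip()}
    return lambda msg: msg.get(field) in allowed

def parse_message(line):
    """Decode a BSD-style line: PRI = facility*8 + severity (assumption,
    RFC 3164 encoding) plus the HOST and the PROGRAM before the colon."""
    m = re.match(r"<(\d{1,3})>\w{3} +\d+ [\d:]{8} (\S+) ([^\s:\[]+)", line)
    pri = int(m.group(1))
    return {"FACILITY": pri // 8, "HOST": m.group(2), "PROGRAM": m.group(3)}

# Constructed sample lines: auth/sshd, local3/myapp, and a user-facility
# line whose PROGRAM differs only in case (must NOT match the whitelist).
SAMPLE_LOG = [
    "<38>Mar  3 12:00:01 web1 sshd[811]: Accepted publickey for ops",
    "<158>Mar  3 12:00:02 web1 myapp[42]: request handled",
    "<13>Mar  3 12:00:03 web1 SSHD: case differs, should not match",
]
PROGRAM_LIST = ["kernel", "sshd", "sudo"]  # constructed programlist.list

def select(filter_fn, lines=SAMPLE_LOG):
    """Return the PROGRAM of each message the filter lets through."""
    return [m["PROGRAM"] for m in map(parse_message, lines) if filter_fn(m)]

whitelist = in_list_filter(PROGRAM_LIST, "PROGRAM")   # f_whitelist
blacklist = lambda m: not whitelist(m)                # f_blacklist
local_range = facility_filter("local0..local5")
```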