I've been tasked with migrating a syslog-ng server from version 2 to 3. I made changes to the following rules, but it seems they are no longer working:
Original:
filter f_useless {
    match("cpelocator") or match("rtmiddled") or match("laffer") or match("qdsm-update")
    or match("evmiddled") or match("alarmtool") or match("last message repeated")
    or match("check_relay_dev_alive") or match("cpestatus") or match("win_sec-5447-ux-success")
    or match("summary.pl") or match("ciscoios-%SEC-6-IPACCESSLOGRL") or match("rtticket")
    or match("asa-711005") or match("check_relay") or match("segfault")
    or match("ciscoios-%DOT1X-3-MAX_EAPOL_KEY_RETRANS") or match("ciscoios-%DOT1X-3-PSK_CONFIG_ERR")
    or match("asa-210005") or (match("HTTP") and message("Subject"));
};
The new rule (since match was deprecated) reads as:
filter f_useless {
    message("cpelocator") or message("rtmiddled") or message("laffer") or message("qdsm-update")
    or message("evmiddled") or message("alarmtool") or message("last message repeated")
    or message("check_relay_dev_alive") or message("cpestatus") or message("win_sec-5447-ux-success")
    or message("summary.pl") or message("ciscoios-%SEC-6-IPACCESSLOGRL") or message("rtticket")
    or message("asa-711005") or message("check_relay") or message("segfault")
    or message("ciscoios-%DOT1X-3-MAX_EAPOL_KEY_RETRANS") or message("ciscoios-%DOT1X-3-PSK_CONFIG_ERR")
    or message("asa-210005") or (message("HTTP") and message("Subject"));
};
It seems these are no longer getting flagged as useless, and are still pushing through. I can't post on the syslog-ng forums (for some reason their authentication service thinks my work IP is a spammer). Any ideas on what I may be doing wrong?
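An added example (not the poster's config) of how the deprecated bare match() can be replaced field by field in syslog-ng 3.x: message() inspects only the message body ($MSG), so a string that actually arrives in the program name is never seen by it and needs program() or match() with value(); the trailing "and" is also parenthesised explicitly. Which strings live in the PROGRAM field and which in the body is an assumption made for illustration, and the source and destination names are placeholders.

```conf
@version: 3.0

# Added example, not the poster's configuration. The split between
# program() and message() below is an assumption: check each string
# against the field it really arrives in on your own server.

filter f_useless {
    # Daemon and tool names usually sit in the PROGRAM field, not the body.
    program("cpelocator") or program("rtmiddled") or program("laffer")
    or program("qdsm-update") or program("evmiddled") or program("alarmtool")
    or program("cpestatus") or program("rtticket") or program("check_relay")
    or program("summary\.pl")        # escape the dot: filters are regexes
    # Text that appears in the body of the message.
    or message("last message repeated") or message("segfault")
    or message("check_relay_dev_alive") or message("win_sec-5447-ux-success")
    or message("asa-711005") or message("asa-210005")
    # value() pins a match() to one field instead of the deprecated
    # header-plus-body search; the '%' needs no escaping.
    or match("ciscoios-%SEC-6-IPACCESSLOGRL" value("MESSAGE"))
    or match("ciscoios-%DOT1X-3-(MAX_EAPOL_KEY_RETRANS|PSK_CONFIG_ERR)" value("MESSAGE"))
    # 'and' binds tighter than 'or'; the parentheses make that explicit.
    or (message("HTTP") and message("Subject"));
};

# Invert the filter by reference instead of maintaining a second copy.
filter f_keep { not filter(f_useless); };

source s_net { udp(ip(0.0.0.0) port(514)); };   # placeholder source
destination d_all     { file("/var/log/messages"); };
destination d_dropped { file("/var/log/useless.log"); };

log { source(s_net); filter(f_keep);    destination(d_all); };
# Writing the dropped messages to their own file for a while shows
# exactly which lines each clause catches (and which it misses).
log { source(s_net); filter(f_useless); destination(d_dropped); };
```

Run `syslog-ng --syntax-only -f /path/to/syslog-ng.conf` before reloading, then compare the two files against a few known-noisy lines to confirm each string is matched in the right field.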