Hello,

I am trying to convert my syslog-ng Filter to a working rsyslog Filter Configuration. Here is my syslog-ng Filter:

destination d_antispam { file("/var/log/mail_antispam"); };
filter f_antispam {
    facility(mail)
    and not match("[email protected]") and not match("localhost.example.de")
    and not match("[email protected]") and not match("maildummy@")
    and not match("nob...@example") and not match("spamdrop")
    and not match("NOQUEUE") and not match("reject:")
    and ((match("to=<") and match("status=sent")
          and not match("relay=procmail")
          and not match("relay=/var/lib/imap/socket/lmtp")
          and not match("relay=local") and not match("relay=10.0.50.2"))
         or match("from=<.*example\.de>"));
};
log { source(src); filter(f_antispam); destination(d_antispam); };

This Filter is to get all the mails that were sent from example.de users, so I can re-use them to make a whitelist.

I tried to make an expression Based Filter:

if $syslogfacility-text == 'mail' and not $msg contains '[email protected]' and not $msg contains 'localhost.example.de' and not $msg contains '[email protected]' and not $msg contains 'maildummy@' and not $msg contains 'nob...@example' and not $msg contains 'spamdrop' and not $msg contains 'NOQUEUE' and not $msg contains 'reject:' and ( $msg contains 'to=<' and $msg contains 'status=sent' and not $msg contains 'relay=procmail' and not $msg contains 'relay=/var/lib/imap/socket/lmtp' and not $msg contains 'relay=local' and not $msg contains 'relay=10.0.50.2' ) or $msg contains 'from=<.*example.de>' then /var/log/mail_antispam

And also a property based:
:msg, contains, "to=<" ~
:msg, contains, "status=sent" ~
:msg, regex, "from=<*example\.de>" ~
:msg, !contains, "localhost.example.de" ~
:msg, !contains, "[email protected]" ~
:msg, !contains, "maildummy@" ~
:msg, !contains, "[email protected]" ~
:msg, !contains, "spamdrop" ~
:msg, !contains, "NOQUEUE" ~
:msg, !contains, "reject:" ~
:msg, !contains, "relay=procmail" ~
:msg, !contains, "relay=/var/lib/imap/socket/lmtp" ~
:msg, !contains, "relay=local" ~
:msg, !contains, "relay=10.0.50.2" ~
mail.* -/var/log/mail_antispam

At the Property based Filters - I do not understand how to make an AND or an OR... and at the expression based one, I have totally no Idea, why it isn't working.

I hope someone can give me a clue about what my mistake is.

Best Regards and thank you very much in Advance,
Markus
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
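
One way to express the syslog-ng filter from the post as a single RainerScript condition, as an added example that is not part of the original post and is not rsyslog project code. It assumes rsyslog v7 or later (multi-line expressions and action() objects); ADDRESS_1 and ADDRESS_2 are placeholders for the two addresses that are obscured on the page, and 'nob...@example' is copied in its truncated form.

```rsyslog
# Added example. Replace ADDRESS_1 / ADDRESS_2 (placeholders) and the
# truncated 'nob...@example' with the real strings before use.
#
# Points this version handles:
#  - "not" binds tighter than "contains", so each negated test is wrapped in
#    parentheses; the chain "not A and not B" is written as "not (A or B)".
#  - "and" binds tighter than "or", so the outer parentheses around the last
#    group are needed to mirror syslog-ng's "and (( ... ) or match(...))".
#  - "contains" is a literal substring test; the from=<...> pattern is a
#    regular expression and therefore uses re_match(). [.] stands for a
#    literal dot.
#  - No "~" / "stop": the syslog-ng log path only writes a copy to the file.
if $syslogfacility-text == 'mail'
   and not ( $msg contains 'ADDRESS_1'
          or $msg contains 'localhost.example.de'
          or $msg contains 'ADDRESS_2'
          or $msg contains 'maildummy@'
          or $msg contains 'nob...@example'
          or $msg contains 'spamdrop'
          or $msg contains 'NOQUEUE'
          or $msg contains 'reject:' )
   and ( ( $msg contains 'to=<'
           and $msg contains 'status=sent'
           and not ( $msg contains 'relay=procmail'
                  or $msg contains 'relay=/var/lib/imap/socket/lmtp'
                  or $msg contains 'relay=local'
                  or $msg contains 'relay=10.0.50.2' ) )
         or re_match($msg, 'from=<.*example[.]de>') )
then {
    action(type="omfile" file="/var/log/mail_antispam")
}
```

The configuration can be syntax-checked with `rsyslogd -N1` before restarting the daemon.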