Contains is a comparison operation just like ==. That's why you got the error. Use David's other sample.
Rainer Sent from phone, thus brief. Am 04.04.2014 23:04 schrieb "Campbell, Jeff" <[email protected]>: > Here's a snippit of working config from rsyslog 7.6.x in our environment: > > if $hostname startswith_i 'sillysystem' then { > if $msg contains '192.168.22.8' then stop > else { > -?DYNsilly > stop > } > } > > For your case, drop the parens (and changing from double to single > quotes?? not sure that matters???). > > Jeff > > On 4 Apr 2014, at 4:56p, robert s <[email protected]> wrote: > > > hmmm > > > > so I used this syntax: > > > > if $fromhost=="myhost" and $rawmsg contains("192.169.100.48") then stop > > > > but im still getiing messages that contain the 192.169.100.48 in it...? > > > > would the contain need a comma afterwards? > > > > i.e > > > > contains, ? > > > > Robert > > > > > > On Fri, Apr 4, 2014 at 3:29 PM, David Lang <[email protected]> wrote: > >> On Fri, 4 Apr 2014, robert s wrote: > >> > >>> use for each situation that arises > >>> > >>> if $fromhost=="myhost" and $rawmsg contains "192.169.100.48" then stop > * > >> > >> > >> the * would be a syntax error, also, I think contains is a function so I > >> believe the result would just be > >> > >> if $fromhost=="myhost" and $rawmsg contains("192.169.100.48") then stop > >> > >> If I'm wrong about the contains it would be: > >> > >> > >> if $fromhost=="myhost" and $rawmsg contains "192.169.100.48" then stop > >> > >> > >> David Lang > >> > >> > >>> the filter above would discard the message if the filter applies > correct? > >>> > >>> Robert > >>> > >>> > >>> On Fri, Apr 4, 2014 at 12:03 PM, Rainer Gerhards > >>> <[email protected]> wrote: > >>>> > >>>> On Fri, Apr 4, 2014 at 5:57 PM, robert s <[email protected]> > wrote: > >>>> > >>>>> so In this case would the following line work to compound the > statement? > >>>>> > >>>>> if $fromhost=="myhost" and $rawmsg contains "192.169.100.48" ~ > >>>>> > >>>>> > >>>> "then" is missing after the condition,but otherwise that's it. If on > v7+, > >>>> I > >>>> also suggest to use "stop" instead of "~" as this is more obvious of > what > >>>> it does. > >>>> > >>>> Rainer > >>>> > >>>>> Robert > >>>>> > >>>>> > >>>>> On Tue, Apr 1, 2014 at 6:46 PM, David Lang <[email protected]> wrote: > >>>>>> > >>>>>> No, you can't use the > >>>>>> :var, condition, string > >>>>>> > >>>>>> type of syntax with and/or > >>>>>> > >>>>>> you have to use the if..then type of filters. > >>>>>> > >>>>>> David Lang > >>>>>> > >>>>>> On Tue, 1 Apr 2014, robert s wrote: > >>>>>> > >>>>>>> Date: Tue, 1 Apr 2014 17:09:50 -0400 > >>>>>>> From: robert s <[email protected]> > >>>>>>> Reply-To: rsyslog-users <[email protected]> > >>>>>>> To: rsyslog-users <[email protected]> > >>>>>>> Subject: [rsyslog] multiple filters > >>>>>>> > >>>>>>> > >>>>>>> Hello Guys, > >>>>>>> > >>>>>>> Hope all is well, it seems that the website revamping project is > going > >>>>>>> fantastic, really like the new layout, and finding things are much > >>>>>>> easier to get to, so kudos > >>>>>>> > >>>>>>> In the documentation I have been looking for adding more > statements to > >>>>>>> filters like "and "or" > >>>>>>> > >>>>>>> on the filter page there's some useful info regarding this, and I > am > >>>>>>> curious with the new syntax if my example below would be correct? > >>>>>>> > >>>>>>> $msg startswith 'GenericLog' and ($msg contains '192.168.100.49' ~ > >>>>>>> > >>>>>>> so I am curious if the way I written below would be the way to > write > >>>>>>> it? > >>>>>>> > >>>>>>> :rawmsg, startswith, "GenericLog#" and (rawmsg, contains, > >>>>>>> "192.168.100.49") ~ > >>>>>>> > >>>>>>> and the ~ still discards the message ? > >>>>>>> > >>>>>>> Thanks in advance > >>>>>>> > >>>>>>> Robert > >>>>>>> _______________________________________________ > >>>>>>> rsyslog mailing list > >>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>>>> http://www.rsyslog.com/professional-services/ > >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > >>>>>>> myriad > >>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you > >>>>> > >>>>> DON'T > >>>>>>> > >>>>>>> LIKE THAT. > >>>>>>> > >>>>>> _______________________________________________ > >>>>>> rsyslog mailing list > >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>>> http://www.rsyslog.com/professional-services/ > >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > >>>>>> myriad > >>>>> > >>>>> of > >>>>>> > >>>>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > >>>>>> DON'T > >>>>>> LIKE THAT. > >>>>> > >>>>> _______________________________________________ > >>>>> rsyslog mailing list > >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>> http://www.rsyslog.com/professional-services/ > >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > >>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you > >>>>> DON'T LIKE THAT. > >>>>> > >>>> _______________________________________________ > >>>> rsyslog mailing list > >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>>> http://www.rsyslog.com/professional-services/ > >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > >>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you DON'T > >>>> LIKE THAT. > >>> > >>> _______________________________________________ > >>> rsyslog mailing list > >>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>> http://www.rsyslog.com/professional-services/ > >>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T > >>> LIKE THAT. > >>> > >> _______________________________________________ > >> rsyslog mailing list > >> http://lists.adiscon.net/mailman/listinfo/rsyslog > >> http://www.rsyslog.com/professional-services/ > >> What's up with rsyslog? Follow https://twitter.com/rgerhards > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of > >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T > >> LIKE THAT. > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
