This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

Exclude text string in Syslog rule

I am trying to set up a syslog rule that will email me all syslogs from a set of hosts except messages with a specific text string in the syslog message body.  I have been able to get the rule set up, but I can't figure out how to exclude those messages with that specific string.  It doesn't look like the Syslog Message Pattern box accepts any specific syntax to exclude a string.  I have looked through the help and thwack and can't find anything about this.  Has anyone tried to do something like this before?

  • It sounds like what you need will require some Regular Expression magic.

    If you post the details regarding what exactly you are trying to pass/exclude somebody might be able to help you.

  • Interesting. I did not think regex by itself could exclude traffic; I thought it was just for complex pattern matching.

    I want to exclude the text "A.DS2" (without quotes), but include everything else.

    Anyone know some regex to accomplish this?

  • That would be something like:

    (Message NOT LIKE '*A.DS2*')

  • Where would I put that?

    I have tried putting that string into the "Syslog Message Pattern" box in the Syslog alert GUI, but it does not match anything.

  • Did you check "Use RegEx"?  Also, there are some free regex editors out there you can download to help you write regular expressions.

  • If the above doesn't work:

    Just create another rule to match your text and, in the actions, select "Discard syslog" (if you want to delete it) and "Stop processing rules" (don't omit this part even if you discard the message or it will not work).  Then make sure your new rule comes before the one that sends the email.

    That's the method I use, and I can add more expressions to it easily.

  • For anyone else following this or reading it in the future, tonyreel is correct. The only way to do this is to add a separate syslog rule ABOVE your existing rule(s) that includes "Stop Processing Syslog Rules" and optionally "Discard the Syslog Message". There does not seem to be any way to EXCLUDE syslog messages with Regex. Regex is for complex pattern matching.  So you could use Regex if you wanted to match a complex pattern for exclusion, but the key is that it would have to be a separate rule ABOVE the other rule(s) and include the "Stop Processing Syslog Rules" action.
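To make the rule-ordering and "Stop Processing" point concrete, the following is an added Python model of an ordered syslog rule chain. It is example code written for this page, not SolarWinds code and not something any poster in the thread supplied. The engine semantics it models (every matching rule fires its actions in list order; only "stop processing" ends evaluation; "discard" on its own does not halt later rules, which is the behaviour tonyreel warns about) are an assumption taken from the thread's description, the sample messages are constructed, and the negative-lookahead variant at the end assumes a regex engine that supports lookahead, which the thread does not establish for the Syslog Message Pattern box. It also shows a practitioner caveat the thread does not mention: the dot in "A.DS2" is a regex metacharacter and must be escaped, or the exclusion silently widens.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog message bodies (hypothetical; not from the thread).
SAMPLE_MESSAGES = [
    "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
    "Backup job A.DS2 completed normally",
    "Login failed for user admin from 192.0.2.10",
    "Health check AxDS2 passed",   # an unescaped 'A.DS2' regex matches this too
]


@dataclass
class Rule:
    name: str
    pattern: str                   # regex applied to the message body
    email: bool = False            # action: send an e-mail alert
    discard: bool = False          # action: discard the syslog message
    stop_processing: bool = False  # action: stop processing further rules


def process(rules, message):
    """Walk the ordered rule list.

    Assumed semantics (from the thread, not a documented engine): each rule whose
    pattern matches fires its actions in order; only stop_processing ends the walk.
    Discard by itself is modeled as NOT preventing later rules from firing.
    Returns (emailed, discarded).
    """
    emailed = discarded = False
    for rule in rules:
        if not re.search(rule.pattern, message):
            continue
        emailed = emailed or rule.email
        discarded = discarded or rule.discard
        if rule.stop_processing:
            break
    return emailed, discarded


def emailed_messages(rules, messages=SAMPLE_MESSAGES):
    """Return the messages that would generate an e-mail under this rule list."""
    return [m for m in messages if process(rules, m)[0]]


# The original rule: e-mail everything from the selected hosts.
EMAIL_ALL = Rule("email-all", pattern=".", email=True)

# 1. The fix from the thread: exclusion rule ABOVE the e-mail rule, with
#    both "Discard" and "Stop Processing". Dot escaped so only a literal
#    'A.DS2' is excluded.
CORRECT_ORDER = [
    Rule("drop-A.DS2", pattern=r"A\.DS2", discard=True, stop_processing=True),
    EMAIL_ALL,
]

# 2. Same two rules in the wrong order: the e-mail fires before the
#    exclusion rule is ever reached.
WRONG_ORDER = [EMAIL_ALL, CORRECT_ORDER[0]]

# 3. Exclusion rule first, but "Stop Processing" omitted: under the modeled
#    semantics the e-mail rule still fires even though the message is discarded.
DISCARD_WITHOUT_STOP = [
    Rule("drop-A.DS2", pattern=r"A\.DS2", discard=True),
    EMAIL_ALL,
]

# 4. Unescaped dot: 'A.DS2' as a regex also matches 'AxDS2', so an unrelated
#    message is silently suppressed.
UNESCAPED = [
    Rule("drop-A.DS2-unescaped", pattern="A.DS2", discard=True, stop_processing=True),
    EMAIL_ALL,
]

# 5. A single rule doing the exclusion inside the regex via negative lookahead.
#    Assumes the engine supports lookahead; the thread does not confirm this
#    for the Syslog Message Pattern box.
LOOKAHEAD_ONLY = [
    Rule("email-unless-A.DS2", pattern=r"^(?!.*A\.DS2).*$", email=True),
]

if __name__ == "__main__":
    for label, rules in [("correct order", CORRECT_ORDER),
                         ("wrong order", WRONG_ORDER),
                         ("discard without stop", DISCARD_WITHOUT_STOP),
                         ("unescaped dot", UNESCAPED),
                         ("lookahead only", LOOKAHEAD_ONLY)]:
        print(f"{label:22s} -> {emailed_messages(rules)}")
```

Running the script shows that only the correctly ordered two-rule chain and the lookahead variant e-mail exactly the three non-"A.DS2" messages; the wrong-order and discard-only chains e-mail all four, and the unescaped pattern drops the "AxDS2" message as well.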