Category: LINUX

2008-03-03 21:35:16

3.6. Filters

Filters perform log routing within syslog-ng: a message passes the filter if the filter expression is true for the particular message. If a log statement includes filters, the messages are sent to the destinations only if they pass all filters of the log path. For example, a filter can select only the messages originating from a particular host. Complex filters can be created using filter functions and logical boolean expressions.

# Annotation: filters implement routing in syslog-ng: a message that matches a filter rule is allowed through that filter.

# Filters are defined outside the log statement, not inside it.

# If a log statement contains filter definitions, a message is sent to the destination only if it matches "all of the filters". Note: it is "all of the filters", not "some filter".

# For example, you can use a filter to select only the messages coming from a particular host.

# Complex filters can be built from filter functions and boolean expressions.

To define a filter, add a filter statement to the syslog-ng configuration file using the following syntax:

# Annotation: to define a filter, use the filter keyword. The filter must also be given a name.

filter <identifier> { expression; };

The expression may contain the following elements:

# Annotation: the expression part can be one of the following three:

#     1. functions

#     2. parentheses

#     3. boolean expressions

  • The functions listed in . Some of the functions accept extended regular expressions as parameters.

  • Parentheses

  • The boolean operators and, or, not

Example 3.7. A simple filter statement

The following filter statement selects the messages that contain the word deny and come from the host example.

# Annotation: for example, the filter defined below selects the messages that contain the string "deny" and come from host example.

# Here, and is a boolean operator.

filter demo_filter { host("example") and match("deny"); };

For the filter to have effect, include it in a log statement:

# Annotation: for a filter to take effect, it must first be defined outside the log statement and then referenced from it.

# For example, in the log statement below, messages from the two sources s1 and s2 that match the demo_filter rule (contain the string deny and come from host example)

# are all sent to the two destinations d1 and d2.

log demo_filteredlog {
    source(s1); source(s2);
    filter(demo_filter);
    destination(d1); destination(d2);
};

The host(), match(), and program() filter functions accept regular expressions as parameters.

# Annotation: host(), match() and program() are all filter functions, and all three accept regexps.

filter demo_regexp_filter { host("system.*1") and match("deny"); };

Note

When a log statement includes multiple filter statements, syslog-ng sends a message to the destination only if all filters are true for the message. In other words, the filters are connected with the logical AND operator. In the following example, no message arrives to the destination, because the filters are exclusive (the hostname of a client cannot be example1 and example2 at the same time):

# Annotation: when a log statement contains several filter statements, a message is sent to the destination only if it matches all of the filters. In other words, the filters are joined with AND.

# In the example below no message is ever sent to the destination, because the filters exclude each other: a message would have to come from host example1 and host example2 at the same time, which is impossible.

filter demo_filter1 { host("example1"); };
filter demo_filter2 { host("example2"); };

log demo_filteredlog {
    source(s1); source(s2);
    filter(demo_filter1); filter(demo_filter2);
    destination(d1); destination(d2);
};

To select the messages that come from either host example1 or example2, use a single filter expression:

# Annotation: to express an OR relation, use a single filter and join the items inside it with or.

filter demo_filter { host("example1") or host("example2"); };

log demo_filteredlog {
    source(s1); source(s2);
    filter(demo_filter);
    destination(d1); destination(d2);
};

In the extended regular expressions, the characters ()[].*?+^$ are used as special symbols. Therefore, these characters have to be preceded with a backslash (\) if they are meant literally. For example, the \$40 expression matches the $40 string. Backslashes have to be escaped as well if they are meant literally. For example, the \\d expression matches the \d string.

# Annotation: because filters can use regexps, characters such as ( ), [ ], *, ?, +, ^ and $ are special; to match them literally they must be escaped with \.

# For example, to match messages containing the string $40, use \$40.

By default, all regular expressions are case sensitive. To disable the case sensitivity of the expression, start the expression with the (?i) string.

# Annotation: by default all regexps are case sensitive; to turn that off, put the string '(?i)' in front of the regexp.

filter demo_regexp_insensitive { host("(?i)system"); };

Note

In regular expressions, the asterisk (*) character means 0, 1 or any number of the previous expression. For example, in the f*ilter expression the asterisk means 0 or more f letters. This expression matches for the following strings: ilter, filter, ffilter, etc. To achieve the wildcard functionality commonly represented by the asterisk character in other applications, use .* in your expressions, e.g., f.*ilter.

The level() filter can select messages corresponding to a single importance level, or a level-range. To select messages of a specific level, use the name of the level as a filter parameter, e.g., use the following to select warning messages:

# Annotation: the level() filter function filters by severity; you can give several severities or a range. For example, the following selects only the messages whose severity is warning:

level(warning)

To select a range of levels, include the beginning and the ending level in the filter, separated with two dots (..). For example, to select every message of error or higher level, use the following filter:

# Annotation: a range is written with .. ; for example, the filter below selects every message from level err up to emerg:

# Supplement: this filtering is actually done on the internal numeric codes of the severities.

level(err..emerg)

Similarly, messages sent by a range of facilities can also be selected. Note that this is only possible when using the names of the facilities. It is not possible to select ranges using the numerical codes of the facilities.

# Annotation: there is likewise a facility filter function for selecting particular facilities, and it supports ranges too.

# It also filters on the internal numeric codes of the facilities.

facility(local0..local5)

For a complete list of the available levels and facilities, see .

For a complete description on the above functions, see .
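The following Python model is an added example, not code from the syslog-ng documentation or from this blog; it reproduces the filter semantics described above (unanchored regexps in host()/match()/program(), the (?i) prefix, several filter() statements ANDed within one log path, or inside a single filter, and level/facility ranges resolved through the numeric codes, names only). The message records and host names are constructed for the demonstration.

```python
import re

# Severity and facility names mapped to their syslog numeric codes (lower severity code = more urgent).
LEVELS = {n: i for i, n in enumerate(["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}
FACILITIES = {n: i for i, n in enumerate(["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron", "authpriv", "ftp"])}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})

# Filter functions return a predicate over one message (a dict). Regexps are unanchored searches,
# so host("system.*1") matches anywhere in the host name; "(?i)" at the start makes the pattern case-insensitive.
def host(pattern):    return lambda m: re.search(pattern, m["host"]) is not None
def program(pattern): return lambda m: re.search(pattern, m["program"]) is not None
def match(pattern):   return lambda m: re.search(pattern, m["msg"]) is not None
def either(*fs):      return lambda m: any(f(m) for f in fs)   # the "or" operator inside one filter

def _bounds(spec, table, kind):
    """Parse 'x' or 'x..y'. Only names are accepted; numeric codes are rejected, as the page states."""
    lo, _, hi = spec.partition("..")
    if lo not in table or (hi or lo) not in table:
        raise ValueError(f"{kind} ranges must use names, got {spec!r}")
    return sorted((table[lo], table[hi or lo]))   # err..emerg and emerg..err denote the same range

def level(spec):
    lo, hi = _bounds(spec, LEVELS, "level")
    return lambda m: lo <= LEVELS[m["level"]] <= hi

def facility(spec):
    lo, hi = _bounds(spec, FACILITIES, "facility")
    return lambda m: lo <= FACILITIES[m["facility"]] <= hi

def log_path(filters, messages):
    """A log statement: a message reaches the destinations only if EVERY filter() passes (logical AND)."""
    return [m["host"] for m in messages if all(f(m) for f in filters)]

MESSAGES = [  # constructed sample messages, not taken from the page
    {"host": "example1", "program": "sshd", "facility": "auth", "level": "warning", "msg": "deny user root"},
    {"host": "example2", "program": "kernel", "facility": "kern", "level": "crit", "msg": "Deny packet $40"},
    {"host": "system-node1", "program": "cron", "facility": "local3", "level": "info", "msg": "job ran"},
]

def demo():
    return {
        "exclusive":   log_path([host("example1"), host("example2")], MESSAGES),          # [] : two filters ANDed
        "or":          log_path([either(host("example1"), host("example2"))], MESSAGES),  # both hosts
        "regexp":      log_path([host("system.*1")], MESSAGES),                           # system-node1
        "dollar":      log_path([match(r"\$40")], MESSAGES),                              # example2 (escaped $)
        "insensitive": log_path([match("(?i)deny")], MESSAGES),                           # example1, example2
        "err_up":      log_path([level("err..emerg")], MESSAGES),                         # example2 (crit)
        "local":       log_path([facility("local0..local5")], MESSAGES),                  # system-node1
    }
```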

