Syslog-ng filter. How to log the exception?

[webuser6479]

Team,

I would like to deploy the syslog-ng like below and not sure if that's possible.

1. Configure all network devices to send log to Host A that's running syslog-ng.
2. On Host A, apply a filter that matches certain strings in the log. If it matches, it forwards those events to Host B. Anything not forwarded(or say not matched to the filters) should be logged to a local log file for review later on.

What I was able to figure out is forwarding the logs with filter. However I can't figure out how to define a filter that covers what's not matched. I thought about using "not" in the filter and create another filter to inverse it. However if there is any neat trick, I would like to learn.

Thanks in advance,

Sam

[mutex]

I think you're looking for this:

filter f_test { not match("test"); };

[webuser6479]

That's what I did. I was hoping there was a way to negate whole complex filter easily. I have multiple nested filters like this. I am showing you a smaller subset of my filters. I have roughly 11 individual filters called by main one.

filter f_pix {
  filter(f_pix_5) and filter(f_pix_6);
  };
filter f_pix_6 {
  not match("(PIX|ASA)-6-(30501[12]|106100)|30201[3-6]|106015:");
  };
filter f_pix_5 {
  not match("(PIX|ASA)-5-304001:");
  };

[mutex]

You could do something like this:

Code:

filter f_notpix {
  not filter(f_pix);
};

filter f_pix {
  filter(f_pix_5) and filter(f_pix_6);
  };
filter f_pix_6 {
  not match("(PIX|ASA)-6-(30501[12]|106100)|30201[3-6]|106015:");
  };
filter f_pix_5 {
  not match("(PIX|ASA)-5-304001:");
  };

or am I missing something more?