in-list filter with MESSAGE content

gjoshi asked 5 months ago

I am trying to filter messages matching text stored in a txt file (plain text, exact match, one word per line), but it's not working:

filter f_userlist { in-list("/etc/syslog-ng/userlist.list", value("MESSAGE")); };    ---> NOT WORKING

However, it works with value("PROGRAM"):

filter f_whitelist { in-list("/etc/syslog-ng/programlist.list", value("PROGRAM")); };  --->WORKING

Is anything missing? Or does the in-list filter not work with message contents?

1 Answer
Róbert Fekete Staff answered 5 months ago

Hi, AFAIK it should work for the MESSAGE as well. My guess is that the incoming message and the sample in the inlist file are not exact matches, or it’s possible that syslog-ng has a limit on the length of the line that it reads from the inlist file, and truncates it if it is longer (and hence they do not match). 
I’d suggest checking how long your messages in the inlist file are, to see if it works only for shorter messages, and using a dummy destination file with just $MESSAGE as a template to check whether the MESSAGE part of the incoming messages really matches the inlist file.
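
The comparison suggested in the answer, as an added example that is not part of the original thread: a Python helper that checks each line captured by a `$MESSAGE`-only dummy destination against the in-list file and reports why it is not an exact match. It assumes in-list matches only when the whole value equals one whole line of the file; the function names and sample data are constructed for illustration.

```python
# Added example: compare captured $MESSAGE values against in-list entries.
# Assumption: in-list matches only when the whole value equals one whole line.

def classify(message, entries):
    """Return (verdict, entry) explaining how `message` relates to the list."""
    if message in entries:
        return ("exact", message)
    for entry in entries:
        if message.strip() == entry.strip():
            return ("whitespace-differs", entry)  # trailing space, CR from CRLF
    for entry in entries:
        if message.strip().lower() == entry.strip().lower():
            return ("case-differs", entry)
    for entry in entries:
        if entry.strip() and entry.strip() in message.split():
            return ("entry-is-only-a-word-in-message", entry)
    return ("no-match", None)


def diagnose(list_text, captured_text):
    # Split on "\n" only, so a stray "\r" from a CRLF-edited file stays visible.
    entries = [l for l in list_text.split("\n") if l != ""]
    messages = [l for l in captured_text.split("\n") if l != ""]
    return [(m, *classify(m, entries)) for m in messages]


# Constructed sample data (not from the original post).
USERLIST = "alice\nbob\r\ncarol\n"  # the "bob" line was saved with CRLF
CAPTURED = (
    "alice\n"
    "bob\n"
    "Carol\n"
    "Accepted password for alice from 192.0.2.10\n"
    "session closed\n"
)

if __name__ == "__main__":
    for message, verdict, entry in diagnose(USERLIST, CAPTURED):
        print(f"{verdict:32} message={message!r} entry={entry!r}")
```

Any verdict other than `exact` points at a line that a whole-value comparison would reject, and `repr()` output makes invisible characters such as `\r` visible.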