| 1 |
On Wednesday 17 March 2010 01:22:59 Ralph Slooten wrote: |
| 2 |
> Hi all, |
| 3 |
> |
| 4 |
> Has anyone here worked out how to filter out syslog messages using |
| 5 |
> syslog-ng v3? The old syntax doesn't work (well complains bitterly about |
| 6 |
> performance and says to use regex), and no matter what I try I cannot get |
| 7 |
> the new syntax to work :-/ I have a syslog-ng server which logs to MySQL |
| 8 |
> for multiple clients in a network, however the database just keeps growing |
| 9 |
> with irrelevant data I'd prefer to just quietly ignore on the server side. |
| 10 |
> |
| 11 |
> I'm trying to filter out (exclude) messages such as: |
| 12 |
> (root) CMD (/root/bin/vmware-checker) |
| 13 |
> and |
| 14 |
> (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons ) |
| 15 |
> |
| 16 |
> ============== |
| 17 |
> filter myfilter { |
| 18 |
> not match("regex" value("\/usr\/sbin\/run-crons")) |
| 19 |
> and not match("regex" value("vmware-checker")); |
| 20 |
> } |
| 21 |
|
| 22 |
Hah! this caught me out too. |
| 23 |
|
| 24 |
The value of "value" cannot be anything arbitrary - syslog-ng has no clue what |
| 25 |
you mean. The value is a field name, either a pre-defined one, or something |
| 26 |
you defined using a parser. The docs are ambiguous on this, it's not clear |
| 27 |
that the supplied values are abstracts. You are truing to search for the |
| 28 |
string "regex" in a field called /usr/bin/vmware-checker. |
| 29 |
|
| 30 |
Which obviously will not work. |
| 31 |
|
| 32 |
I think you want: |
| 33 |
|
| 34 |
match("\/usr\/sbin\/run-crons" value "MESSAGE") |
| 35 |
|
| 36 |
Note that it is MESSAGE. You want the field name, not it's dereferenced value. |
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
> log { |
| 41 |
> source(src); |
| 42 |
> source(remote); |
| 43 |
> filter(myfilter); |
| 44 |
> destination(d_mysql); |
| 45 |
> }; |
| 46 |
> =============== |
| 47 |
> |
| 48 |
> However they just keep coming through the filter (ie: not matching the "not |
| 49 |
> match" filter). I've tried escaping the slashes, not escaping them ... even |
| 50 |
> partial words, but I obviously am missing something somewhere. |
| 51 |
> |
| 52 |
> Anyone have any ideas? |
| 53 |
> |
| 54 |
> Thanks in advance, |
| 55 |
> Ralph |
| 56 |
|
| 57 |
-- |
| 58 |
alan dot mckinnon at gmail dot com |
Archives