| 1 |
On Wednesday 17 March 2010 22:16:20 Ralph Slooten wrote: |
| 2 |
> Fantastic, you hit the nail right on the head! Works like a charm now. |
| 3 |
> |
| 4 |
> Now I'm wondering how it is you found out that it was this way and not the |
| 5 |
> other? Robert maintains the documentation for rsync which I did look at, |
| 6 |
> but with 225 pages I wasn't able to find this useful piece of information. |
| 7 |
> Man syslog-ng.conf does not explain it either, in fact I searched Google |
| 8 |
> and found several "tutorials", none mentioning this ;-) |
| 9 |
|
| 10 |
I read documentation, man pages and google all day every day, some things just |
| 11 |
get intuitive :-) |
| 12 |
|
| 13 |
Seriously though, there are a few hints. Syslog-ng's config file format was |
| 14 |
written by programmers for programmers to be understood by programmers. That |
| 15 |
may not have been the stated intent, but it is how things turned out. The |
| 16 |
syntax is exactly that of C, all the way down to braces and statement |
| 17 |
terminators. So, when reading the docs, I flicked the switch that puts my |
| 18 |
brain in C-mode. |
| 19 |
|
| 20 |
Also, there's an example in the admin guide pdf chapter 3 "Configuring syslog- |
| 21 |
ng", something like: |
| 22 |
|
| 23 |
match("string" value(MESSAGE); |
| 24 |
|
| 25 |
It says that MESSAGE is exactly that and must not be dereferenced with "$" |
| 26 |
|
| 27 |
That was a dead give-away |
| 28 |
|
| 29 |
> |
| 30 |
> Maybe I'm the idiot here, however I thought that this was a common way of |
| 31 |
> getting rid of unwanted crud from the syslog? |
| 32 |
|
| 33 |
It IS the ideal way to pre-filter logs based on the message content. Pre |
| 34 |
version 3, you could only match on the entire message, so the feature to be |
| 35 |
able to search just a user-defined chunk of the log entry is a major plus |
| 36 |
|
| 37 |
> Also, I just read the gentoo-wiki site page again and it says : |
| 38 |
> |
| 39 |
> filter f_shorewall { not match("regex" value("Shorewall")); }; # |
| 40 |
> Filter everything except regex keyword Shorewall |
| 41 |
> |
| 42 |
> Surely this is the exact same mistake I made? Either that or I'm reading it |
| 43 |
> wrong.... |
| 44 |
|
| 45 |
No, you are not reading it wrong - the gentoo guide is wrong. It's a common |
| 46 |
mistake, as the syntax looks like it's a name-value pair. To my mind, the |
| 47 |
label "value" should instead be "field" or some synonym of that. |
| 48 |
|
| 49 |
All the evidence indicates to me that the syntax makes sense once you "get" |
| 50 |
how it works, but most folks' initial assumption about it is wrong, and the |
| 51 |
developer never spotted his serious case of being blinded by his own |
| 52 |
understanding. |
| 53 |
|
| 54 |
I see Robert responded here earlier. Perhaps he'll see this post and re-look |
| 55 |
at that section in a new light with a view to making a patch |
| 56 |
|
| 57 |
|
| 58 |
|
| 59 |
> |
| 60 |
> On 17 March 2010 23:39, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 61 |
> > On Wednesday 17 March 2010 01:22:59 Ralph Slooten wrote: |
| 62 |
> > > Hi all, |
| 63 |
> > > |
| 64 |
> > > Has anyone here worked out how to filter out syslog messages using |
| 65 |
> > > syslog-ng v3? The old syntax doesn't work (well complains bitterly |
| 66 |
> > > about performance and says to use regex), and no matter what I try I |
| 67 |
> > > cannot get the new syntax to work :-/ I have a syslog-ng server which |
| 68 |
> > > logs to MySQL for multiple clients in a network, however the database |
| 69 |
> > > just keeps |
| 70 |
> > |
| 71 |
> > growing |
| 72 |
> > |
| 73 |
> > > with irrelevant data I'd prefer to just quietly ignore on the server |
| 74 |
> > |
| 75 |
> > side. |
| 76 |
> > |
| 77 |
> > > I'm trying to filter out (exclude) messages such as: |
| 78 |
> > > (root) CMD (/root/bin/vmware-checker) |
| 79 |
> > > |
| 80 |
> > > and |
| 81 |
> > > |
| 82 |
> > > (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons ) |
| 83 |
> > > |
| 84 |
> > > ============== |
| 85 |
> > > filter myfilter { |
| 86 |
> > > |
| 87 |
> > > not match("regex" value("\/usr\/sbin\/run-crons")) |
| 88 |
> > > and not match("regex" value("vmware-checker")); |
| 89 |
> > > |
| 90 |
> > > } |
| 91 |
> > |
| 92 |
> > Hah! this caught me out too. |
| 93 |
> > |
| 94 |
> > The value of "value" cannot be anything arbitrary - syslog-ng has no clue |
| 95 |
> > what |
| 96 |
> > you mean. The value is a field name, either a pre-defined one, or |
| 97 |
> > something you defined using a parser. The docs are ambiguous on this, |
| 98 |
> > it's not clear that the supplied values are abstracts. You are truing to |
| 99 |
> > search for the string "regex" in a field called /usr/bin/vmware-checker. |
| 100 |
> > |
| 101 |
> > Which obviously will not work. |
| 102 |
> > |
| 103 |
> > I think you want: |
| 104 |
> > |
| 105 |
> > match("\/usr\/sbin\/run-crons" value "MESSAGE") |
| 106 |
> > |
| 107 |
> > Note that it is MESSAGE. You want the field name, not it's dereferenced |
| 108 |
> > value. |
| 109 |
> > |
| 110 |
> > > log { |
| 111 |
> > > |
| 112 |
> > > source(src); |
| 113 |
> > > source(remote); |
| 114 |
> > > filter(myfilter); |
| 115 |
> > > destination(d_mysql); |
| 116 |
> > > |
| 117 |
> > > }; |
| 118 |
> > > =============== |
| 119 |
> > > |
| 120 |
> > > However they just keep coming through the filter (ie: not matching the |
| 121 |
> > |
| 122 |
> > "not |
| 123 |
> > |
| 124 |
> > > match" filter). I've tried escaping the slashes, not escaping them ... |
| 125 |
> > |
| 126 |
> > even |
| 127 |
> > |
| 128 |
> > > partial words, but I obviously am missing something somewhere. |
| 129 |
> > > |
| 130 |
> > > Anyone have any ideas? |
| 131 |
> > > |
| 132 |
> > > Thanks in advance, |
| 133 |
> > > Ralph |
| 134 |
> > |
| 135 |
> > -- |
| 136 |
> > alan dot mckinnon at gmail dot com |
| 137 |
|
| 138 |
-- |
| 139 |
alan dot mckinnon at gmail dot com |
Archives