On Wednesday 17 March 2010 22:16:20 Ralph Slooten wrote:
> Fantastic, you hit the nail right on the head! Works like a charm now.
>
> Now I'm wondering how it is you found out that it was this way and not the
> other? Robert maintains the documentation for rsync which I did look at,
> but with 225 pages I wasn't able to find this useful piece of information.
> Man syslog-ng.conf does not explain it either, in fact I searched Google
> and found several "tutorials", none mentioning this ;-)

I read documentation, man pages and google all day every day, some things just
get intuitive :-)

Seriously though, there are a few hints. Syslog-ng's config file format was
written by programmers for programmers to be understood by programmers. That
may not have been the stated intent, but it is how things turned out. The
syntax is exactly that of C, all the way down to braces and statement
terminators. So, when reading the docs, I flicked the switch that puts my
brain in C-mode.

Also, there's an example in the admin guide pdf chapter 3 "Configuring
syslog-ng", something like:

match("string" value(MESSAGE));

It says that MESSAGE is exactly that and must not be dereferenced with "$".

That was a dead give-away.

>
> Maybe I'm the idiot here, however I thought that this was a common way of
> getting rid of unwanted crud from the syslog?

It IS the ideal way to pre-filter logs based on the message content. Pre
version 3, you could only match on the entire message, so the feature to be
able to search just a user-defined chunk of the log entry is a major plus.

> Also, I just read the gentoo-wiki site page again and it says :
>
> filter f_shorewall { not match("regex" value("Shorewall")); }; #
> Filter everything except regex keyword Shorewall
>
> Surely this is the exact same mistake I made? Either that or I'm reading it
> wrong....

No, you are not reading it wrong - the gentoo guide is wrong. It's a common
mistake, as the syntax looks like it's a name-value pair. To my mind, the
label "value" should instead be "field" or some synonym of that.

All the evidence indicates to me that the syntax makes sense once you "get"
how it works, but most folks' initial assumption about it is wrong, and the
developer never spotted his serious case of being blinded by his own
understanding.

I see Robert responded here earlier. Perhaps he'll see this post and re-look
at that section in a new light with a view to making a patch.

>
> On 17 March 2010 23:39, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
> > On Wednesday 17 March 2010 01:22:59 Ralph Slooten wrote:
> > > Hi all,
> > >
> > > Has anyone here worked out how to filter out syslog messages using
> > > syslog-ng v3? The old syntax doesn't work (well complains bitterly
> > > about performance and says to use regex), and no matter what I try I
> > > cannot get the new syntax to work :-/ I have a syslog-ng server which
> > > logs to MySQL for multiple clients in a network, however the database
> > > just keeps growing with irrelevant data I'd prefer to just quietly
> > > ignore on the server side.
> > >
> > > I'm trying to filter out (exclude) messages such as:
> > > (root) CMD (/root/bin/vmware-checker)
> > >
> > > and
> > >
> > > (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
> > >
> > > ==============
> > > filter myfilter {
> > >     not match("regex" value("\/usr\/sbin\/run-crons"))
> > >     and not match("regex" value("vmware-checker"));
> > > };
> >
> > Hah! this caught me out too.
> >
> > The value of "value" cannot be anything arbitrary - syslog-ng has no clue
> > what you mean. The value is a field name, either a pre-defined one, or
> > something you defined using a parser. The docs are ambiguous on this,
> > it's not clear that the supplied values are abstracts. You are trying to
> > search for the string "regex" in a field called /usr/bin/vmware-checker.
> >
> > Which obviously will not work.
> >
> > I think you want:
> >
> > match("\/usr\/sbin\/run-crons" value("MESSAGE"))
> >
> > Note that it is MESSAGE. You want the field name, not its dereferenced
> > value.
> >
> > > log {
> > >     source(src);
> > >     source(remote);
> > >     filter(myfilter);
> > >     destination(d_mysql);
> > > };
> > > ===============
> > >
> > > However they just keep coming through the filter (ie: not matching the
> > > "not match" filter). I've tried escaping the slashes, not escaping them
> > > ... even partial words, but I obviously am missing something somewhere.
> > >
> > > Anyone have any ideas?
> > >
> > > Thanks in advance,
> > > Ralph
> >
> > --
> > alan dot mckinnon at gmail dot com

--
alan dot mckinnon at gmail dot com
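For readers arriving via search, here is the whole thing as a syslog-ng 3 configuration fragment: the broken form from the original question beside the corrected one. This is an added example, not text from either poster; the source names `src` and `remote`, the destination `d_mysql` and the two cron messages come from Ralph's mail, everything else is assumed for illustration.

```conf
# Added example (not from the thread). Names follow Ralph's config; the two
# regexes target the cron lines he quoted.

# WRONG: in match(), the first argument is the regex and value() names the
# FIELD to search. This form therefore looks for the literal text "regex"
# inside non-existent fields called "/usr/sbin/run-crons" and
# "vmware-checker". Nothing ever matches, each "not match" is always true,
# and every message goes straight through to MySQL.
#
#   filter myfilter {
#       not match("regex" value("/usr/sbin/run-crons"))
#       and not match("regex" value("vmware-checker"));
#   };

# RIGHT: regex first, value("MESSAGE") second. MESSAGE is the field name,
# written without "$". A forward slash is an ordinary character in the
# regex, so the slashes need no escaping.
filter myfilter {
    not match("/usr/sbin/run-crons" value("MESSAGE"))
    and not match("vmware-checker" value("MESSAGE"));
};

# Same log path as in the original question: anything myfilter rejects
# never reaches the database.
log {
    source(src);
    source(remote);
    filter(myfilter);
    destination(d_mysql);
};
```

Check the file before reloading with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (`-s` is the syntax-only check), then send one of the offending cron lines through and confirm it no longer appears in the table. A filter like this drops every message containing the string from any host and any program, including a future log line that merely mentions the path; if that matters, narrow the filter with an additional condition such as `program("cron")` (assuming the noisy entries are logged under that program name on your clients).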