Fantastic, you hit the nail right on the head! Works like a charm now.

Now I'm wondering how it is you found out that it was this way and not the
other? Robert maintains the documentation for rsync which I did look at, but
with 225 pages I wasn't able to find this useful piece of information. Man
syslog-ng.conf does not explain it either, in fact I searched Google and
found several "tutorials", none mentioning this ;-)

Maybe I'm the idiot here, however I thought that this was a common way of
getting rid of unwanted crud from the syslog?

Also, I just read the gentoo-wiki site page again and it says:

filter f_shorewall { not match("regex" value("Shorewall")); }; # Filter everything except regex keyword Shorewall

Surely this is the exact same mistake I made? Either that or I'm reading it
wrong....

On 17 March 2010 23:39, Alan McKinnon <alan.mckinnon@×××××.com> wrote:

> On Wednesday 17 March 2010 01:22:59 Ralph Slooten wrote:
> > Hi all,
> >
> > Has anyone here worked out how to filter out syslog messages using
> > syslog-ng v3? The old syntax doesn't work (well complains bitterly about
> > performance and says to use regex), and no matter what I try I cannot get
> > the new syntax to work :-/ I have a syslog-ng server which logs to MySQL
> > for multiple clients in a network, however the database just keeps growing
> > with irrelevant data I'd prefer to just quietly ignore on the server side.
> >
> > I'm trying to filter out (exclude) messages such as:
> > (root) CMD (/root/bin/vmware-checker)
> > and
> > (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
> >
> > ==============
> > filter myfilter {
> > not match("regex" value("\/usr\/sbin\/run-crons"))
> > and not match("regex" value("vmware-checker"));
> > }
>
> Hah! this caught me out too.
>
> The value of "value" cannot be anything arbitrary - syslog-ng has no clue what
> you mean. The value is a field name, either a pre-defined one, or something
> you defined using a parser. The docs are ambiguous on this, it's not clear
> that the supplied values are abstracts. You are trying to search for the
> string "regex" in a field called /usr/bin/vmware-checker.
>
> Which obviously will not work.
>
> I think you want:
>
> match("\/usr\/sbin\/run-crons" value("MESSAGE"))
>
> Note that it is MESSAGE. You want the field name, not its dereferenced
> value.
>
> > log {
> > source(src);
> > source(remote);
> > filter(myfilter);
> > destination(d_mysql);
> > };
> > ===============
> >
> > However they just keep coming through the filter (ie: not matching the "not
> > match" filter). I've tried escaping the slashes, not escaping them ... even
> > partial words, but I obviously am missing something somewhere.
> >
> > Anyone have any ideas?
> >
> > Thanks in advance,
> > Ralph
>
> --
> alan dot mckinnon at gmail dot com
>
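
The fix discussed in this thread, written out as a full filter and log path. This is an added example, not part of the original messages; it assumes the sources `src` and `remote` and the destination `d_mysql` are defined elsewhere in syslog-ng.conf as in the original post, and it writes the pattern with unescaped slashes.

```conf
# Added example. Assumes sources "src" and "remote" and destination "d_mysql"
# are defined elsewhere in syslog-ng.conf, as in the original post.

# Broken form from the thread: the arguments are swapped. It searches for the
# text "regex" in a field named "vmware-checker"; as the reply explains, that
# cannot match, so "not match" is always true and every message passes.
# filter myfilter {
#     not match("regex" value("vmware-checker"));
# };

# Corrected form: the first argument is the regular expression, and value()
# names the field (macro) to search, here MESSAGE.
filter myfilter {
    not match("/usr/sbin/run-crons" value("MESSAGE"))
    and not match("vmware-checker" value("MESSAGE"));
};

log {
    source(src);
    source(remote);
    filter(myfilter);
    destination(d_mysql);
};

# The patterns are unanchored, so any message containing either string is
# dropped before it reaches MySQL; keep them as specific as the noise allows
# so that other cron activity is still recorded.
# Check the file with "syslog-ng --syntax-only" before reloading.
```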