Re: [syslog-ng] Not able to match on a field in syslog messages from a DataPower Appliance
USER.DEBUG: Jul 15 18:23:44 DPRASSyslogAudit3 [system][debug] trans(383): cpu usage: 57%(10 sec) 57%(1 min) 57%(10 min) 56%(1 hour) 58%(1 day)
In syslog wire protocol the field immediately after the timestamp is the hostname, so this message would be interpreted as being from a host called DPRASSyslogAudit3. Your filters are not matching these messages because match() only matches elements of the message body and the text you're looking for does not appear in the message body.
Joe.
That's actually what I thought (but forgot to mention in my earlier email), but when I try to match on host it doesn't catch anything either. Neither of these catch anything:
filter group_syncDPextest { host("DP[:digit:]+Syslog") or host("DPRASSyslogAudit[:digit:]+") ;};
filter group_syncDPextest { host("DP") ;};
Is this because the host filter actually comes from the source host of the packet and not the message itself? Are DataPower's syslog messages just broken or non-RFC compliant? Should I just give up and try to match on other strings in the message? Thanks again for all your help on this weird problem.
Adam
Hi,
That's actually what thought (but forgot to mention in my earlier email), but when I try to match on host it doesn't catch anything either. Neither of these catch anything:
filter group_syncDPextest { host("DP[:digit:]+Syslog") or host("DPRASSyslogAudit[:digit:]+") ;};
Correct me if I'm wrong but [:digit:] isn't exactly what you're after. Use [[:digit:]] instead.
Regards,
Sandor
Yes, looking closer at the syntax I believe you are absolutely right. Sorry for the oversight. I believe I actually want to use + for one or more: [[:digit:]+]
filter group_syncDPextest { host("DP[[:digit:]+]Syslog") or host("DPRASSyslogAudit[[:digit:]+]") or host("DP") ;};
But that begs the question, because I am still not getting anything when I use host("DP"). It's like even though the Local Identifier is in the hostname field it is not being matched against as the hostname. Does the hostname filter come from this field in the message or from the packet itself? If this field cannot be matched against, that is fine. I will just have to work a little more to get my filters right based on the actual log message content, but I told the IBM support people I would give it the old college try. It would be much easier for me to filter based on the Local ID but, oh well. Thanks again.
adam
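To make concrete why host() and match() see different text, here is an added Go emulation (not from the thread and not syslog-ng's own code) that splits the quoted DataPower line the way the thread describes and applies the candidate patterns to the parsed host and to the body. It assumes keep_hostname(yes); with syslog-ng's default keep_hostname(no) the parsed host is replaced by the sender's address before host() ever evaluates it, which would explain host("DP") matching nothing.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the DataPower line quoted in the thread as syslog-ng would
// receive it on the wire (the archive's "USER.DEBUG:" prefix is not wire data).
const Sample = "Jul 15 18:23:44 DPRASSyslogAudit3 [system][debug] trans(383): cpu usage: 57%(10 sec) 57%(1 min) 57%(10 min) 56%(1 hour) 58%(1 day)"

// SplitBSD splits a BSD-style syslog line: the "Mmm dd hh:mm:ss" timestamp is
// 15 characters, the next space-delimited token is the hostname, the rest is body.
func SplitBSD(line string) (ts, host, body string, ok bool) {
	if len(line) < 17 || line[15] != ' ' {
		return "", "", "", false
	}
	rest := line[16:]
	i := strings.IndexByte(rest, ' ')
	if i < 0 {
		return "", "", "", false
	}
	return line[:15], rest[:i], rest[i+1:], true
}

// HostFilter mimics syslog-ng's host(): the regex runs against the parsed HOST
// field only. MatchFilter mimics match() as the thread describes it: body only,
// never the header. An invalid pattern counts as no match.
func HostFilter(pattern, line string) bool {
	_, host, _, ok := SplitBSD(line)
	return ok && matches(pattern, host)
}

func MatchFilter(pattern, line string) bool {
	_, _, body, ok := SplitBSD(line)
	return ok && matches(pattern, body)
}

func matches(pattern, s string) bool {
	re, err := regexp.Compile(pattern)
	return err == nil && re.MatchString(s)
}

func main() {
	// [:digit:] with no outer brackets is a class of the characters : d g i t,
	// not "a digit"; the POSIX class needs the double brackets [[:digit:]].
	for _, p := range []string{"DP", "DPRASSyslogAudit[:digit:]+", "DPRASSyslogAudit[[:digit:]]+"} {
		fmt.Printf("host(%q)=%v  match(%q)=%v\n", p, HostFilter(p, Sample), p, MatchFilter(p, Sample))
	}
}
```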