exclude pattern from logging
Hello guys,
I'm trying to config syslog-ng to ignore and not log some strings. I'm using syslog-ng-3.2.5-4.el6.x86_64 on CentOS 6.5; the config is pretty simple:

# cat /etc/syslog-ng/syslog-ng.conf
@version:3.2

options {
    check_hostname(yes);
    keep_hostname(yes);
    stats_freq(0);
    chain_hostnames(no);
};

source inputs {
    internal();
    unix-stream("/dev/log");
    udp();
    tcp(max_connections(100));
};

destination logpile {
    file("/logs/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
         owner(root) group(root) perm(0600)
         create_dirs(yes) dir_perm(0700));
};

#filter vmware_filter { match("Section for VMware ESX" value ("MESSAGE")); };
#filter vmware_filter { message("Section for VMware ESX"); };
filter vmware_filter { not message("Section for VMware ESX"); };

#log { source(inputs); filter(vmware_filter); flags(final); };
#log { source(inputs); destination(logpile); };
log { source(inputs); filter(vmware_filter); destination(logpile); };

but I cannot find the right key. What's wrong in this config? You can see the old configurations applied.
Thanks for any tip.
-f
You need both log paths. One is filtering out and the other is collecting the remaining. Also, the order of the log statements is important.

This is how I filtered out some annoying qemu bug :))

filter f_qemu_bug {
    match("kernel" value("PROGRAM")); and
    match("unable to execute QEMU command \'qom-get\'" value("MESSAGE"));
};
filter f_variety_bug {
    match("kernel" value("PROGRAM")); and
    match("Failed to set the background" value("MESSAGE"));
};

#get rid of qemu bug
log { source(s_local); filter(f_qemu_bug); flags(final); };
#get rid of variety bug
log { source(s_local); filter(f_variety_bug); flags(final); };
#separate firewall log
log { source(s_local); filter(f_iptables); destination(d_firewall); flags(final); };
#remaining
log { source(s_local); destination(d_messages); };

Vlad

On 24 September 2014 12:48, fRANz <andrea.francesconi@gmail.com> wrote:
> Hello guys, I'm trying to config syslog-ng to ignore and not log some strings.
> [...]
On Thu, Sep 25, 2014 at 11:31 AM, Pál, László <vlad@vlad.hu> wrote:
> You need both log paths. One is filtering out and the other is collecting the remaining. Also, the order of the log statements is important.

Vlad, thank you for your reply. I followed your tips but syslog-ng is still logging... What am I missing in the config? The current one is:

# cat /etc/syslog-ng/syslog-ng.conf
@version:3.2

options {
    check_hostname(yes);
    keep_hostname(yes);
    stats_freq(0);
    chain_hostnames(no);
};

source inputs {
    internal();
    unix-stream("/dev/log");
    udp();
    tcp(max_connections(100));
};

destination logpile {
    file("/logs/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
         owner(root) group(root) perm(0600)
         create_dirs(yes) dir_perm(0700));
};

filter vmware_filter { match("Section for VMware ESX" value ("MESSAGE")); };

log { source(inputs); filter(vmware_filter); flags(final); };
log { source(inputs); destination(logpile); };

Thanks,
-f
Hi,
are you sure your pattern matches?

L:

On 26 September 2014 08:38, fRANz <andrea.francesconi@gmail.com> wrote:
> Vlad, thank you for your reply. I followed your tips but syslog-ng is still logging...
> [...]
On Tue, Sep 30, 2014 at 10:04 AM, Pál, László <vlad@vlad.hu> wrote:
> Hi, are you sure your pattern matches?

Vlad, it's my fault: the pattern was not ok. Now I corrected it and the filter works perfectly. Thank you again, sorry for the noise.
-f
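
Added example, not part of the original thread and not syslog-ng code: a small Python model of how the log statements discussed above are walked in order and how flags(final) stops processing, used to check a drop rule against sample messages. The names LogPath, route and audit and the sample messages are constructed for illustration, and Python's re.search stands in for syslog-ng's regex matching.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class LogPath:
    pattern: Optional[str]       # regex tested against MESSAGE; None = no filter
    destination: Optional[str]   # None = no destination, so a match is discarded
    final: bool = False          # models flags(final)
    negate: bool = False         # models "not message(...)"

def route(paths: List[LogPath], message: str) -> List[str]:
    """Walk the log paths in config order; return the destinations reached."""
    delivered = []
    for p in paths:
        if p.pattern is not None:
            hit = re.search(p.pattern, message) is not None
            if hit == p.negate:
                continue         # filter rejected the message; try the next path
        if p.destination:
            delivered.append(p.destination)
        if p.final:
            break                # later log statements never see this message
    return delivered

PATTERN = "Section for VMware ESX"
DROP = LogPath(PATTERN, None, final=True)           # filter + flags(final), no destination
CATCH_ALL = LogPath(None, "logpile")                # the "remaining" log path
SINGLE = LogPath(PATTERN, "logpile", negate=True)   # one path with a negated filter

# Constructed sample messages (not taken from the thread).
NOISE = "Section for VMware ESX, pid=4121, version=5.1.0"
OTHER = "Accepted publickey for root from 192.0.2.10 port 50022"
NEAR_MISS = "section for vmware esx, pid=4121"      # differs only in case

def audit(paths, samples):
    """Map each sample to where it lands, to review a drop rule before deploying it."""
    return {m: route(paths, m) for m in samples}

if __name__ == "__main__":
    for name, cfg in [("drop first", [DROP, CATCH_ALL]),
                      ("catch-all first", [CATCH_ALL, DROP]),
                      ("single negated path", [SINGLE])]:
        print(name, audit(cfg, [NOISE, OTHER, NEAR_MISS]))
```

With the catch-all path first, or with a pattern that does not match the real message text, the unwanted message still reaches logpile, which is the symptom reported in the thread.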
participants (2)
- fRANz
- Pál, László