Currently on 3.2.4. I am using patterndb to classify my incoming logs and want to send those that match pattern rules to a particular destination.

filter f_unknown { "${.classifier.class}" ne 'unknown' ; };

but this appears to always fail (if I change ne to eq then I get everything). I have also tried using match with the same result.

Russell
Try this filter

filter f_unknown { tags(".classifier.unknown"); };

Evan Rempel 250.271.7691
University Systems, University of Victoria

Russell Fulton <r.fulton@auckland.ac.nz> wrote:

> Currently on 3.2.4. I am using patterndb to classify my incoming logs and want to send those that match pattern rules to a particular destination.
>
> filter f_unknown { "${.classifier.class}" ne 'unknown' ; };
>
> but this appears to always fail (if I change ne to eq then I get everything). I have also tried using match with the same result.
>
> Russell

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On 11/05/2013, at 2:26 PM, Evan Rempel <erempel@uvic.ca> wrote:

> Try this filter
>
> filter f_unknown { tags(".classifier.unknown"); };

This always appears to return true. I.e. this filter includes everything. Negating it includes nothing.

I have tried to install 3.2.5 as this is the last version that ELSA is confirmed to work with but that does not start:

Starting syslog-ng
/usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libsyslog-ng.so.0: cannot open shared object file: No such file or directory

So far as I can tell all the lib files are present and correct and in the same place as the previous version? I have syslog-ng installed in /usr/local/syslog-ng-<version> and a symlink /usr/local/syslog-ng pointing to the version to use.

Russell
This definitely works. I'm using it right now. If it isn't working, then your pattern in the patterndb is not matching. We literally run millions of messages per hour through this exact filter ... I copied and pasted it from our pattern database.

Evan Rempel 250.271.7691
University Systems, University of Victoria

Russell Fulton <r.fulton@auckland.ac.nz> wrote:

> On 11/05/2013, at 2:26 PM, Evan Rempel <erempel@uvic.ca> wrote:
>
>> Try this filter
>>
>> filter f_unknown { tags(".classifier.unknown"); };
>
> This always appears to return true. I.e. this filter includes everything. Negating it includes nothing.
>
> I have tried to install 3.2.5 as this is the last version that ELSA is confirmed to work with but that does not start:
>
> Starting syslog-ng
> /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libsyslog-ng.so.0: cannot open shared object file: No such file or directory
>
> So far as I can tell all the lib files are present and correct and in the same place as the previous version? I have syslog-ng installed in /usr/local/syslog-ng-<version> and a symlink /usr/local/syslog-ng pointing to the version to use.
>
> Russell
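The routing Evan describes only behaves as expected when the db-parser runs in the same log path, ahead of the filter that tests the tag: the .classifier.* tags and name-value pairs are set by the parser, so a filter evaluated on a path without the parser sees every message as untagged. The following syslog-ng configuration is an added example, not configuration from either poster; the source, file paths, pattern database location and destination names are assumptions for illustration.

```conf
# Added example (not from the thread). Assumed locations: the pattern database
# at /etc/syslog-ng/patterndb.xml and log files under /var/log.
source s_net { udp(ip(0.0.0.0) port(514)); };

# The parser is what sets the classifier tags; without it in the path every
# message carries neither .classifier.unknown nor .classifier.<class>.
parser p_db { db-parser(file("/etc/syslog-ng/patterndb.xml")); };

# Unmatched messages carry the .classifier.unknown tag.
filter f_unknown    { tags(".classifier.unknown"); };
# Everything else matched some rule in the database.
filter f_classified { not tags(".classifier.unknown"); };

destination d_unknown { file("/var/log/unclassified.log"); };

# Record which rule fired so misclassifications can be traced back to the db.
destination d_classified {
    file("/var/log/classified.log"
         template("${ISODATE} ${HOST} ${PROGRAM} class=${.classifier.class} rule=${.classifier.rule_id} ${MSG}\n"));
};

# Parser first, then the tag filter, on both branches.
log { source(s_net); parser(p_db); filter(f_unknown);    destination(d_unknown); };
log { source(s_net); parser(p_db); filter(f_classified); destination(d_classified); };
```

Two checks are worth running before touching the filters. A ruleset in the pattern database only applies when its program pattern matches ${PROGRAM} of the incoming message, so a message whose header does not parse to the expected program name will never be classified no matter how good the message patterns are; `pdbtool match -p /etc/syslog-ng/patterndb.xml -P <program> -M "<message text>"` (pdbtool ships with syslog-ng) reports whether a given message hits a rule, and with which class, without restarting the daemon. Writing the unclassified stream to its own file, as above, also makes the "everything is unknown" failure visible immediately instead of silently dropping security-relevant events into the wrong destination.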