Re: syslog-ng Digest, Vol 24, Issue 33
I appreciate the help Bazsi. I receive around 600 of these messages daily; do you know when these messages are generated? Is there any way to change that time to, let's say, one message/hour? TIA!
On Sun, 2007-04-29 at 10:25 -0600, Fabian Pucciarelli wrote:
I have syslog-ng writing to a mysql pipe and then a little script reading the pipe and writing to the db. I currently receive many messages like the following; I wonder if someone can help me figure out what this message is saying..... thanks.
| mailux | syslog | notice | notice | 2d | 2007-04-13 | 01:16:40 | syslog-ng | syslog-ng[30548]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=40295', processed='center(received)=13206', processed='destination(d_mysql)=40295', processed='source(net_tcp)=0', processed='source(src)=8962', processed='source(net_udp)=4244' | 46674 |
This contains the various message counters that syslog-ng maintains internally. 'processed' counters just count how many messages were processed at the given point, 'dropped' counters indicate how many log messages were dropped by syslog-ng itself. The string in the parentheses tells where the given counter is counting inside syslog-ng. 'center' is the main log message dispatching mechanism, it received 13206 messages from various sources and then sent 40295 messages out, e.g. you are probably sending individual messages to multiple destinations. You have two sources, one named 'src' generated 8962, the other called 'net_udp' 4244 messages.
-- Bazsi
On 4/30/07, syslog-ng-request@lists.balabit.hu <syslog-ng-request@lists.balabit.hu> wrote:
Send syslog-ng mailing list submissions to syslog-ng@lists.balabit.hu
To subscribe or unsubscribe via the World Wide Web, visit https://lists.balabit.hu/mailman/listinfo/syslog-ng or, via email, send a message with subject or body 'help' to syslog-ng-request@lists.balabit.hu
You can reach the person managing the list at syslog-ng-owner@lists.balabit.hu
When replying, please edit your Subject line so it is more specific than "Re: Contents of syslog-ng digest..."
Today's Topics:
1. Re: syslog-ng Digest, Vol 24, Issue 32 (Fabian Pucciarelli)
2. Re: turn off case sensitivity for match regex filter (Balazs Scheidler)
3. Re: Re: syslog-ng Digest, Vol 24, Issue 32 (Balazs Scheidler)
----------------------------------------------------------------------
Message: 1
Date: Sun, 29 Apr 2007 10:25:18 -0600
From: "Fabian Pucciarelli" <fabiangp@gmail.com>
Subject: [syslog-ng] Re: syslog-ng Digest, Vol 24, Issue 32
To: syslog-ng@lists.balabit.hu
Message-ID: <1e6757090704290925n541deb73t13eace5731aced3b@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
I have syslog-ng writing to a mysql pipe and then a little script reading the pipe and writing to the db. I currently receive many messages like the following; I wonder if someone can help me figure out what this message is saying..... thanks.
| mailux | syslog | notice | notice | 2d | 2007-04-13 | 01:16:40 | syslog-ng | syslog-ng[30548]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', processed='center(queued)=40295', processed='center(received)=13206', processed='destination(d_mysql)=40295', processed='source(net_tcp)=0', processed='source(src)=8962', processed='source(net_udp)=4244' | 46674 |
On 4/29/07, syslog-ng-request@lists.balabit.hu < syslog-ng-request@lists.balabit.hu> wrote:
Today's Topics:
1. Re: turn off case sensitivity for match regex filter (Balazs Scheidler)
2. Re: turn off case sensitivity for match regex filter (stucky)
----------------------------------------------------------------------
Message: 1
Date: Sat, 28 Apr 2007 12:42:06 +0200
From: Balazs Scheidler <bazsi@balabit.hu>
Subject: Re: [syslog-ng] turn off case sensitivity for match regex filter
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Message-ID: <1177756926.14925.17.camel@bzorp.balabit>
Content-Type: text/plain
On Sat, 2007-04-28 at 01:52 -0700, stucky wrote:
Guys
Playing around with ng 2 and I started looking at the match filter again. Simple question that I cannot find an answer to anywhere on the net. How do I turn off case sensitivity for the match target? I'd like the following line to match 'error' or 'ERROR' or 'Error'
filter logparse { match("error"); };
but of course it only matches 'error' since by default regex is case sensitive. Basically I'm trying to emulate 'grep -i'. I guess I could do this:
filter logparse { match("[Ee][Rr][Rr][Oo][Rr]"); };
but it'd be so much simpler to turn off case sensitivity.
Yes, you are right. But it's not currently possible. It should be however, I'll try to add it in the near future.
And while we're talking regex. Shouldn't the above line actually read like this :
filter logparse { match(".+error.+"); }; ?
meaning "anything followed by 'error' followed by anything" Both appear to work so I assume the first line is interpreted by syslog-ng like the second line correct ?
syslog-ng interprets "match" the same as grep, e.g. it does not care where the pattern is found. If you want to match the beginning or the end of line, you need to use explicit ^ and $ characters.
-- Bazsi
------------------------------
Message: 2
Date: Sat, 28 Apr 2007 12:44:04 -0700
From: stucky <stucky101@gmail.com>
Subject: Re: [syslog-ng] turn off case sensitivity for match regex filter
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>
Message-ID: <30997e260704281244g6f1225bfwc7da2b4e05fdfd9f@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Bazsi
Cool. I'm in the middle of building a new infrastructure and would like to use this feature. I'm not a programmer but I assume adding this feature shouldn't be very hard at all, right? If you had a rough ETA that'd help me.
thx
-- stucky
I appreciate the help Bazsi. I receive around 600 of these messages daily; do you know when these messages are generated? Is there any way to change that time to, let's say, one message/hour? TIA!
Use stats_freq(3600). BTW I think this option is documented...
Regards,
Sandor
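
Added example, not part of the original thread: a Python parser for the `Log statistics;` line quoted above, applying the reading Bazsi gives (a non-zero `dropped` counter means loss inside syslog-ng; the sources feed `center(received)`). The function names and the sources-equal-received consistency check are assumptions of this example; the sample line is copied from the thread.

```python
import re

# Sample: the message part of the statistics line quoted in the thread.
SAMPLE = (
    "syslog-ng[30548]: Log statistics; dropped='pipe(/tmp/mysql.pipe)=0', "
    "processed='center(queued)=40295', processed='center(received)=13206', "
    "processed='destination(d_mysql)=40295', processed='source(net_tcp)=0', "
    "processed='source(src)=8962', processed='source(net_udp)=4244'"
)

# kind='component(name)=value'; name may hold '/' and '.', but never a quote.
COUNTER_RE = re.compile(r"(\w+)='(\w+)\(([^']*?)\)=(\d+)'")

def parse_stats(line):
    """Return {(kind, component, name): count}, or None if not a stats line."""
    marker = "Log statistics;"
    pos = line.find(marker)
    if pos < 0:
        return None
    return {
        (kind, comp, name): int(value)
        for kind, comp, name, value in COUNTER_RE.findall(line[pos + len(marker):])
    }

def check_stats(counters):
    """Return findings: dropped messages, or sources that do not add up."""
    findings = []
    for (kind, comp, name), count in sorted(counters.items()):
        if kind == "dropped" and count > 0:
            findings.append(f"{count} messages dropped at {comp}({name})")
    sources = sum(c for (k, comp, _), c in counters.items()
                  if k == "processed" and comp == "source")
    received = counters.get(("processed", "center", "received"))
    # Assumption of this example: every source message passes through center.
    if received is not None and sources != received:
        findings.append(f"sources sum to {sources} but center received {received}")
    return findings

def fan_out(counters):
    """Messages queued to destinations per message received by center."""
    received = counters.get(("processed", "center", "received"), 0)
    queued = counters.get(("processed", "center", "queued"), 0)
    return queued / received if received else 0.0

if __name__ == "__main__":
    stats = parse_stats(SAMPLE)
    print(check_stats(stats) or "no drops, counters consistent")
    print(f"fan-out: {fan_out(stats):.2f}")
```
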