Hi, I'm trying to log only specific types of program alerts in a MySQL DB at a remote syslog-ng server. Till now I'm able to get exactly the messages that I wanted, but I'm also getting some annoying messages in the MySQL DB. I did research the problem but was unable to find any satisfactory answer. These messages are:

host  facility  priority  level    tag  date        time      program          msg                                                    seq
abc   kern      warning   warning  04   2005-06-16  08:58:35  On node 0 total  On node 0 totalpages: 65088                            3572
abc   kern      warning   warning  04   2005-06-16  08:58:35  Processors       Processors: 1                                          3573
abc   kern      warning   warning  04   2005-06-16  08:58:35  ESR value after  ESR value after enabling vector: 00000000              3574
abc   kern      info      info     06   2005-06-16  08:59:29  parport0         parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]   3575
abc   kern      info      info     06   2005-06-16  08:59:29  parport0         parport0: irq 7 detected                               3576

I'm also attaching my syslog-ng.conf file; any help would be greatly appreciated.

options { long_hostnames(off); sync(0); keep_hostname(yes); chain_hostnames(no); use_time_recvd(yes); };

source src {unix-stream("/dev/log"); pipe("/proc/kmsg"); internal();};
source stunnel {tcp(ip("127.0.0.1") port(514) keep-alive(yes));};
source netscreen {udp(ip("192.168.1.6") port(514));};

destination remoteclient {file("/var/log/HOSTS/$HOST/$DAY.$MONTH.$YEAR.loggedmessages" create_dirs(yes));};
destination dest {file("/var/log/HOSTS/$HOST/$DAY.$MONTH.$YEAR.loggedmessages" create_dirs(yes));};
destination d_mysql {
    pipe("/tmp/mysql.pipe"
         template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
         template-escape(yes));
};

filter f_syslog {not match("STATS: dropped");};
filter f_auth { facility(auth) or program(".*ftp*.") or program(".*ssh*.") or program(".*pam*."); };

log {source(src); filter(f_syslog); filter(f_auth); destination(d_mysql);};
log {source(stunnel); filter(f_syslog); filter(f_auth); destination(d_mysql);};
log {source(netscreen); destination(d_mysql);};
log {source(src); filter(f_syslog); destination(dest);};
log {source(stunnel); filter(f_syslog); destination(remoteclient);};
log {source(netscreen); destination(remoteclient);};
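As an added illustration, not code from the thread or from syslog-ng: the d_mysql destination above builds an SQL INSERT by plain text substitution, so the template-escape(yes) option is what keeps a quote character inside $MSG from ending the single-quoted string literal early. The Python below renders the posted template for a constructed auth record with and without escaping and counts the unescaped quotes. The escaping rule used (a backslash before \, ' and ") is my approximation of syslog-ng's behaviour, and every field value in the sample record is made up.

```python
import re

# The d_mysql template as posted in the syslog-ng.conf above (trailing "\n" omitted).
TEMPLATE = (
    "INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) "
    "VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', "
    "'$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );"
)
MACRO_RE = re.compile(r"\$([A-Z]+)")

# Constructed auth record (not from the thread); the message carries a single quote,
# which is exactly the character a single-quoted SQL literal cannot contain raw.
SAMPLE_RECORD = {
    "HOST": "abc", "FACILITY": "auth", "PRIORITY": "info", "LEVEL": "info", "TAG": "26",
    "YEAR": "2005", "MONTH": "06", "DAY": "16", "HOUR": "09", "MIN": "01", "SEC": "02",
    "PROGRAM": "sshd", "MSG": "Invalid user o'brien from 10.0.0.5",
}


def template_escape(value):
    """Approximation of template-escape(yes): backslash-escape \\, ' and \" (assumed rule)."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def render_insert(record, escape=True):
    """Expand every $MACRO in TEMPLATE from record, escaping the values when escape is True."""
    def expand(match):
        value = str(record.get(match.group(1), ""))
        return template_escape(value) if escape else value
    return MACRO_RE.sub(expand, TEMPLATE)


def count_unescaped_quotes(sql):
    """Count single quotes not preceded by an escaping backslash (9 literals -> 18 quotes)."""
    count, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if sql[i] == "'":
            count += 1
        i += 1
    return count


def literal_is_intact(record):
    """True when escaping kept every value inside its own quoted literal."""
    return count_unescaped_quotes(render_insert(record, escape=True)) == 18


if __name__ == "__main__":
    for escape in (True, False):
        sql = render_insert(SAMPLE_RECORD, escape)
        print(f"template-escape({'yes' if escape else 'no'}): "
              f"{count_unescaped_quotes(sql)} unescaped quotes\n  {sql}")
```

With escaping on, the rendered statement has the 18 quotes the nine literals need; with it off, the apostrophe in the message adds a nineteenth and the statement is no longer the one the template intended.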
The messages you have listed in the chart below are the annoying ones? These are kernel messages that you have asked to receive; simply stop receiving them, or filter out each one of those entries below with a regex if you want to stop getting those five specific messages. I did not want the "STATS: dropped 0" message, so I use this filter:

filter f_syslog { not facility(auth, authpriv, kern) and not match("STATS: dropped 0"); };

You can put anything in the quotes, including regular expressions; then just apply that filter to whichever log needs it.

Metal Gear wrote:
Hi, I'm trying to log only specific types of program alerts in a MySQL DB at a remote syslog-ng server. Till now I'm able to get exactly the messages that I wanted, but I'm also getting some annoying messages in the MySQL DB. I did research the problem but was unable to find any satisfactory answer. These messages are:

host  facility  priority  level    tag  date        time      program          msg                                                    seq
abc   kern      warning   warning  04   2005-06-16  08:58:35  On node 0 total  On node 0 totalpages: 65088                            3572
abc   kern      warning   warning  04   2005-06-16  08:58:35  Processors       Processors: 1                                          3573
abc   kern      warning   warning  04   2005-06-16  08:58:35  ESR value after  ESR value after enabling vector: 00000000              3574
abc   kern      info      info     06   2005-06-16  08:59:29  parport0         parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE]   3575
abc   kern      info      info     06   2005-06-16  08:59:29  parport0         parport0: irq 7 detected                               3576

I'm also attaching my syslog-ng.conf file; any help would be greatly appreciated.

options { long_hostnames(off); sync(0); keep_hostname(yes); chain_hostnames(no); use_time_recvd(yes); };

source src {unix-stream("/dev/log"); pipe("/proc/kmsg"); internal();};
source stunnel {tcp(ip("127.0.0.1") port(514) keep-alive(yes));};
source netscreen {udp(ip("192.168.1.6") port(514));};

destination remoteclient {file("/var/log/HOSTS/$HOST/$DAY.$MONTH.$YEAR.loggedmessages" create_dirs(yes));};
destination dest {file("/var/log/HOSTS/$HOST/$DAY.$MONTH.$YEAR.loggedmessages" create_dirs(yes));};
destination d_mysql {
    pipe("/tmp/mysql.pipe"
         template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
         template-escape(yes));
};

filter f_syslog {not match("STATS: dropped");};
filter f_auth { facility(auth) or program(".*ftp*.") or program(".*ssh*.") or program(".*pam*."); };

log {source(src); filter(f_syslog); filter(f_auth); destination(d_mysql);};
log {source(stunnel); filter(f_syslog); filter(f_auth); destination(d_mysql);};
log {source(netscreen); destination(d_mysql);};
log {source(src); filter(f_syslog); destination(dest);};
log {source(stunnel); filter(f_syslog); destination(remoteclient);};
log {source(netscreen); destination(remoteclient);};
------------------------------------------------------------------------
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Hi, thanks for the reply.

On 6/16/05, Ken Garland <ken.garland@rotech.com> wrote:
The messages you have listed in the chart below are the annoying ones? These are kernel messages that you have asked to receive; simply stop receiving them, or filter out each one of those entries below with a regex if you want to stop getting those five specific messages.
I only wanted to receive messages from the 'auth' facility and the three program filters, but then why am I getting messages from 'kern'? I'm still a bit confused about that. Yes, I agree that I have to apply filters to stop those messages. Thanks again
As shown in my previous example, you can remove the facilities in your filter. For you this would be:

filter f_auth { not facility(kern) and (facility(auth) or program(".*ftp*.") or program(".*ssh*.") or program(".*pam*.")); };

Play with those until you get what you want.

Metal Gear wrote:
Hi, thanks for the reply.

On 6/16/05, Ken Garland <ken.garland@rotech.com> wrote:

The messages you have listed in the chart below are the annoying ones? These are kernel messages that you have asked to receive; simply stop receiving them, or filter out each one of those entries below with a regex if you want to stop getting those five specific messages.

I only wanted to receive messages from the 'auth' facility and the three program filters, but then why am I getting messages from 'kern'? I'm still a bit confused about that. Yes, I agree that I have to apply filters to stop those messages.

Thanks again
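To make the "why am I still getting kern messages" question concrete, here is an added Python check that is not from the thread or from syslog-ng. It applies the posted f_auth filter to the facility and program fields of the five rows Metal Gear listed, plus one constructed auth/sshd record standing in for the traffic the filter was meant to admit. It assumes program() is an unanchored regular-expression search, which is how syslog-ng treats it. Read as a regex, ".*ftp*." means "ft", then zero or more "p", then any one character, so it matches the program name "ESR value after"; ".*ssh*." matches "Processors" and ".*pam*." matches "parport0" the same way. Ken's revised filter is read here as not facility(kern) and (facility(auth) or program(...)), an assumption about the intended precedence, and a third variant uses the plain substrings "ftp", "ssh" and "pam" that the glob-style spelling was presumably meant to express (also an assumption).

```python
import re

# Facility and program fields from the five rows posted in the thread, plus one
# constructed auth record standing in for the traffic f_auth was meant to admit.
SAMPLE_RECORDS = [
    {"facility": "kern", "program": "On node 0 total"},
    {"facility": "kern", "program": "Processors"},
    {"facility": "kern", "program": "ESR value after"},
    {"facility": "kern", "program": "parport0"},
    {"facility": "kern", "program": "parport0"},
    {"facility": "auth", "program": "sshd"},   # constructed, not from the thread
]

# program() patterns exactly as spelled in the posted f_auth filter.
LOOSE_PATTERNS = [".*ftp*.", ".*ssh*.", ".*pam*."]
# What the author presumably meant: the literal substrings (assumed rewrite).
TIGHT_PATTERNS = ["ftp", "ssh", "pam"]


def program_matches(program, patterns):
    """Return the first pattern that matches program (unanchored search), else None."""
    for pattern in patterns:
        if re.search(pattern, program):
            return pattern
    return None


def f_auth_as_posted(rec):
    """facility(auth) or program(...) or program(...) or program(...), as in the thread."""
    return rec["facility"] == "auth" or program_matches(rec["program"], LOOSE_PATTERNS) is not None


def f_auth_kern_excluded(rec):
    """Ken's suggestion, read as: not facility(kern) and (facility(auth) or program(...))."""
    return rec["facility"] != "kern" and f_auth_as_posted(rec)


def f_auth_tightened(rec):
    """Same shape as posted, but with substring patterns instead of the glob-like ones."""
    return rec["facility"] == "auth" or program_matches(rec["program"], TIGHT_PATTERNS) is not None


def explain(records):
    """One row per record: program, the loose pattern that admitted it, and each filter's verdict."""
    return [
        (rec["program"], program_matches(rec["program"], LOOSE_PATTERNS),
         f_auth_as_posted(rec), f_auth_kern_excluded(rec), f_auth_tightened(rec))
        for rec in records
    ]


if __name__ == "__main__":
    print(f"{'program':17} {'loose match':10} posted  -kern  tight")
    for program, pattern, posted, kern_excluded, tight in explain(SAMPLE_RECORDS):
        print(f"{program:17} {str(pattern):10} {posted!s:7} {kern_excluded!s:6} {tight}")
```

Four of the five kern rows pass f_auth as posted, each admitted by one of the loose regexes, and none of them pass the kern-excluded or substring variants while the constructed sshd record passes all three. The first row ("On node 0 total") is not admitted by f_auth at all, which is worth noticing alongside the posted log {source(netscreen); destination(d_mysql);} statement: that path has no filter, so anything arriving on the netscreen UDP source is inserted into the database unfiltered.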