Hi! I'm trying to filter some logs that have no program field, kind of "logger -t ''" logs. I've tried to use program(""); or program(NULL); as a filter, but neither of them works. How can I filter these empty-program-field logs? Thanks! Gaël.
On Thu, Aug 28, 2008 at 8:17 AM, G R <ng.syslogng@gmail.com> wrote:
[...]
I would look for some other attributes of the messages. If you can't add the program field, and nothing else about the messages is unique, you might be in trouble. As a last resort I've made particular hosts or types of devices (UNIX vs. network devices) send to different ports or IPs on the syslog box; then my source has an entirely different subset of messages. Perhaps that is an option.
I got something in the message that can help, but I'd like to use it with the empty program attribute (being as specific as possible). So there is no way to filter an empty program attribute? Thanks.
2008/8/28 concatenate <infosec@gmail.com>
[...]
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
I don't think so. When syslog-ng parses the log it has to guess what format is applied to the log line, so it will fill in the program field with the first string which is right after the priority/date/hostname triplet. So I think at least one word of your log will end up in the program field, and it isn't available for match() later... You could work around this by combining the program() and the match() into a single filter, or use an external program to do the filtering.
Regards,
Sandor
--------------------------------------------------------
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
I've looked at the program field and it's empty. It seems that syslog-ng tries to find the program attribute before ":" and my logs start with this ":". Printing the program attribute in my log shows me that this attribute is really empty. So I'd like to make a filter using a matcher for the ":" of the message and another matcher on the empty program attribute.
2008/8/29 Geller, Sandor (IT) <Sandor.Geller@morganstanley.com>
[...]
I think I've found a solution. If the program attribute is empty, then the attributes $MSG and $MSGONLY should be equal. Does the filter function match() try to match $MSG or $MSGONLY? Trying this doesn't work, but I think this can be the beginning of the solution: match($MSGONLY) or match($MSG), depending on which of $MSG or $MSGONLY the filter function applies to.
2008/8/29 G R <ng.syslogng@gmail.com>
[...]
On Fri, 2008-08-29 at 10:00 +0200, G R wrote:
[...]
Isn't this what you are looking for?
program("^$")
--
Bazsi
This is exactly what I was looking for. Thanks, Balazs!
2008/8/29 Balazs Scheidler <bazsi@balabit.hu>
[...]
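The filter Bazsi gives, combined into a single filter with the ":" match G R wanted (as Sandor suggested), written out as a complete syslog-ng configuration. This is an added example, not a configuration from the thread; the source and destination names, the log file path and the use of syslog-ng 3.x `value()` syntax for match() are assumptions.

```conf
# Added example (not from the thread). Names s_local and d_noprog and the
# file path are assumptions; the value() option in match() assumes syslog-ng 3.x.
source s_local { unix-stream("/dev/log"); };

# program() takes a regular expression, so "^$" matches only an empty program
# field (the "logger -t ''" case). program("") and program(NULL) do not work here.
# The match() part narrows the selection to messages that start with ":",
# which is how these messages look according to the thread.
filter f_noprog { program("^$") and match("^:" value("MESSAGE")); };

destination d_noprog { file("/var/log/noprog.log"); };

log { source(s_local); filter(f_noprog); destination(d_noprog); };
```

Drop the `match()` clause if every empty-program message should be routed, regardless of how the message text begins.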
participants (4)
- Balazs Scheidler
- concatenate
- G R
- Geller, Sandor (IT)