Hello,

This is on a Debian system with syslog-ng 1.6.5-2.2.

Is there any way to filter on the log timestamp? For example, suppose I have a (machine|program) that reboots once a day at 0400, and I don't want to log those events. I'd like to be able to set up a filter something like this ...

filter match_dailyreboot {
    not (match("04:0[0-1]:[0-9][0-9]") and program("foo")
         and (match("Starting a brand new workday") or match("*many annoying daily restart message*")));
};

But as I understand the rules, match() only matches on the message. Is there any way in the 1.6.* series to filter on time and other bits?

-dean takemori
On Fri, 2006-02-24 at 20:06 -1000, Dean Takemori wrote:
Hello,
This is on a Debian system with syslog-ng 1.6.5-2.2.
Is there any way to filter on the log timestamp? For example, suppose I have a (machine|program) that reboots once a day at 0400, and I don't want to log those events. I'd like to be able to set up a filter something like this ...
filter match_dailyreboot { not (match("04:0[0-1]:[0-9][0-9]") and program("foo") and (match("Starting a brand new workday") or match("*many annoying daily restart message*") ) );
};
This is not possible currently, but are you sure you want to completely drop these messages? Wouldn't you prefer to store those and run an analyzing script like logcheck later which skips those?

-- Bazsi
On Fri, 24 Feb 2006 20:06:38 -1000, Dean Takemori said:
Is there any way to filter on the log timestamp? For example, suppose I have a (machine|program) that reboots once a day at 0400, and I don't want to log those events. I'd like to be able to set up a filter something like this ...
As a practical matter, you're probably better off logging it *anyhow*, and then using a tool such as 'logwatch' or similar to filter. In general, you want to *retain* a lot of info in the actual syslog files, in case you need to go digging, but present only exceptions in routine summaries. In other words - if you *did* put in filtering like this, and then had to use your logs to show whether there *was* a reboot at 4AM as scheduled, or if it failed to happen for some reason, how would you go about it?
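The approach both replies recommend, keeping the full syslog and applying the question's time/program/message rule only when producing a summary, as an added example (not code from the thread or from syslog-ng). It parses BSD-style syslog lines, drops the 04:00 restart noise from the report, and also answers Valdis's question by listing days on which the expected restart never showed up. The log lines, host name and PIDs are constructed for the example.

```python
import re

# Constructed sample syslog lines (BSD timestamp format, no year); not from the thread.
SAMPLE_LOG = """\
Feb 24 03:59:58 host1 foo[812]: request served in 12ms
Feb 24 04:00:02 host1 foo[812]: Starting a brand new workday
Feb 24 04:00:03 host1 foo[812]: many annoying daily restart message
Feb 24 04:00:09 host1 kernel: eth0: link up
Feb 24 04:01:30 host1 foo[901]: request served in 9ms
Feb 25 04:00:01 host1 foo[915]: Starting a brand new workday
Feb 26 09:15:44 host1 foo[915]: Starting a brand new workday
"""

# "Mon DD HH:MM:SS host program[pid]: message" (pid is optional).
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# The question's filter, restated as post-processing rules: 04:00-04:01, program foo,
# and one of the two restart messages.
TIME_RE = re.compile(r"^04:0[01]:")
MSG_RE = re.compile(r"Starting a brand new workday|many annoying daily restart message")


def parse(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def is_daily_restart(rec):
    return (rec["prog"] == "foo"
            and TIME_RE.match(rec["time"]) is not None
            and MSG_RE.search(rec["msg"]) is not None)


def summarize(text):
    """Return (lines worth reporting, set of (mon, day) on which the 04:00 restart was seen)."""
    keep, seen = [], set()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:          # never silently drop lines the parser does not understand
            keep.append(line)
        elif is_daily_restart(rec):
            seen.add((rec["mon"], rec["day"]))   # suppressed from the summary, but recorded
        else:
            keep.append(line)
    return keep, seen


def missing_restarts(days, seen):
    """Days in the expected schedule with no matching restart message in the log."""
    return [d for d in days if d not in seen]
```

Because the raw log is untouched, the same data later answers "did the reboot happen on Feb 26?" without the filtering decision being baked into what was stored.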
participants (3):
- Balazs Scheidler
- Dean Takemori
- Valdis.Kletnieks@vt.edu