I want syslog-ng to discard a message that matches a particular string. There doesn't seem to be an easy way to do that, so I came up with this scheme instead:

[...]
filter unwanted { program("noisy-daemon") and match("unwanted alarm"); };
[...]
destination discard { file("/dev/null" perm(0666) dir_perm(0755) create_dirs(no)); };
[...]
log { source(remote); filter(unwanted); destination(discard); flags(final); };

In spite of the "flags(final)" in the log path, the unwanted message still shows up in my other log paths. Have I misunderstood how to use "final"? Is there some other way to discard a message?

My environment is NetBSD 1.5 and NetBSD 2.0.

Thanks,

-- Ed
On Wed, Nov 10, 2004 at 12:14:44PM -0500, Ed Ravin wrote:
In spite of the "flags(final)" in the log path, the unwanted message still shows up in my other log paths. Have I misunderstood how to use "final"? Is there some other way to discard a message?
I don't know that I've ever had much luck with final either, I just don't log what I don't want:

###############################################################
filter f_mail { facility(mail); };
filter f_not_brightmail { not program("bmifilter.*"); };

log { source(src); filter(f_mail); filter(f_not_brightmail); destination(syslog); };
log { source(src); filter(f_not_mail); filter(f_not_brightmail); destination(messages); };
###############################################################

As it stands I have to put "filter(f_not_brightmail);" in all my log statements, but that's not a problem for me (I build the config once and just push it out everywhere, so once a config works I never have to look at it again).

-- Nate

"Where a calculator on the ENIAC is equipped with 18 000 vacuum tubes and weighs 30 tons, computers of the future may have only 1 000 vacuum tubes and perhaps weigh 1½ tons." - Popular Mechanics, March 1949.
On Wed, Nov 10, 2004 at 11:43:49AM -0800, Nate Campi wrote:
On Wed, Nov 10, 2004 at 12:14:44PM -0500, Ed Ravin wrote:
In spite of the "flags(final)" in the log path, the unwanted message still shows up in my other log paths. Have I misunderstood how to use "final"? Is there some other way to discard a message?
I don't know that I've ever had much luck with final either, I just don't log what I don't want:
Harumph, I thought I had flags(final) working once I fixed my problem with the filter, but when I went to my production box, I began losing log messages all over the place. Baszi, are you sure that flags(final) works? I'd rather not do the kludgy filtering in Nate's example below.
###############################################################
filter f_mail { facility(mail); };
filter f_not_brightmail { not program("bmifilter.*"); };

log { source(src); filter(f_mail); filter(f_not_brightmail); destination(syslog); };
log { source(src); filter(f_not_mail); filter(f_not_brightmail); destination(messages); };
###############################################################
As it stands I have to put "filter(f_not_brightmail);" in all my log statements, but that's not a problem for me (I build the config once and just push it out everywhere, so once a config works I never have to look at it again).

-- Nate
"Where a calculator on the ENIAC is equipped with 18 000 vacuum tubes and weighs 30 tons, computers of the future may have only 1 000 vacuum tubes and perhaps weigh 1½ tons." - Popular Mechanics, March 1949.
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
-- Ed Ravin | eravin@panix.com | "The law, in its majestic equality, forbids the rich as well as the poor to sleep under bridges, to beg in the streets, and to steal bread." --Anatole France, Le Lys Rouge [1894]
On Sat, 2004-11-13 at 02:59, Ed Ravin wrote:
On Wed, Nov 10, 2004 at 11:43:49AM -0800, Nate Campi wrote:
On Wed, Nov 10, 2004 at 12:14:44PM -0500, Ed Ravin wrote:
In spite of the "flags(final)" in the log path, the unwanted message still shows up in my other log paths. Have I misunderstood how to use "final"? Is there some other way to discard a message?
I don't know that I've ever had much luck with final either, I just don't log what I don't want:
Harumph, I thought I had flags(final) working once I fixed my problem with the filter, but when I went to my production box, I began losing log messages all over the place. Baszi, are you sure that flags(final) works? I'd rather not do the kludgy filtering in Nate's example below.
I tried it right before I sent my previous e-mail just to be sure it works. The code snippet is very simple in fact, just look at the do_distribute_log() function in center.c; once a message is matched and the FINAL flag is set it breaks out of the distribute loop. But only iff all filters matched and the message was sent to the appropriate destinations. The only way to malfunction is if the parser incorrectly parses the flags option... checked that too, it seems to be ok; and my testing did not reveal any problems. Is the order of your log statements correct?

-- Bazsi
On Wed, 2004-11-10 at 18:14, Ed Ravin wrote:
I want syslog-ng to discard a message that matches a particular string. There doesn't seem to be an easy way to do that, so I came up with this scheme instead:
[...] filter unwanted { program("noisy-daemon") and match("unwanted alarm"); };
[...] destination discard { file("/dev/null" perm(0666) dir_perm(0755) create_dirs(no)); };
[...] log { source(remote); filter(unwanted); destination(discard); flags(final); };
In spite of the "flags(final)" in the log path, the unwanted message still shows up in my other log paths. Have I misunderstood how to use "final"? Is there some other way to discard a message?
My environment is NetBSD 1.5 and NetBSD 2.0.
No, it should work exactly as you described it, however log statements are processed in order, thus if you only want to send it to one destination then your final statement must come first. I've just tested it myself on my box, and it works as intended.

-- Bazsi
On Thu, Nov 11, 2004 at 09:42:50AM +0100, Balazs Scheidler wrote:
On Wed, 2004-11-10 at 18:14, Ed Ravin wrote:
I want syslog-ng to discard a message that matches a particular string. There doesn't seem to be an easy way to do that, so I came up with this scheme instead:
[...] filter unwanted { program("noisy-daemon") and match("unwanted alarm"); };
[...] destination discard { file("/dev/null" perm(0666) dir_perm(0755) create_dirs(no)); };
[...] log { source(remote); filter(unwanted); destination(discard); flags(final); };
In spite of the "flags(final)" in the log path, the unwanted message still shows up in my other log paths. Have I misunderstood how to use "final"? Is there some other way to discard a message?
My environment is NetBSD 1.5 and NetBSD 2.0.
No, it should work exactly as you described it, however log statements are processed in order, thus if you only want to send it to one destination then your final statement must come first.
That's pretty much what I did - I have several log {} statements, and the first one was as shown above with destination /dev/null and "flags(final)". I'll double-check everything and try again.

-- Ed
On Wed, 2004-11-10 at 18:14, Ed Ravin wrote:
I want syslog-ng to discard a message that matches a particular string. There doesn't seem to be an easy way to do that, so I came up with this scheme instead:
[...] filter unwanted { program("noisy-daemon") and match("unwanted alarm"); };
[...] destination discard { file("/dev/null" perm(0666) dir_perm(0755) create_dirs(no)); };
[...] log { source(remote); filter(unwanted); destination(discard); flags(final); };
And it does indeed work, as documented. My problem, which might have been solved sooner had I included the actual config file I was working on rather than paraphrasing it above, was that I was trying to match on a program name with a "/" character in it:

filter unwanted { program("postfix-mailhost/trivial-rewrite") and match("unwanted message in text"); };

But syslog-ng didn't match anything with this filter. When I trimmed it down to:

filter unwanted { program("postfix-mailhost") and match("unwanted message in text"); };

Then it began matching my unwanted messages. If I tried this in the filter:

program("postfix-mailhost/")

Then it stopped matching. So it looks like syslog-ng, when it parses the program name, stops parsing when it sees the "/" ? Is this a bug or a feature :-) ?

-- Ed
On Sat, 2004-11-13 at 02:11, Ed Ravin wrote:
On Wed, 2004-11-10 at 18:14, Ed Ravin wrote:
filter unwanted { program("postfix-mailhost/trivial-rewrite") and match("unwanted message in text"); };
But syslog-ng didn't match anything with this filter. When I trimmed it down to:
filter unwanted { program("postfix-mailhost") and match("unwanted message in text"); };
Then it began matching my unwanted messages. If I tried this in the filter:
program("postfix-mailhost/")
Then it stopped matching. So it looks like syslog-ng, when it parses the program name, stops parsing when it sees the "/" ? Is this a bug or a feature :-) ?
I've tried to reproduce it, but it seems to work for me. My config file was:

source src { udp(port(2000)); internal(); };
filter f_exp { program("abc/def"); };
destination d_spoof { file("logfile" template("--$MSG--\n")); };
log { source(src); filter(f_exp); destination(d_spoof); };

I sent the following lines:

$ nc -u localhost 2000
<5>Nov 15 09:55:19 bzorp abc/def[2345]: hehehehe
<5>Nov 15 09:55:19 bzorp abc/def[2345]: hehehehe
<5>Nov 15 09:55:19 bzorp abc/def[2345]: hehehehe
<5>Nov 15 09:55:19 bzorp abc/def[2345]: hehehehe
<5>Nov 15 09:55:19 bzorp abc/def[2345]: hehehehe

And I got:

$ cat logfile
--abc/def[2345]: hehehehe--
--abc/def[2345]: hehehehe--
--abc/def[2345]: hehehehe--
--abc/def[2345]: hehehehe--
--abc/def[2345]: hehehehe--

Can you tell me what $PROGRAM expands to in this scenario? (by including it in your destination template for example)

-- Bazsi
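A small Python model of the two behaviours this thread turns on, added here as an illustration and not syslog-ng's own code: ordered log-path distribution where flags(final) stops processing only when every filter of the path matched (Bazsi's description of do_distribute_log), and BSD-syslog parsing that keeps the "/" in PROGRAM, as in Bazsi's nc test. The sample lines, path definitions and the regex are constructed; Ed's NetBSD result, where "postfix-mailhost/" stopped matching, is not reproduced by this model.

```python
import re

# Constructed model of syslog-ng's ordered log-path walk (as Bazsi describes
# do_distribute_log in center.c): a path's flags(final) stops the walk only
# when all of its filters matched. Not syslog-ng's own code.

BSD_LINE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def parse_bsd_syslog(line):
    """Split a BSD-syslog line into the macros syslog-ng names ($PROGRAM,
    $PID, $MSG ...). PROGRAM keeps a '/' (e.g. 'abc/def'), like Bazsi's test."""
    m = BSD_LINE.match(line)
    if not m:
        raise ValueError("unparsable syslog line: %r" % line)
    d = m.groupdict()
    d["facility"], d["priority"] = divmod(int(d.pop("pri")), 8)
    return d

def program(pattern):   # like filter program("..."): regex against PROGRAM
    return lambda msg: re.search(pattern, msg["program"]) is not None

def match(pattern):     # like filter match("..."): regex against MSG
    return lambda msg: re.search(pattern, msg["msg"]) is not None

def distribute(msg, log_paths):
    """Walk log paths in config order; return the destinations that got msg."""
    delivered = []
    for path in log_paths:
        if all(f(msg) for f in path["filters"]):
            delivered.extend(path["destinations"])
            if path.get("final"):
                break   # FINAL: later paths never see this message
    return delivered

# Constructed messages in the shape of Bazsi's nc test (facility 2 = mail).
NOISE = "<22>Nov 15 09:55:19 bzorp postfix-mailhost/trivial-rewrite[2345]: unwanted message in text"
OK = "<22>Nov 15 09:55:20 bzorp postfix-mailhost/smtpd[2346]: connect from localhost"

PATHS = [   # Ed's layout: the discarding path with flags(final) comes first
    {"filters": [program("postfix-mailhost/trivial-rewrite"), match("unwanted message in text")],
     "destinations": ["discard"], "final": True},
    {"filters": [], "destinations": ["messages"]},   # catch-all path
]

def route(line, paths=PATHS):
    return distribute(parse_bsd_syslog(line), paths)

if __name__ == "__main__":
    print(parse_bsd_syslog(NOISE)["program"])   # postfix-mailhost/trivial-rewrite
    print(route(NOISE), route(OK))              # ['discard'] ['messages']
    print(route(NOISE, PATHS[::-1]))            # ['messages', 'discard']: order matters
```

Reversing PATHS shows the point Bazsi makes about ordering: the catch-all path has already delivered the message before the final path is reached.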