[syslog-ng] program filters

Ken Garland ken.garland at rotech.com
Thu Jun 16 15:05:54 CEST 2005


The messages you have listed in the chart below are the annoying ones?
These are kernel messages that you have asked to receive; simply stop
receiving them or filter out each one of those entries below with a
regex if you want to stop getting those five specific messages.

I did not want the "STATS: dropped 0" message so I use this filter:

filter f_syslog { not facility(auth, authpriv, kern) and
                  not match("STATS: dropped 0"); };

You can put anything in the quotes including regular expressions, then
just apply that filter to whichever log needs it.

Metal Gear wrote:

> Hi,
> I'm trying to log only a specific type of program alert in a MySQL db
> at a remote syslog-ng server. Till now I'm able to get exactly the
> messages that I wanted, but I'm also getting some annoying messages in
> the MySQL db. I did research the problem but was unable to find any
> satisfactory answer. These messages are
>
> host | facility | priority | level   | tag | date       | time     | program         | msg                                                  | seq
> abc  | kern     | warning  | warning | 04  | 2005-06-16 | 08:58:35 | On node 0 total | On node 0 totalpages: 65088                          | 3572
> abc  | kern     | warning  | warning | 04  | 2005-06-16 | 08:58:35 | Processors      | Processors: 1                                        | 3573
> abc  | kern     | warning  | warning | 04  | 2005-06-16 | 08:58:35 | ESR value after | ESR value after enabling vector: 00000000            | 3574
> abc  | kern     | info     | info    | 06  | 2005-06-16 | 08:59:29 | parport0        | parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE] | 3575
> abc  | kern     | info     | info    | 06  | 2005-06-16 | 08:59:29 | parport0        | parport0: irq 7 detected                             | 3576
>
>
> I'm also attaching my syslog-ng.conf file; any help would be greatly
> appreciated.
>
> options {
>     long_hostnames(off);
>     sync(0);
>     keep_hostname(yes);
>     chain_hostnames(no);
>     use_time_recvd(yes);
> };
>
> source src {
>     unix-stream("/dev/log");
>     pipe("/proc/kmsg");
>     internal();
> };
>
> source stunnel { tcp(ip("127.0.0.1") port(514) keep-alive(yes)); };
> source netscreen { udp(ip("192.168.1.6") port(514)); };
>
> destination remoteclient {
>     file("/var/log/HOSTS/$HOST/$DAY.$MONTH.$YEAR.loggedmessages" create_dirs(yes));
> };
> destination dest {
>     file("/var/log/HOSTS/$HOST/$DAY.$MONTH.$YEAR.loggedmessages" create_dirs(yes));
> };
> destination d_mysql {
>     pipe("/tmp/mysql.pipe"
>         template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
>         template-escape(yes));
> };
>
> filter f_syslog { not match("STATS: dropped"); };
> filter f_auth { facility(auth) or program(".*ftp*.") or
>                 program(".*ssh*.") or program(".*pam*."); };
>
> log { source(src);       filter(f_syslog); filter(f_auth); destination(d_mysql); };
> log { source(stunnel);   filter(f_syslog); filter(f_auth); destination(d_mysql); };
> log { source(netscreen); destination(d_mysql); };
>
> log { source(src);       filter(f_syslog); destination(dest); };
> log { source(stunnel);   filter(f_syslog); destination(remoteclient); };
> log { source(netscreen); destination(remoteclient); };
>

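The two approaches Ken mentions (dropping the kern facility outright, or matching the five specific messages with a regex) written out against the quoted syslog-ng.conf, as an added example that is not from either poster. The filter names f_kern_noise and f_no_kern are assumed, as is extended regex syntax in match(); the source, filter and destination names come from the quoted config.

```conf
# Added example, not from the original thread. f_kern_noise and f_no_kern
# are assumed names; src, stunnel, f_syslog, f_auth and d_mysql are the
# names used in the quoted syslog-ng.conf.

# Option 1 (targeted): drop only the five kernel boot messages from the
# table, matching their text with one extended regex. Other kernel
# messages, e.g. firewall logging, still reach the database.
filter f_kern_noise {
    not match("On node [0-9]+ totalpages: [0-9]+|Processors: [0-9]+|ESR value after enabling vector|parport0: (PC-style at|irq [0-9]+ detected)");
};

# Option 2 (broad): exclude the whole kern facility from this path, like
# Ken's f_syslog does. Simpler, but it also silences every other kernel
# message on this path, so prefer option 1 when kernel events are audited.
filter f_no_kern { not facility(kern); };

# Apply the targeted filter on the MySQL path. Several filter() references
# in one log statement are all required to match, so a message must pass
# f_syslog AND f_auth AND f_kern_noise before it is written to d_mysql.
log { source(src);     filter(f_syslog); filter(f_auth); filter(f_kern_noise); destination(d_mysql); };
log { source(stunnel); filter(f_syslog); filter(f_auth); filter(f_kern_noise); destination(d_mysql); };
```

After reloading, the five rows with tags 04/06 in the table above should stop appearing while auth, ftp, ssh and pam entries continue to arrive.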