[syslog-ng] using correlation to filter out some messages ?

Sandor Geller Sandor.Geller at morganstanley.com
Wed Jan 26 13:02:53 CET 2011


Hi,

How is the d_drop destination configured? As far as I know you can't
use flags(final) in embedded log statements so the tagged messages
would still reach d_ldap. You can simply change the filter to match on
messages not having the 'dropthis' tag and use it in the embedded log
section.

Regards,

Sandor

On Wed, Jan 26, 2011 at 11:21 AM, Guillaume Rousse
<guillomovitch at gmail.com> wrote:
> On 24/01/2011 17:35, Balazs Scheidler wrote:
>> you should enclose the macro reference in quotes like this:
>>
>> condition="'${MESSAGE}@1' == ''"
>>            ^            ^
>>
>> In a filter expression, all strings are assumed to be templates, and
>> then you can use operators like you did. But macro references also need
>> to be enclosed in quotes (either apostrophes or double quotes will
>> work), this time it was easier to use apostrophes because the XML
>> attribute used quotes.
> OK, this time syslog-ng doesn't choke, but the re-emitted message is
> leaking to stdout (actually, to the console used to launch it, I just
> presume it's syslog-ng stdout), which is quite painful:
>
> [root at avron1 ~]# service syslog-ng start
> Lancement de syslog-ng :                                        [  OK  ]
> [root at avron1 ~]# 2011 Jan 26 11:16:21 avron1 conn=1569812 fd=39 closed
> (connection lost)
> 2011 Jan 26 11:16:21 avron1 conn=1569813 fd=60 closed (connection lost)
> 2011 Jan 26 11:16:23 avron1 conn=1569814 fd=39 closed (connection lost)
> 2011 Jan 26 11:16:23 avron1 conn=1569815 fd=60 closed (connection lost)
>
> Moreover, it also suggests the condition used doesn't work, as those
> messages shouldn't have been re-emitted at all.
>
> I'm attaching patterndb and syslog-ng configuration related fragments.
> --
> BOFH excuse #211:
>
> Lightning strikes.
>
>
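
The filter change suggested in the reply above, written out as a syslog-ng configuration fragment. This is an added example, not part of the original thread or of the poster's attached configuration: only d_ldap and the 'dropthis' tag come from the messages above, while s_local, p_db, f_not_dropped and the patterndb file path are assumed names, and the fragment assumes the patterndb rule assigns the tag 'dropthis' to the messages that should be discarded.

```conf
# Assumed names: s_local, p_db, f_not_dropped and the patterndb path.
# d_ldap is the destination already defined in the poster's configuration.

# Parser that classifies messages and applies the tags set by patterndb rules.
parser p_db {
    db-parser(file("/var/lib/syslog-ng/patterndb.xml"));
};

# Negated tag filter: matches only messages NOT tagged 'dropthis'.
filter f_not_dropped {
    not tags("dropthis");
};

log {
    source(s_local);
    parser(p_db);

    # Embedded log statement: no separate drop destination is needed.
    # Tagged messages simply fail the filter and never reach d_ldap.
    log {
        filter(f_not_dropped);
        destination(d_ldap);
    };
};
```

With this layout a message tagged 'dropthis' stops at the filter inside the embedded log statement, while any other log paths in the configuration that reference s_local still see it.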

