[syslog-ng] [filter] unable to squelch annoying spam

Robin Blanchard rblanchard at nephilaadvisors.com
Sat Mar 28 01:18:38 CET 2015


Hi List,

I've got some Solaris machines emitting some particularly annoying spam that I cannot seem to squelch. I've tried filtering on just about every MACRO that I can think might catch it, all to no avail.

Here's the snippet from running syslog-ng in debug/foreground:

# syslog-ng -Fdve 2>&1 |grep alloc_extra_sgl_frame
Incoming log entry; line='<4>Mar 27 19:00:55    alloc_extra_sgl_frame failed'


And here's the relevant filter bit (the other strings are doing their job).

filter solaris_alloc {
   not (
       match('alloc_extra_sgl_frame' value("MESSAGE")) or
       match('alloc_extra_sgl_frame' value("MSGHDR")) or
       match('alloc_extra_sgl_frame' value("FACILITY")) or
       match('alloc_extra_sgl_frame' value("PRIORITY")) or
       match('alloc_extra_sgl_frame' value("MSGID")) or
       match('ext-arq alloc fail.' value("MESSAGE")) or
       match('ext-arq alloc fail.' value("MSGHDR")) or
       match('/pci@0,0/pci8086,3c06@2,2/pci1000,3080@0' value("MESSAGE")) or
       match('/pci@0,0/pci8086,3c06@2,2/pci1000,3080@0' value("MSGHDR"))
   );
};



# syslog-ng --version
syslog-ng 3.5.6
Installer-Version: 3.5.6
Revision:
Compile-Date: Aug 13 2014 13:54:36
Available-Modules: affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on


What else should I try?


--
Robin P. Blanchard
Nephila Advisors
Infrastructure Administrator
+1 615.823.8516 ext 4516

