[syslog-ng] Dropping specific messages from Syslog-NG
Bell, Christopher E.
cbel0003 at shands.ufl.edu
Fri Apr 5 12:39:44 UTC 2019
Disclaimer: I'm not an expert in either Linux or syslog-ng. I'm also not a programmer :).
That being said, I've built a syslog-ng --> Splunk deployment and I'm trying to drop unwanted log messages before they make their way to Splunk... so drop them at syslog-ng. There are going to be approx. 700 devices logging to this deployment (routers, switches, firewalls, IPAM, AAA, etc.), so I need to make sure whatever I do can scale easily and my teammates can help me manage it.
I'm trying to drop messages that are similar to the below:
Apr 5 06:02:17 x.x.x.x 2019 Apr 5 06:02:17 EDT: %USER-3-SYSTEM_MSG: NTP Receive dropping message: Received NTP control mode packet. Drop count:4200 - ntpd
As well as:
Apr 5 08:03:49 x.x.x.x Apr 5 2019 12:03:48.895 UTC: %SNMP-3-RESPONSE_DELAYED: processing GetNext of entPhysicalEntry.2.1065 (5739 msecs)
Two different devices. I've tried literally dozens of methods; my latest is below, and I can't figure out why we're still logging these messages:
filter f_trash {
    # quote each regex; the two patterns never hit the same message, so join them with "or"
    match("SNMP-3-RESPONSE_DELAYED" value("MSGHDR"))
    or match("NTP Receive dropping message" value("MSG"));
};
log { source(s_sys); filter(f_trash); flags(final); };
Any help / constructive criticism would be greatly appreciated.
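A complete drop-before-forward configuration for the setup described above, added here as a worked example rather than the poster's own config. The source and destination definitions, the listening ports and the SPLUNK_HOST_PLACEHOLDER address are assumptions; only the two patterns and the filter/log-path shape come from the post. It also goes slightly beyond the question by showing the debug destination used to check how syslog-ng split each line into PROGRAM and MESSAGE before trusting a filter.

```conf
@version: 3.19
@include "scl.conf"

# Assumed network source: the ~700 devices send classic syslog to 514/udp and 514/tcp.
source s_sys {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Assumed destination: a Splunk forwarder / TCP input on the collector side (placeholder host).
destination d_splunk {
    network("SPLUNK_HOST_PLACEHOLDER" port(1514) transport("tcp"));
};

# Debug destination (assumed path): shows which field each part of a line landed in.
# Run it briefly while building a filter, then remove it; matching on the wrong
# field is the usual reason a match() "never fires".
destination d_debug {
    file("/var/log/syslog-ng-debug.log"
         template("${HOST} PROGRAM=[${PROGRAM}] MSGHDR=[${MSGHDR}] MESSAGE=[${MESSAGE}]\n"));
};

# match() takes a quoted regular expression applied to one named field.
# The two patterns come from different devices, so no single message can
# satisfy both: they must be combined with "or". "and" makes the filter
# never match, and every message keeps flowing to Splunk.
filter f_trash {
    match("SNMP-3-RESPONSE_DELAYED" value("MESSAGE"))
    or match("NTP Receive dropping message" value("MESSAGE"));
};

# Drop path: no destination, and flags(final) stops the message from being
# offered to any later log path. Order matters: this path must come before
# the forwarding path below.
log {
    source(s_sys);
    filter(f_trash);
    flags(final);
};

# Everything that survived the drop path continues to Splunk.
log {
    source(s_sys);
    destination(d_splunk);
    # destination(d_debug);   # enable temporarily to inspect field splitting
};
```

To keep this manageable for a team, the filter can live in its own file (for example included with `@include "/etc/syslog-ng/conf.d/drop-filters.conf"`) so that new noise patterns are added as extra `or match(...)` lines without touching the log paths. Validate with `syslog-ng -s` after every edit, and confirm with the debug destination that the tag you are matching (`%SNMP-3-RESPONSE_DELAYED`, `%USER-3-SYSTEM_MSG`) actually ends up in MESSAGE rather than in PROGRAM; if a device's header format makes syslog-ng treat the tag as the program name, switch that match() to value("PROGRAM") or value("MSGHDR").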