[syslog-ng] Dropping specific messages from Syslog-NG

Bell, Christopher E. cbel0003 at shands.ufl.edu
Fri Apr 5 15:18:29 UTC 2019


Thanks for the help on this, your suggestions fixed both my issues.  The final, working, config for dropping specific messages looks like this:

filter f_trash {
    match('%SNMP-3-RESPONSE_DELAYED:' value(MSG)) or
    match('NTP Receive dropping message:' value(MSG));
};

# Drop off the trash
#
log { source(s_sys); filter(f_trash); flags(final); };

Chris Bell
Network Engineer
352-273-9186 (w) 
ext 39186
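
The same drop filter placed in a complete, minimal syslog-ng configuration, added here as an illustration and not taken from the thread; the source definition, destination, log file path and version line are assumptions. What it shows beyond the snippet above is the ordering constraint: flags(final) only stops a message from reaching log statements defined after the drop path, so the drop path has to come first.

```conf
@version: 3.19
# Assumed version line; set it to the syslog-ng release actually installed.

# Constructed source: network devices send syslog over UDP/514 to this host.
source s_sys {
    network(transport("udp") port(514));
};

# Noise we never want to store. match() takes a regular expression, so the
# pattern is quoted and tested against the MSG macro (the message body),
# where the thread's diagnosis places the Cisco tag, rather than MSGHDR.
# 'or' drops a message if either pattern matches; 'and' would require both
# strings in the same message and therefore drop nothing.
filter f_trash {
    match('%SNMP-3-RESPONSE_DELAYED:' value("MSG"))
    or match('NTP Receive dropping message:' value("MSG"));
};

# Assumed destination for everything that is kept.
destination d_cisco {
    file("/var/log/cisco.log");
};

# The drop path must be defined FIRST. A log path with a filter and
# flags(final) but no destination discards the matching messages, and
# flags(final) prevents them from being evaluated by any log statement
# that appears later in this file. Placing this path after the d_cisco
# path below would let the noise reach the file before it is dropped.
log {
    source(s_sys);
    filter(f_trash);
    flags(final);
};

# Everything that survived the drop path is written out.
log {
    source(s_sys);
    destination(d_cisco);
};
```

Run `syslog-ng --syntax-only -f <this file>` to check the configuration parses before reloading the daemon.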


-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Bell, Christopher E.
Sent: Friday, April 5, 2019 9:47 AM
To: 'wernli at in2p3.fr' <wernli at in2p3.fr>; Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Dropping specific messages from Syslog-NG

Thanks for the advice!  I will fix the incorrect Boolean usage and add some quotes to my match statement.  

Chris Bell
Network Engineer
352-273-9186 (w) 
ext 39186

-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of Fabien Wernli
Sent: Friday, April 5, 2019 8:59 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Dropping specific messages from Syslog-NG


Hi,

It seems your setup incorrectly parses the "syslog" messages.
The latest syslog-ng versions have improved Cisco parsing code, so I suggest you try those first.

In any case, I can see two problems with your filter:

> filter f_trash { match(SNMP-3-RESPONSE_DELAYED value(MSGHDR)); and
>
> match(NTP Receive dropping message value(MSG))};

1. it matches only messages with both "SNMP" and "NTP" strings, which is not what you seem to want.

2. "SNMP" seems to be in the MSG macro instead, although I can't be sure

3. use quotes in the match() argument

Cheers

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

