Mailing List Archive

Drop messages
Hi All,

I am trying to drop syslog messages that contain certain words.

The message coming in looks like so:

Feb 12 00:59:18 bd-c67b-85b3-1fa2-d50e69 mtlvdi52 VSANMGMTSVC: 641e7'},
{'uuid': '521c8928-2bbe-4258-eb7e-bb0c864ff357', 'isAllFlash': 0, 'owner':
'5dcd75a4-f34c-4392-1b2f-e4434b870550', 'disk_health': {'healthReason': 0,
'healthFlags': 0, 'timestamp': 87985781610}, 'capacityReserved':
1400897536, 'capacityUsed': 400165961728, 'isSsd': 0, 'capacity':
1000194703360, 'ssdUuid': '5251ae5d-48e5-b92b-741b-19743c38c492'}, {'uuid':
'528da7de-32d3-f6a9-316e-5727f63a2eb1', 'isAllFlash': 0, 'owner':
'5dcd75a4-f34c-4392-1b2f-e4434b870550', 'disk_health': {'healthReason': 0,
'healthFlags': 0, 'timestamp': 85923806398}, 'capacityReserved':
1417674752, 'capacityUsed': 383028035584, 'isSsd': 0, 'capacity':
1000194703360, 'ssdUuid': '5251ae5d-48e5-b92b-741b-19743c38c492'}, {'uuid':
'52e3c33e-8a38-6ece-64db-3fd27f1eabab', 'isAllFlash': 0, 'owner':
'5dcd75a4-f34c-4392-1b2f-e4434b870550', 'disk_health': {'healthReason': 0,
'healthFlags': 0, 'timestam

And my rule looks like

template(name="drop" type="string" string="/dev/null")
if $msg contains ['VSAN', 'VSANMGMTSVC'] then {
    action(type="omfile" DynaFile="drop")
    stop
}

But they are not being dropped. Am I doing something wrong?

Thanks



--
Adam Barnett
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Drop messages
You do not need to process the message - just use this:

if $msg contains ['VSAN', 'VSANMGMTSVC'] then {
    stop
}

If that doesn't work, $msg does not contain what you think. Try
$rawmsg (everything as received from the wire) in this case.

Rainer

On Wed, 12 Feb 2020 at 12:41, Adam Barnett via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Hi All,
>
> I am trying to drop syslog messages that contain certain words.
>
> The message coming in looks like so:
>
> Feb 12 00:59:18 bd-c67b-85b3-1fa2-d50e69 mtlvdi52 VSANMGMTSVC: 641e7'},
> {'uuid': '521c8928-2bbe-4258-eb7e-bb0c864ff357', 'isAllFlash': 0, 'owner':
> '5dcd75a4-f34c-4392-1b2f-e4434b870550', 'disk_health': {'healthReason': 0,
> 'healthFlags': 0, 'timestamp': 87985781610}, 'capacityReserved':
> 1400897536, 'capacityUsed': 400165961728, 'isSsd': 0, 'capacity':
> 1000194703360, 'ssdUuid': '5251ae5d-48e5-b92b-741b-19743c38c492'}, {'uuid':
> '528da7de-32d3-f6a9-316e-5727f63a2eb1', 'isAllFlash': 0, 'owner':
> '5dcd75a4-f34c-4392-1b2f-e4434b870550', 'disk_health': {'healthReason': 0,
> 'healthFlags': 0, 'timestamp': 85923806398}, 'capacityReserved':
> 1417674752, 'capacityUsed': 383028035584, 'isSsd': 0, 'capacity':
> 1000194703360, 'ssdUuid': '5251ae5d-48e5-b92b-741b-19743c38c492'}, {'uuid':
> '52e3c33e-8a38-6ece-64db-3fd27f1eabab', 'isAllFlash': 0, 'owner':
> '5dcd75a4-f34c-4392-1b2f-e4434b870550', 'disk_health': {'healthReason': 0,
> 'healthFlags': 0, 'timestam
>
> And my rule looks like
>
> template(name="drop" type="string" string="/dev/null")
> if $msg contains ['VSAN', 'VSANMGMTSVC'] then {
>     action(type="omfile" DynaFile="drop")
>     stop
> }
>
> But they are not being dropped. Am I doing something wrong?
>
> Thanks
>
>
>
> --
> Adam Barnett
Re: Drop messages
Thanks, worked like a charm with $rawmsg

On Wed, Feb 12, 2020 at 12:16 PM Rainer Gerhards <rgerhards@hq.adiscon.com>
wrote:

> You do not need to process the message - just use this:
>
> if $msg contains ['VSAN', 'VSANMGMTSVC'] then {
>     stop
> }
>
> If that doesn't work, $msg does not contain what you think. Try
> $rawmsg (everything as received from the wire) in this case.
>
> Rainer


--
Adam Barnett
Re: Drop messages
When you have an issue like this, log the message to a file with the template
RSYSLOG_DebugFormat so you can see exactly what is in each variable. That would
show you why you aren't matching $msg.

David Lang
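
The two pieces of advice in this thread combined, as an added example that is not part of the original posts: a temporary debug action using the built-in RSYSLOG_DebugFormat template, followed by the $rawmsg filter that worked for the poster. The output path /var/log/rsyslog-debug.log is an assumption.

```rsyslog
# Added example, not from the thread. The file path is an assumed name.

# 1. Temporary diagnostic: dump the suspect messages with every parsed
#    property (hostname, syslogtag, msg, rawmsg and others) so you can
#    see which property actually holds the text you want to match.
#    Remove this block once the filter below is confirmed.
if $rawmsg contains 'VSANMGMTSVC' then {
    action(type="omfile"
           file="/var/log/rsyslog-debug.log"
           template="RSYSLOG_DebugFormat")
}

# 2. The filter from the thread, matching on $rawmsg instead of $msg.
#    'contains' is a case-sensitive substring test, so 'VSAN' alone
#    already covers 'VSANMGMTSVC', and it matches anywhere in the
#    received line, including the hostname and the payload.
#    Place this before the actions that should not see these messages.
if $rawmsg contains ['VSAN', 'VSANMGMTSVC'] then {
    stop
}
```

Because the match is a bare substring over the whole received line, check the debug file for unrelated messages that also contain "VSAN" before relying on the drop rule.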
Re: Drop messages
Oh, thanks for the tip.

On Wed, Feb 12, 2020 at 5:36 PM David Lang <david@lang.hm> wrote:

> When you have an issue like this, log the message to a file with the template
> RSYSLOG_DebugFormat so you can see exactly what is in each variable. That would
> show you why you aren't matching $msg.
>
> David Lang
>


--
Adam Barnett