Is there a way to filter logs at the source (content)

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Is there a way to filter logs at the source (content)

Post by dlukinski »

Hello Nagios Support

Is there a way to filter logs at the source, based on the message body?
- so that only certain content of the log gets shipped?


Thank you,
Dimitri
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Is there a way to filter logs at the source (content)

Post by ssax »

Are you asking how to limit the content of the logs that get sent to Log Server?

If so, it depends on what you're using to send them. If you're using rsyslog, you could set up a filter:

https://www.rsyslog.com/doc/v8-stable/c ... lters.html

For syslog-ng, there is also a filter:

https://www.syslog-ng.com/technical-doc ... ide/filter

What are you using to fire off the logs?
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: Is there a way to filter logs at the source (content)

Post by dlukinski »

ssax wrote: Are you asking how to limit the content of the logs that get sent to Log Server?

If so, it depends on what you're using to send them. If you're using rsyslog, you could set up a filter:

https://www.rsyslog.com/doc/v8-stable/c ... lters.html

For syslog-ng, there is also a filter:

https://www.syslog-ng.com/technical-doc ... ide/filter

What are you using to fire off the logs?
Hi

In this case we are shipping DHCP logs (lots of unnecessary messages) from many servers to Nagios LOG via the LOG client and the configuration attached.

The question is if we could filter at the client end first? If not possible, could we filter grok at Nagios LOG end?

Say, I do not need any DHCP messages looking this way: " *Packet dropped because of Client ID hash mismatch or standby server*"

Thank you
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Is there a way to filter logs at the source (content)

Post by ssax »

Try this:

Code:

<Input windowsfile>
    Module   im_file
    File     "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
    SavePos  TRUE
#    ReadFromLast FALSE
    Exec if ($raw_event =~ /Packet dropped because of Client ID hash mismatch or standby server/) drop();
    Exec     $Message = $raw_event;
</Input>
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: Is there a way to filter logs at the source (content)

Post by dlukinski »

ssax wrote: Try this:

Code:

<Input windowsfile>
    Module   im_file
    File     "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
    SavePos  TRUE
#    ReadFromLast FALSE
    Exec if ($raw_event =~ /Packet dropped because of Client ID hash mismatch or standby server/) drop();
    Exec     $Message = $raw_event;
</Input>

This worked, and if I wanted only to allow some messages and block the rest?

Thank you
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Is there a way to filter logs at the source (content)

Post by ssax »

Which ones do you want to allow? Is there anything in them that we can exclude (like the event ids or anything)?
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: Is there a way to filter logs at the source (content)

Post by dlukinski »

ssax wrote: Which ones do you want to allow? Is there anything in them that we can exclude (like the event ids or anything)?
Just a question of what the rule code should look like:

- say I want to drop ALL messages, but allow one containing "I like this message better" line.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Is there a way to filter logs at the source (content)

Post by ssax »

Try this:

Code:

<Input windowsfile>
    Module   im_file
    File     "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
    SavePos  TRUE
#    ReadFromLast FALSE
    Exec if ($raw_event !~ /I like this message better/) drop();
    Exec     $Message = $raw_event;
</Input>
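
An added example, not part of the original posts and not Nagios or NXLog code: a dry run of the two `drop()` rules from this thread over constructed DHCP log lines, showing what each rule would ship and which event IDs the allow-only rule silently discards. Python's `re.search` stands in for the `=~` / `!~` match (assumed equivalent here because the patterns are plain literals); `dry_run`, `dropped_by_id` and the sample lines are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in a comma-separated DHCP audit log layout
# (ID,Date,Time,Description,IP,Host,MAC). Not taken from the thread.
SAMPLE = [
    "10,05/21/18,10:00:01,Assign,192.0.2.10,pc1.example.test,001122334455",
    "36,05/21/18,10:00:02,Packet dropped because of Client ID hash mismatch or standby server.,192.0.2.11,,001122334456",
    "11,05/21/18,10:00:03,Renew,192.0.2.10,pc1.example.test,001122334455",
    "36,05/21/18,10:00:04,Packet dropped because of Client ID hash mismatch or standby server.,192.0.2.12,,001122334457",
    "99,05/21/18,10:00:05,I like this message better,192.0.2.13,,001122334458",
]

DENY = "deny"    # models: Exec if ($raw_event =~ /pattern/) drop();
ALLOW = "allow"  # models: Exec if ($raw_event !~ /pattern/) drop();


def dry_run(lines, pattern, mode):
    """Return (shipped, dropped) lists for a single drop() rule."""
    rx = re.compile(pattern)  # case-sensitive, unanchored match
    shipped, dropped = [], []
    for line in lines:
        matched = rx.search(line) is not None
        drop = matched if mode == DENY else not matched
        (dropped if drop else shipped).append(line)
    return shipped, dropped


def dropped_by_id(dropped):
    """Count dropped lines per leading event ID field."""
    return Counter(line.split(",", 1)[0] for line in dropped)


if __name__ == "__main__":
    rules = [
        (DENY, r"Packet dropped because of Client ID hash mismatch or standby server"),
        (ALLOW, r"I like this message better"),
    ]
    for mode, pattern in rules:
        shipped, dropped = dry_run(SAMPLE, pattern, mode)
        print(f"{mode}: shipped={len(shipped)} dropped={len(dropped)} "
              f"dropped_by_id={dict(dropped_by_id(dropped))}")
```

Running it against a copy of a real log file before changing the shipper configuration shows exactly which event types would stop reaching Log Server.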
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: Is there a way to filter logs at the source (content)

Post by dlukinski »

ssax wrote: Try this:

Code:

<Input windowsfile>
    Module   im_file
    File     "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
    SavePos  TRUE
#    ReadFromLast FALSE
    Exec if ($raw_event !~ /I like this message better/) drop();
    Exec     $Message = $raw_event;
</Input>

I see.

Thank you, please close the case
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Is there a way to filter logs at the source (content)

Post by cdienger »

Glad to hear it's working!