
drop logs with empty message

Posted: Thu Jan 26, 2017 9:17 am
by WillemDH
Hello,

We have a logsource which sometimes sends empty logs. We would like to drop these if the message field is empty. How would we do this?

Code:

if [type] == "syslog-crushftp" {
    # Split the raw syslog line into its header fields and the payload
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}:%{GREEDYDATA:syslog_message}" }
    }
    mutate {
        lowercase => [ "program" ]
        add_field => {
          "logsource" => "%{syslog_hostname}"
        }
    }
    # Parse the CrushFTP-specific payload
    grok {
      match => { "syslog_message" => "\A%{DATESTAMP}\|\[%{HOSTNAME}:%{HTTPDUSER:ftp_session}:%{HTTPDUSER:ftp_user}:%{IP:source_ip}%{GREEDYDATA:rest_message}" }
      add_tag => "grokked_syslog_crushftp"
    }
    # Attempt to tag events whose payload is empty (see question below)
    grok {
      match => { "syslog_message" => "" }
      add_tag => "grokked_syslog_crushftp_empty"
    }
}
As you can see, I tried with

Code:

match => { "syslog_message" => "" }
but I noticed some logs which do contain a message also get the grokked_syslog_crushftp_empty tag...

Grtz

Willem

Re: drop logs with empty message

Posted: Thu Jan 26, 2017 12:11 pm
by mcapra
This worked for me:

Code:

if [message] =~ /^\s*$/ {
  # message is empty or contains only whitespace
  drop{}
}
else {
  # process the logs
}
Obviously your idea of tagging instead of dropping while doing testing is a good idea. drop{} can be a bit intimidating.
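The difference between the two approaches in this thread comes down to regex semantics, and Logstash conditionals use Ruby regular expressions. The following is an added example, not code from either post, written in plain Ruby against constructed sample values of syslog_message (the CrushFTP line and the multi-line message are made up for illustration). It shows why an empty grok pattern tags every event, how the answer's `/^\s*$/` behaves, and one caveat: in Ruby `^` and `$` are line anchors, so a multi-line message that merely contains a blank line would also be dropped, which silently loses events you may want for detection. The whole-string anchors `\A` and `\z` avoid that.

```ruby
# Added example (not from the forum thread): reproduces in plain Ruby the
# regex semantics that Logstash conditionals use, so the approaches from
# the thread can be compared on constructed sample events.

# Constructed sample syslog_message values, not real CrushFTP output.
SAMPLES = {
  "empty"      => "",
  "whitespace" => "   \t",
  "normal"     => "01/26/2017 09:17:00|[ftp01:sess1:user1:10.0.0.5] LOGIN OK",
  "multiline"  => "first line\n\nthird line",
}

# The grok attempt from the question: an empty pattern. An empty regex
# matches at offset 0 of *every* string, so every event gets the tag.
def empty_pattern_matches?(message)
  !(message =~ //).nil?
end

# The answer's conditional: [message] =~ /^\s*$/
# In Ruby ^ and $ are line anchors, so this also fires on a multi-line
# message that merely contains a blank line.
def line_anchored_blank?(message)
  !(message =~ /^\s*$/).nil?
end

# Whole-string anchors: \A and \z only match if the entire message is
# empty or whitespace. Safer when messages may span several lines.
def whole_string_blank?(message)
  !(message =~ /\A\s*\z/).nil?
end

# Simulated filter decision for each sample: true means "would be dropped".
def drop_decisions(checker)
  SAMPLES.transform_values { |msg| checker.call(msg) }
end

if __FILE__ == $0
  [["empty grok pattern", method(:empty_pattern_matches?)],
   ["/^\\s*$/",           method(:line_anchored_blank?)],
   ["/\\A\\s*\\z/",       method(:whole_string_blank?)]].each do |name, m|
    puts "#{name}: #{drop_decisions(m)}"
  end
end
```

Running it prints one decision map per approach: the empty pattern drops all four samples, `/^\s*$/` drops the empty, whitespace and multi-line samples, and `/\A\s*\z/` drops only the first two. If your source never emits multi-line events the answer above is fine as written; otherwise `if [message] =~ /\A\s*\z/` is the tighter condition.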

Re: drop logs with empty message

Posted: Sat Jan 28, 2017 12:26 pm
by WillemDH
Thank you very much. It works perfectly. Please close this thread.