Is there a way to filter logs at the source (content)
Posted: Tue Mar 19, 2019 7:43 am
by dlukinski
Hello Nagios Support
Is there a way to filter logs at the source, based on the message body?
- so that only the certain content of the log gets shipped?
Thank you,
Dimitri
Re: Is there a way to filter logs at the source (content)
Posted: Tue Mar 19, 2019 11:16 am
by ssax
Are you asking how to limit the content of the logs that get sent to Log Server?
If so, it depends on what you're using to send them. If you're using rsyslog, you could set up a filter:
https://www.rsyslog.com/doc/v8-stable/c ... lters.html
For syslog-ng, there is also a filter:
https://www.syslog-ng.com/technical-doc ... ide/filter
What are you using to fire off the logs?
Re: Is there a way to filter logs at the source (content)
Posted: Tue Mar 19, 2019 1:31 pm
by dlukinski
Hi
In this case we are shipping DHCP logs (lots of unnecessary messages) from many servers to Nagios LOG via the LOG client and the configuration attached.
The question is whether we could filter at the client end first? If not possible, could we filter with grok at the Nagios LOG end?
Say, I do not need any DHCP messages looking this way: " *Packet dropped because of Client ID hash mismatch or standby server*"
Thank you
Re: Is there a way to filter logs at the source (content)
Posted: Tue Mar 19, 2019 1:51 pm
by ssax
Try this:
Code:
<Input windowsfile>
Module im_file
File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
SavePos TRUE
# ReadFromLast FALSE
Exec if ($raw_event =~ /Packet dropped because of Client ID hash mismatch or standby server/) drop();
Exec $Message = $raw_event;
</Input>
Re: Is there a way to filter logs at the source (content)
Posted: Tue Mar 19, 2019 4:55 pm
by dlukinski
ssax wrote: Try this:
Code:
<Input windowsfile>
Module im_file
File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
SavePos TRUE
# ReadFromLast FALSE
Exec if ($raw_event =~ /Packet dropped because of Client ID hash mismatch or standby server/) drop();
Exec $Message = $raw_event;
</Input>
This worked. And what if I wanted to allow only some messages and block the rest?
Thank you
Re: Is there a way to filter logs at the source (content)
Posted: Tue Mar 19, 2019 5:01 pm
by ssax
Which ones do you want to allow? Is there anything in them that we can exclude (like the event ids or anything)?
Re: Is there a way to filter logs at the source (content)
Posted: Wed Mar 20, 2019 12:56 pm
by dlukinski
ssax wrote: Which ones do you want to allow? Is there anything in them that we can exclude (like the event ids or anything)?
Just a question about what the rule code should look like:
- say I want to drop ALL messages, but allow one containing the "I like this message better" line.
Re: Is there a way to filter logs at the source (content)
Posted: Wed Mar 20, 2019 4:24 pm
by ssax
Try this:
Code:
<Input windowsfile>
Module im_file
File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
SavePos TRUE
# ReadFromLast FALSE
Exec if ($raw_event !~ /I like this message better/) drop();
Exec $Message = $raw_event;
</Input>
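Added example, not part of the original posts and not Nagios or NXLog code: a Python dry run that applies the thread's two Exec rules (the drop-on-match rule and the drop-unless-match rule) to sample lines, so you can see what would be shipped and what would be lost before deploying the filter. The sample lines and the function names are constructed for this example, and Python's `re` is assumed to behave like the agent's regex engine for these literal, case-sensitive patterns.

```python
import re

# Patterns copied from the two Exec rules in the thread.
DENY = re.compile(r"Packet dropped because of Client ID hash mismatch or standby server")
ALLOW = re.compile(r"I like this message better")

def deny_rule(raw_event):
    """if ($raw_event =~ /DENY/) drop();   Returns True when the line is shipped."""
    return DENY.search(raw_event) is None

def allow_rule(raw_event):
    """if ($raw_event !~ /ALLOW/) drop();  Returns True when the line is shipped."""
    return ALLOW.search(raw_event) is not None

def dry_run(lines, rule):
    """Split lines into (shipped, dropped) as the Input block would."""
    shipped = [l for l in lines if rule(l)]
    dropped = [l for l in lines if not rule(l)]
    return shipped, dropped

# Constructed sample, loosely shaped like a comma-separated DHCP server log.
# Every value, including the leading IDs, is made up for this example.
SAMPLE = [
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address",
    "10,03/19/19,07:43:01,Assign,192.0.2.10,host-a.example.test,001122334455",
    "11,03/19/19,07:43:05,Renew,192.0.2.11,host-b.example.test,001122334466",
    "99,03/19/19,07:43:09,Packet dropped because of Client ID hash mismatch or standby server,192.0.2.12,,001122334477",
    "15,03/19/19,07:43:12,NACK,192.0.2.13,host-c.example.test,001122334488",
    "98,03/19/19,07:43:15,I like this message better,,,",
    "97,03/19/19,07:43:18,i like this message better,,,",  # case differs
]

if __name__ == "__main__":
    for name, rule in (("deny rule", deny_rule), ("allow rule", allow_rule)):
        shipped, dropped = dry_run(SAMPLE, rule)
        print(f"{name}: {len(shipped)} shipped, {len(dropped)} dropped")
        for line in dropped:
            print("  dropped:", line)
```

The allow rule never ships the header line, the NACK line, or the lower-case variant of the allowed text, so anything a later investigation might need has to be named in the pattern explicitly.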
Re: Is there a way to filter logs at the source (content)
Posted: Fri Mar 22, 2019 8:35 am
by dlukinski
ssax wrote: Try this:
Code:
<Input windowsfile>
Module im_file
File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
SavePos TRUE
# ReadFromLast FALSE
Exec if ($raw_event !~ /I like this message better/) drop();
Exec $Message = $raw_event;
</Input>
I see.
Thank you, please close the case
Re: Is there a way to filter logs at the source (content)
Posted: Fri Mar 22, 2019 9:39 am
by cdienger
Glad to hear it's working!