Hi There!!
Thanks for your quick response! I appreciate it.
I wasn't aware that I could drop logstash altogether.. it's not a proxy as
far as I get it.. it can process things, forward events to Riemann, Graphite,
ES and so forth... it's a bit more than just a proxy, don't you think?

Well.. my question, as you've mentioned, was not said out loud but you did
get it. It is "How to filter those babies out?"
You've provided me with some interesting ways of doing it, and eventually I
got to that conclusion just after I sent the mail (I guess when I relaxed
things came together in my head).

I thank you for your mail, and if you can clarify the syntax here a little
further for me, I would love it:

 <Input eventlog>
     Module      im_msvistalog
     Exec if ($EventID == 42) or ($EventID == 142) ... drop(); \
          else if $Message =~ /DEBUG/ drop();
 </Input>

I want to drop messages that DO contain "DEBUG" in them. So it might be:
..
          else if $Message == /DEBUG/ drop();
...
Right?
What if I want to drop messages that contain more than one word (a phrase)
like
"I want to drop that"
It would be
...
          else if $Message == /I want to drop that/ drop();
...

Well.. I've managed to do that using PatternDB, it's working but I'm not
sure it is the best way. This is what my patternDB looks like now:

<patterndb>
    <group>
        <name>eventlog</name>
        <id>1</id>
        <pattern>
            <id>1</id>
            <name>dfs events</name>
            <matchfield>
                <name>FileName</name>
                <type>exact</type>
                <value>DFS Replication</value>
            </matchfield>
            <matchfield>
                <name>Program</name>
                <type>exact</type>
                <value>ESENT</value>
            </matchfield>
            <matchfield>
                <name>SourceName</name>
                <type>exact</type>
                <value>DFSR</value>
            </matchfield>
            <exec>
                drop();
            </exec>
        </pattern>
        <pattern>
            <id>2</id>
            <name>DFS2</name>
            <matchfield>
                <name>Message</name>
                <type>regexp</type>
                <value>^DFSRs (\S+)</value>
                <capturedfield>
                    <name>Message</name>
                    <type>STRING</type>
                </capturedfield>
            </matchfield>
            <exec>
                drop();
            </exec>
        </pattern>
        <pattern>
            <id>3</id>
            <name>FilterDebugMonitor</name>
            <matchfield>
                <name>Message</name>
                <type>regexp</type>
                <value>^DEBUG: (\S+)</value>
                <capturedfield>
                    <name>Message</name>
                    <type>STRING</type>
                </capturedfield>
            </matchfield>
            <exec>
                drop();
            </exec>
        </pattern>
        <pattern>
            <id>4</id>
            <name>ClearReqAssincrona</name>
            <matchfield>
                <name>Message</name>
                <type>regexp</type>
                <value>^Controle ass(\S+)</value>
                <capturedfield>
                    <name>Message</name>
                    <type>STRING</type>
                </capturedfield>
            </matchfield>
            <exec>
                drop();
            </exec>
        </pattern>
    </group>
</patterndb>

[]'s
Geraldo Magella Junior


On Thu, Jul 18, 2013 at 5:43 AM, Botond Botyanszki <b...@nxlog.org> wrote:

> Hi,
>
> On Wed, 17 Jul 2013 16:49:50 -0300
> Geraldo Magella Junior <geraldomagellajun...@gmail.com> wrote:
>
> > I'm throwing the towel...I'm using NXLOG to forward events to Logstash
> > centralized interface that would then write to Elastic Search so I can
> > check'em out in Kibana.
> I've yet to understand why is everyone using logstash for that as it is
> only a proxy and can (?) be omitted altogether.
>
> > Everything is working fine but I'm trying to filter some log entries that I
> > don't want to see in ES/Kibana/etc.
> > What I want to do is:
> > * Exclude DFS Replication log messages.
> > * Exclude log messages that had DEBUG in the message field.
> You have more options. In addition to using pm_pattern it might be worth
> doing the filtering directly with the Exec directive, i.e. :
>  <Input eventlog>
>      Module      im_msvistalog
>      Exec if ($EventID == 42) or ($EventID == 142) ... drop(); \
>           else if $Message =~ /DEBUG/ drop();
>  </Input>
>
> Another option is to use Query XML/xpath filtering, see the Query
> directive of the im_msvistalog module.
>
> > Can anyone help me?
> > Any help would be appreciated.
> You forgot to include in your mail what the exact problem is that you are
> having.
>
> > And Patterndb.xml looks like:
> >
> > <patterndb>
> >     <group>
> >         <name>eventlog</name>
> >         <id>1</id>
> >         <pattern>
> >             <id>1</id>
> >             <name>dfs events</name>
> >             <matchfield>
> >                 <name>FileName</name>
> >                 <type>string</type>
> The type tag here defines the matching operation, so it is either REGEXP
> or EXACT. You need the latter in this case.
>
> >                 <value>DFS Replication</value>
> >             </matchfield>
> >             <matchfield>
> >                 <name>SourceName</name>
> >                 <type>string</type>
> Same as above.
>
> >                 <value>DFSR</value>
> >             </matchfield>
> >             <matchfield>
> >                 <name>EventID</name>
> >                 <type>rege</type>
> Typo
>
> >                 <value>(4202|4208|4302|4304|5004)</value>
> >             </matchfield>
> >             <exec>
> >                 drop();
> >             </exec>
> >         </pattern>
> >         <pattern>
> >             <id>2</id>
> >             <name>Monitor</name>
> >             <matchfield>
> >                 <name>Message</name>
> >                 <type>string</type>
> regexp?
>
> >                 <value>DEBUG</value>
> >             </matchfield>
> >             <exec>
> >                 drop();
> >             </exec>
> >         </pattern>
> >     </group>
> > </patterndb>
>
> Regards,
> Botond
>
>
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> nxlog-ce-users mailing list
> nxlog-ce-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
>
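
Added example, not part of the original thread and not NXLog code: a small Python model of the two match types discussed above (exact and regexp), run over constructed events, to show how much more an unanchored `DEBUG` regexp drops than the anchored `^DEBUG: (\S+)` pattern, and how an exact match on a phrase differs from a regexp on it. It assumes every condition in a rule must match and uses Python's `re` in place of NXLog's regex engine; the events, rule names and helper functions are hypothetical.

```python
import re

# Constructed sample events (not from the thread); field names follow the
# event fields used in the thread's configuration.
EVENTS = [
    {"SourceName": "DFSR", "EventID": 4202,
     "Message": "DFSRs staging space is above the high watermark"},
    {"SourceName": "MonitorApp", "EventID": 1000, "Message": "DEBUG: heartbeat ok"},
    {"SourceName": "MonitorApp", "EventID": 1001,
     "Message": "Login failed for admin (build flags: DEBUG)"},
    {"SourceName": "MonitorApp", "EventID": 1002, "Message": "I want to drop that"},
    {"SourceName": "MonitorApp", "EventID": 1003,
     "Message": "Note: I want to drop that event later"},
]

def matches(field_value, kind, value):
    """'exact' is whole-string equality; 'regexp' is a search anywhere in
    the field unless the pattern itself is anchored with ^ or $."""
    if kind == "exact":
        return field_value == value
    return re.search(value, field_value) is not None

def dropped_ids(events, rules):
    """EventIDs dropped by any rule. A rule is a list of
    (field, kind, value) conditions; assumption: all must match."""
    out = []
    for ev in events:
        for rule in rules:
            if all(matches(str(ev.get(f, "")), k, v) for f, k, v in rule):
                out.append(ev["EventID"])
                break
    return out

# Rules modelled on the patterns quoted in the thread.
UNANCHORED = [[("Message", "regexp", r"DEBUG")]]
ANCHORED = [[("Message", "regexp", r"^DEBUG: (\S+)")]]
PHRASE_EXACT = [[("Message", "exact", "I want to drop that")]]
PHRASE_REGEXP = [[("Message", "regexp", r"I want to drop that")]]
DFS = [[("SourceName", "exact", "DFSR"),
        ("Message", "regexp", r"^DFSRs (\S+)")]]

if __name__ == "__main__":
    for name, rules in [("unanchored", UNANCHORED), ("anchored", ANCHORED),
                        ("phrase exact", PHRASE_EXACT),
                        ("phrase regexp", PHRASE_REGEXP), ("dfs", DFS)]:
        print(f"{name:14} drops EventIDs {dropped_ids(EVENTS, rules)}")
```

In this model the unanchored rule also discards the failed-login event that only mentions DEBUG, which is the kind of loss to check for before a drop rule goes in front of Elasticsearch.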