Hi, You need to add parse_syslog_bsd() to tcp-in on the server, otherwise there are no fields passed to pm_pattern besides $raw_event.
Regards, Botond On Sat, 7 Dec 2013 12:42:02 -0700 "Paul Fontenot" <ssdv6...@gmail.com> wrote: > Hi, > > I have put together a pm_pattern file that does exactly what I wanted it to > do on local workstation and thought I'd put it on the central log server and > I've found that what worked on the workstation doesn't work on the server. I > can put the entire pattern file in here if needed - none of the patterns are > matching when I'm trying to filter at the server instead of the workstation. > > *** workstation *** > <Input kernel> > Module im_kernel > Exec parse_syslog_bsd(); > </Input> > <Output k_out> > Module om_tcp > Host 192.168.0.200 > Port 1514 > Exec to_syslog_bsd(); > </Output> > <Route 1> > Path kernel => k_out > </Route> > <Input uds> > Module im_uds > Exec parse_syslog_bsd(); > </Input> > <Output u_out> > Module om_tcp > Host 192.168.0.200 > Port 1514 > Exec to_syslog_bsd(); > </Output> > <Route 1> > Path uds => u_out > </Route> > > *** server *** > define LOGDIR /var/nxlog > > # Previously defined in 01-local.conf > # > #<Extension syslog> > # Module xm_syslog > #</Extension> > > <Input tcp-in> > Module im_tcp > Host 192.168.0.200 > Port 1514 > </Input> > > <Processor pattern-nonwbt> > Module pm_pattern > PatternFile /etc/nxlog.d/patterndb-nonwbt.xml > </Processor> > <Output tcp-out> > Module om_file > File '%LOGDIR%/all.log' > </Output> > > <Route tcp-route> > Path tcp-in => pattern-nonwbt => tcp-out > </Route> > > *** pm_pattern *** > --<snip>-- > <name>kernel</name> > <id>6</id> > <matchfield> > <name>SourceName</name> > <type>exact</type> > <value>kernel</value> > </matchfield> > > <pattern> > <id>1</id> > <name>MCP</name> > > <matchfield> > <name>Message</name> > <type>REGEXP</type> > <value>^intel ips [a-zA-Z0-9.]*: MCP limit exceeded: Avg temp [0-9]*, > limit 9000</value> > </matchfield> > > <exec> > drop(); > </exec> > </pattern> > > <pattern> > <id>2</id> > <name>MCP</name> > > <matchfield> > <name>Message</name> > <type>REGEXP</type> > <value>^intel ips [a-zA-Z0-9.]*: MCP limit exceeded: Avg power [0-9]*, > limit 35000</value> > </matchfield> > > <exec> > drop(); > </exec> > </pattern> > > > ------------------------------------------------------------------------------ > Sponsored by Intel(R) XDK > Develop, test and display web and hybrid apps with a single code base. > Download it for free now! > http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk > _______________________________________________ > nxlog-ce-users mailing list > nxlog-ce-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users ------------------------------------------------------------------------------ Sponsored by Intel(R) XDK Develop, test and display web and hybrid apps with a single code base. Download it for free now! http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk _______________________________________________ nxlog-ce-users mailing list nxlog-ce-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
