I didn't answer my own question, but I did find that the logs with #011 at the beginning were from multiline java logs. Changing the ReadMode directive for imfile got rid of that particular issue, so now it's off to figure out better strings to ignore!

----- Original Message -----
> From: "Rick Brown" <[email protected]>
> To: "rsyslog" <[email protected]>
> Sent: Wednesday, January 22, 2014 1:39:17 PM
> Subject: [rsyslog] discard filter matching
>
> running rsyslog-7.4.7-1.el5.centos
>
> I'm trying to filter out messages like:
> zimbra_mailbox: #011at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:429)
>
> and every other message that contains #011at. My original attempt
> at this was simply:
>
> :msg, contains, "zimbra_mailbox: #011at" ~
>
> That failed to drop any messages whatsoever. I removed the #011at
> and used:
>
> :msg, contains, "org.mortbay." ~
>
> Which did as expected, but still logged way more messages than I care
> to deal with. I suspect the #011at needs some escaping, but
> http://www.rsyslog.com/rainerscript-constant-string-escaper/ tells
> me otherwise. I've played with a few combinations to try and get
> it working, but haven't come up with a working solution. Has
> anyone run into a similar situation? Any advice?
>
>
> --
> Rick Brown
> Office of Information Technology
> Georgia Institute of Technology
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> POST if you DON'T LIKE THAT.
>

--
Rick Brown
Office of Information Technology
Georgia Institute of Technology
258 4th Street N.W.
Atlanta, GA 30332-0715
email: [email protected]
ph: (404) 894-6175
Calendar: https://mail.gatech.edu/home/[email protected]?fmt=freebusy
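
Added illustration, not part of the original thread and not rsyslog code: a simplified Python model of how reading a Java stack trace one physical line at a time yields separate events that begin with `#011at` (rsyslog's escaped tab), while folding indented continuation lines into the preceding event does not. The sample log lines, the function names, and the newline used to join folded lines are assumptions of this example.

```python
import re

# Constructed sample: one Java stack trace between two ordinary log lines.
SAMPLE = [
    "2014-01-22 13:39:17 WARN request failed",
    "java.lang.RuntimeException: constructed example",
    "\tat org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:429)",
    "\tat example.Constructed.frame(Constructed.java:1)",
    "2014-01-22 13:39:18 INFO next event",
]


def escape_control(text):
    """Model of control-character escaping: '#' plus three octal digits."""
    return re.sub(r"[\x00-\x1f]", lambda m: "#%03o" % ord(m.group()), text)


def line_mode(lines):
    """Every physical line becomes its own event."""
    return [escape_control(line) for line in lines]


def indented_mode(lines):
    """Lines starting with a space or tab are folded into the previous event."""
    events = []
    for line in lines:
        if events and line[:1] in (" ", "\t"):
            events[-1] += "\n" + line  # assumed separator for this model
        else:
            events.append(line)
    return [escape_control(event) for event in events]


def orphan_frames(events):
    """Events that are nothing but a detached stack frame ('#011at ...')."""
    return [e for e in events if e.startswith("#011at ")]


if __name__ == "__main__":
    for name, mode in (("line", line_mode), ("indented", indented_mode)):
        events = mode(SAMPLE)
        print(name, len(events), "events,", len(orphan_frames(events)), "orphan frames")
```

Folding keeps the stack frames attached to the exception they belong to, so a discard rule can target the whole event instead of each frame.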

