#011 is an escaped tab. Your java logs are multiline logs with the lines after
the first starting with a tab.
David Lang
On Wed, 22 Jan 2014, Rick Brown wrote:
I didn't answer my own question, but I did find that the logs with #011 at the
beginning were from multiline java logs. Changing the ReadMode directive for
imfile got rid of that particular issue, so now it's off to figure out better
strings to ignore!
----- Original Message -----
From: "Rick Brown" <[email protected]>
To: "rsyslog" <[email protected]>
Sent: Wednesday, January 22, 2014 1:39:17 PM
Subject: [rsyslog] discard filter matching
running rsyslog-7.4.7-1.el5.centos
I'm trying to filter out messages like:
zimbra_mailbox: #011at
org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:429)
and every other message that contains #011at. My original attempt
at this was simply:
:msg, contains, "zimbra_mailbox: #011at" ~
That failed to drop any messages whatsoever. I removed the #011at
and used:
:msg, contains, "org.mortbay." ~
Which did as expected, but still logged way more messages than I care
to deal with. I suspect the #011at needs some escaping, but
http://www.rsyslog.com/rainerscript-constant-string-escaper/ tells
me otherwise. I've played with a few combinations to try and get
it working, but haven't come up with a working solution. Has
anyone run into a similar situation? Any advice?
--
Rick Brown
Office of Information Technology
Georgia Institute of Technology
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
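The grouping described in the reply above, as an added Python example that is not from the thread or from rsyslog: it decodes the #011 escape back to a tab and folds tab-indented continuation lines into the record they belong to, so a filter acts on one stack trace instead of many separate lines. The sample lines and helper names are constructed for illustration.

```python
import re

# A control character is shown as '#' plus three octal digits, so a tab
# (0x09) appears as "#011". Only codes below 040 (space) are treated as
# escapes, which leaves ordinary text such as "#123" untouched.
ESCAPE = re.compile(r"#(0[0-3][0-7])")


def unescape(text):
    """Turn #ooo control-character escapes back into the raw characters."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def fold_indented(lines):
    """Join lines that start with whitespace onto the record before them."""
    records = []
    for raw in lines:
        line = unescape(raw.rstrip("\n"))
        if line[:1] in (" ", "\t") and records:
            records[-1].append(line.strip())   # continuation of a stack trace
        else:
            records.append([line])             # first line of a new record
    return [" | ".join(parts) for parts in records]


def drop_matching(records, needle):
    """Discard whole records containing needle (hypothetical filter helper)."""
    return [r for r in records if needle not in r]


# Constructed sample: one Java exception followed by an unrelated message.
SAMPLE = [
    "2014-01-22 13:30:01 WARN mailbox - request failed",
    "#011at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:429)",
    "#011at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)",
    "2014-01-22 13:30:02 INFO mailbox - login ok",
]

if __name__ == "__main__":
    folded = fold_indented(SAMPLE)
    print(len(SAMPLE), "lines ->", len(folded), "records")
    for record in drop_matching(folded, "org.mortbay."):
        print(record)
```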