I'll defer to others more knowledgeable than I, but the 'Oracle' portion at
first glance appears to be the hostname.
In case it is helpful, here is an example entry that we're using:
if ($programname == 'vmsvc') then {
    if ($msg contains '[ warning] [guestinfo] Failed to get vmstats.') then {
        # Discard the message instead of logging locally or allowing it to
        # continue on to be forwarded remotely by subsequent rules.
        stop
    }
}
This is an example of an exact match and of using 'contains' to match part of
the message.
This rule is used for the open-vm-tools package provided by Ubuntu 14.04. That
package has a bug which results in a message being logged every 30 seconds, so
we match and drop it.
-----Original Message-----
From: rsyslog <[email protected]> On Behalf Of Bryan Arenal via
rsyslog
Sent: Monday, March 11, 2019 3:39 PM
To: [email protected]
Cc: Bryan Arenal <[email protected]>
Subject: [rsyslog] Having issues with discard rule
Hi,
I'm trying to set up a rule to discard some messages on a CentOS 7 box
(8.24.0) but can't seem to get the syntax right. It seems that either
it's not working at all or it discards EVERYTHING. Here's a
sample of something I'm trying to discard:
Mar 11 16:58:04 Oracle Audit[14958]: LENGTH: "225" SESSIONID:[8]
"25480410" ENTRYID:[1] "1" USERID:[6] "DBSNMP" ACTION:[3] "101"
RETURNCODE:[1] "0" LOGOFF$PREAD:[1] "0" LOGOFF$LREAD:[2] "16"
LOGOFF$LWRITE:[1] "0" LOGOFF$DEAD:[1] "0" DBID:[10] "1221313690"
SESSIONCPU:[1] "1"
I've used 'if $programname == 'Oracle Audit' then stop' but that
doesn't seem to do the trick. I've also tried using 'msg' but that
also doesn't do anything. What am I doing wrong?
Thanks!
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
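
The reply's reading of the sample line can be checked offline. The following is an added example, not code from the thread or from rsyslog: it assumes the traditional TIMESTAMP HOSTNAME TAG MSG layout, so 'Oracle' lands in the hostname position, and the names `parse` and `matches` are hypothetical. What rsyslog itself assigns depends on the input module and parser in use.

```python
import re

# Traditional layout assumed here: TIMESTAMP HOSTNAME TAG MSG
LINE_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s'
    r'(?P<hostname>\S+)\s'
    r'(?P<tag>[^\s:]+:?)'
    r'(?P<msg>.*)$', re.S)

# Start of the sample from the question, unwrapped onto one line.
ORACLE_LINE = ('Mar 11 16:58:04 Oracle Audit[14958]: LENGTH: "225" '
               'SESSIONID:[8] "25480410" ENTRYID:[1] "1" USERID:[6] "DBSNMP"')
# Constructed line (hostname and PID invented) for the vmsvc rule in the reply.
VMSVC_LINE = ('Mar 11 16:58:34 web01 vmsvc[1021]: '
              '[ warning] [guestinfo] Failed to get vmstats.')
VMSVC_TEXT = '[ warning] [guestinfo] Failed to get vmstats.'


def parse(line):
    """Split a line into fields; return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # programname is the static part of the tag: cut at the first ':', '[' or '/'.
    fields['programname'] = re.split(r'[:\[/]', fields['tag'], maxsplit=1)[0]
    return fields


def matches(fields, programname=None, hostname=None, contains=None):
    """Mimic an 'if ... then stop' filter: every condition given must hold."""
    if fields is None:
        return False
    if programname is not None and fields['programname'] != programname:
        return False
    if hostname is not None and fields['hostname'] != hostname:
        return False
    return contains is None or contains in fields['msg']


if __name__ == '__main__':
    oracle = parse(ORACLE_LINE)
    print(oracle['hostname'], oracle['tag'], oracle['programname'])
    print(matches(oracle, programname='Oracle Audit'))               # filter from the question
    print(matches(oracle, hostname='Oracle', programname='Audit'))   # reply's reading
    print(matches(parse(VMSVC_LINE), programname='vmsvc', contains=VMSVC_TEXT))
```

On a live system, writing the affected messages with rsyslog's built-in RSYSLOG_DebugFormat template shows the hostname, syslogtag and programname values that were actually assigned, which is the authoritative check before a stop rule is deployed.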