You can also use the RSYSLOG_DebugFormat template [1] to log into a file. You will be able to see the value of all properties.
[1] https://www.rsyslog.com/doc/v8-stable/configuration/templates.html

On Mon, Mar 11, 2019 at 10:00 PM Adam Chalkley <[email protected]> wrote:
> I'll defer to others more knowledgeable than I, but the 'Oracle' portion at
> first glance appears to be the hostname.
>
> In case it is helpful, here is an example entry that we're using:
>
> if ($programname == 'vmsvc' ) then {
>     if ($msg contains '[ warning] [guestinfo] Failed to get vmstats.') then {
>
>         # Discard the message instead of logging locally or allowing it to
>         # continue on to be forwarded remotely by subsequent rules.
>         stop
>
>     }
> }
>
> This is an example of an exact match and of using 'contains' to match part
> of the message.
>
> This rule is used for the open-vm-tools package provided by Ubuntu 14.04.
> That package has a bug which results in a message being logged every 30
> seconds, so we match and drop it.
>
> -----Original Message-----
> From: rsyslog <[email protected]> On Behalf Of Bryan
> Arenal via rsyslog
> Sent: Monday, March 11, 2019 3:39 PM
> To: [email protected]
> Cc: Bryan Arenal <[email protected]>
> Subject: [rsyslog] Having issues with discard rule
>
> Hi,
>
> I'm trying to set up a rule to discard some messages on a CentOS 7 box
> (8.24.0) but can't seem to get the syntax right. It seems that either
> it's not working at all or it discards EVERYTHING. Here's a
> sample of something I'm trying to discard:
>
> Mar 11 16:58:04 Oracle Audit[14958]: LENGTH: "225" SESSIONID:[8]
> "25480410" ENTRYID:[1] "1" USERID:[6] "DBSNMP" ACTION:[3] "101"
> RETURNCODE:[1] "0" LOGOFF$PREAD:[1] "0" LOGOFF$LREAD:[2] "16"
> LOGOFF$LWRITE:[1] "0" LOGOFF$DEAD:[1] "0" DBID:[10] "1221313690"
> SESSIONCPU:[1] "1"
>
> I've used 'if $programname == 'Oracle Audit' then stop' but that
> doesn't seem to do the trick. I've also tried using 'msg' but that
> also doesn't do anything. What am I doing wrong?
>
> Thanks!
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
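
The two suggestions in this thread combined into one configuration, as an added example that is not from any of the posters: first dump every property with RSYSLOG_DebugFormat, then write a discard rule against the values the dump shows. The debug file path is hypothetical, and the 'Oracle'/'Audit' values assume Adam's reading that 'Oracle' was parsed as the hostname; use whatever the debug file actually reports.

```conf
# --- Step 1 (temporary): see how rsyslog parsed the message ----------------
# Writes every property (hostname, programname, syslogtag, msg, ...) of every
# message to a file. The path is a hypothetical example. Remove this action
# once the rule below works, because the file grows quickly.
action(type="omfile"
       file="/var/log/rsyslog-debug.log"
       template="RSYSLOG_DebugFormat")

# --- Step 2: discard only the noisy entries --------------------------------
# Assumption: the debug file shows 'Oracle' as the hostname and 'Audit' as the
# programname for the sample line, which is why a comparison against
# 'Oracle Audit' never matched. Replace both values with the ones you see.
#
# The rule is narrowed with a 'contains' test on the DBSNMP user field taken
# from the sample message, so audit records for other database users are
# still logged and forwarded.
if ($hostname == 'Oracle'
    and $programname == 'Audit'
    and $msg contains 'USERID:[6] "DBSNMP"') then {

    # Must appear before the rules that write locally or forward remotely,
    # otherwise the message has already been processed by them.
    stop
}
```

After editing, `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.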

