[rsyslog-notify] Forum Thread: Re: filter invalid syslogtag - (Mode 'reply')

noreply at adiscon.com
Fri Jul 8 09:07:34 CEST 2016


User: awinberg 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26743#p26743

Message: 
----------
Worth noting is that lxserv350 (the client) is a RHEL7 box with
rsyslog-7.4.7-12.el7.x86_64.

But I feel we might be steering a bit off-course here. 

[quote]You now need to identify which process creates these
messages and contact them why it contains such a strange
format[/quote]
Sure, the message is corrupt, but shouldn't I be able to use rsyslog to
filter out such corrupt messages? That's kinda what I was hoping to do, so I
don't have to keep constant track of our logs and hunt down developers that
are doing something wrong all the time. 

And the corrupt message from lxserv350 was just one example; as I mentioned,
I also have logs from vmware that I can't filter out:
[code]Debug line with all properties:
FROMHOST: 'esxi051', fromhost-ip: '172.16.7.71',
HOSTNAME: 'esxi051.smhi.se', PRI: 182,
syslogtag 'vmkernel:', programname: 'vmkernel', APP-NAME:
'vmkernel', PROCID: '', MSGID: '-',
TIMESTAMP: 'Jul  8 06:16:18', STRUCTURED-DATA: '-',
msg: ' cpu5:36453)NMP: nmp_ThrottleLogForDevice:3298:
Cmd 0x12 (0x439d8b275200, 0) to dev
"naa.600508e0000000007c54091dbc29fc0b" on path
"vmhba0:C1:T0:L0" Failed: H:0x0 D:0x2 P:0x0
Valid sense data: 0x5 0x0 0x0. Act:NONE'
escaped msg: ' cpu5:36453)NMP:
nmp_ThrottleLogForDevice:3298: Cmd 0x12 (0x439d8b275200, 0) to dev
"naa.600508e0000000007c54091dbc29fc0b" on path
"vmhba0:C1:T0:L0" Failed: H:0x0 D:0x2 P:0x0
Valid sense data: 0x5 0x0 0x0. Act:NONE'
inputname: imudp rawmsg: '<182>2016-07-08T06:16:18.571Z
esxi051.smhi.se vmkernel: cpu5:36453)NMP:
nmp_ThrottleLogForDevice:3298: Cmd 0x12 (0x439d8b275200, 0) to dev
"naa.600508e0000000007c54091dbc29fc0b" on path
"vmhba0:C1:T0:L0" Failed: H:0x0 D:0x2 P:0x0
Valid sense data: 0x5 0x0 0x0. Act:NONE'[/code]

Using this filter on the logserver:
[code]if $syslogfacility-text == 'local3' and ($procid == '-' or
$procid == '') then ~[/code]

filters out and discards _all_ my logs, regardless of content in $procid.
If I use the same filter on my rsyslog clients it works (even with
lxserv350 and the corrupt messages). But esx doesn't use rsyslog and I don't
have control over those servers, which is why it would be nice to filter it
out on the logserver, which I do control.

But I agree that the rsyslog version on the logserver is ancient, albeit a
redhat backported version, so I don't think we should dig too deep into
this. We will upgrade our logservers to RHEL7 after the summer and then I
will try again. I'll bump this thread when I do. 

Thanks for now!
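Added example (not part of the thread, and not rsyslog code): a small Python parser that derives the same properties the debug line above lists (facility text from PRI, hostname, programname, procid, msg) from a raw syslog message, then evaluates the poster's filter predicate against a handful of messages. The tag-splitting rule (program name up to '[' or ':', PID inside square brackets) and the facility-name table follow the RFC 3164/5424 conventions and are assumptions about how the properties are derived; the two local3 sample lines are constructed, while the first raw message is the one quoted in the post.

```python
import re

# Facility number -> facility text, RFC 5424 table in the lower-case form
# the thread's filter compares against ($syslogfacility-text == 'local3').
FACILITY_TEXT = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + i: f"local{i}" for i in range(8)},
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Header after the PRI: timestamp, hostname, then the rest (tag + msg).
# Both timestamp shapes seen in the thread are accepted:
# "Jul  8 06:16:18" (RFC 3164) and "2016-07-08T06:16:18.571Z" (ISO 8601).
HDR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d|\S+T\S+)\s+"
    r"(?P<host>\S+)\s+(?P<rest>.*)$", re.DOTALL)
# Tag: program name up to '[' or ':', optional "[procid]", optional ':'.
# Assumed rule: "vmkernel:" -> programname "vmkernel", procid "";
#               "sshd[1234]:" -> programname "sshd", procid "1234".
TAG_RE = re.compile(r"^(?P<prog>[^\s\[:]+)(?:\[(?P<pid>[^\]]*)\])?:?")


def parse(raw):
    """Derive the properties the thread's debug line shows from a raw message."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    facility, severity = divmod(pri, 8)
    h = HDR_RE.match(m.group(2))
    if not h:
        raise ValueError("header does not match timestamp/hostname layout")
    t = TAG_RE.match(h.group("rest"))
    if not t:
        raise ValueError("no syslog tag found")
    return {
        "pri": pri,
        "facility_text": FACILITY_TEXT.get(facility, f"facility{facility}"),
        "severity": severity,
        "hostname": h.group("host"),
        "programname": t.group("prog"),
        # A tag without "[pid]" yields an empty procid, like the debug line.
        "procid": t.group("pid") or "",
        "msg": h.group("rest")[t.end():],
    }


def poster_filter_discards(props):
    """The predicate from the post: local3 with an empty or '-' procid."""
    return props["facility_text"] == "local3" and props["procid"] in ("-", "")


def apply_filter(raw_messages):
    """Return (kept, discarded) lists of property dicts for the given messages."""
    kept, discarded = [], []
    for raw in raw_messages:
        props = parse(raw)
        (discarded if poster_filter_discards(props) else kept).append(props)
    return kept, discarded


# The rawmsg quoted in the post, joined back onto one line.
RAWMSG_FROM_THREAD = (
    '<182>2016-07-08T06:16:18.571Z esxi051.smhi.se vmkernel: cpu5:36453)NMP: '
    'nmp_ThrottleLogForDevice:3298: Cmd 0x12 (0x439d8b275200, 0) to dev '
    '"naa.600508e0000000007c54091dbc29fc0b" on path "vmhba0:C1:T0:L0" '
    'Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x0 0x0. Act:NONE'
)
# Constructed samples (not from the thread): facility local3 is 19,
# so PRI 158 = 19*8 + 6 (severity info); one tag without a PID, one with.
CONSTRUCTED_LOCAL3_NO_PID = "<158>Jul  8 06:16:18 lxserv350 someapp: message without a pid"
CONSTRUCTED_LOCAL3_WITH_PID = "<158>Jul  8 06:16:18 lxserv350 someapp[4242]: message with a pid"

if __name__ == "__main__":
    for raw in (RAWMSG_FROM_THREAD, CONSTRUCTED_LOCAL3_NO_PID, CONSTRUCTED_LOCAL3_WITH_PID):
        p = parse(raw)
        verdict = "discard" if poster_filter_discards(p) else "keep"
        print(f"{verdict:7} facility={p['facility_text']} program={p['programname']} "
              f"procid={p['procid']!r} host={p['hostname']}")
```

Running it prints, for each message, the facility text, programname and procid the predicate sees and whether the predicate would discard it. That lets you check against a captured sample what the filter should do (for the vmkernel message above: which facility PRI 182 decodes to, and that a plain "vmkernel:" tag leaves procid empty) before trying to reproduce the discard-everything behaviour on the logserver itself.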

