[rsyslog-notify] Forum Thread: Re: filter invalid syslogtag - (Mode 'reply')

noreply at adiscon.com noreply at adiscon.com
Fri Jul 8 10:18:59 CEST 2016


User: rgerhards 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26747#p26747

Message: 
----------
Well, this is a good sample:

```
rawmsg: '<182>2016-07-08T06:16:18.571Z esxi051.smhi.se vmkernel:
cpu5:36453)NMP: nmp_ThrottleLogForDevice:3298: Cmd 0x12 (0x439d8b275200, 0)
to dev "naa.600508e0000000007c54091dbc29fc0b" on path "vmhba0:C1:T0:L0"
Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x0 0x0. Act:NONE'
```

Even I as a human have problems seeing that this message is actually
invalid. Looking closely, I see a string that looks like a hostname
followed by a string that ends in a colon... but how do I know for sure
that this is not intentional? I know many cases where this could be
perfectly valid. The message is perfectly valid as far as the relevant RFCs
go.

So how should rsyslog make the decision that this is not valid for your use
case? Think about it...

One method of course would be to write a custom parser (or other) module
that does exactly the logic that you need, e.g. you need to say which
messages you consider valid, so that the parser can disallow all others.

Rainer
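
Added example (not part of the original post, and not rsyslog code): a sketch of the allowlist logic such a custom parser would apply, accepting only messages whose header layout and tag the site has declared valid. The names `ALLOWED_TAGS`, `HEADER` and `classify`, the allowlist contents and the permitted tag characters are assumptions made for illustration.

```python
import re

# Assumption: the program names this site declares valid. Everything else is
# disallowed, even when it is well-formed as far as the RFCs go.
ALLOWED_TAGS = {"vmkernel", "hostd", "vpxa"}

# Expected layout: <PRI>ISO-8601-TIMESTAMP HOSTNAME TAG[PID]: MSG
# Assumption: tags are 1-32 characters drawn from letters, digits and "_./-".
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))"
    r" (?P<host>[A-Za-z0-9][A-Za-z0-9.-]{0,254})"
    r" (?P<tag>[A-Za-z0-9_./-]{1,32})(?:\[(?P<pid>\d+)\])?:"
    r" (?P<msg>.*)$",
    re.DOTALL,
)

def classify(rawmsg, allowed=ALLOWED_TAGS):
    """Return ("accept", tag) or ("reject", reason) for one raw message."""
    m = HEADER.match(rawmsg)
    if m is None:
        return ("reject", "header does not match the expected layout")
    if int(m["pri"]) > 191:  # highest PRI is facility 23 * 8 + severity 7
        return ("reject", "PRI out of range")
    if m["tag"] not in allowed:
        return ("reject", "tag %r is not in the allowlist" % m["tag"])
    return ("accept", m["tag"])

# The sample from the post, shortened and joined onto one line.
PAGE_SAMPLE = ("<182>2016-07-08T06:16:18.571Z esxi051.smhi.se vmkernel: "
               "cpu5:36453)NMP: nmp_ThrottleLogForDevice:3298: Cmd 0x12")

# Constructed inputs: message text sitting where the tag should be.
NO_TAG = "<182>2016-07-08T06:16:18.571Z esxi051.smhi.se cpu5:36453)NMP: Cmd 0x12"
WORD_AS_TAG = "<182>2016-07-08T06:16:18.571Z esxi051.smhi.se Failed: H:0x0 D:0x2"

if __name__ == "__main__":
    for raw in (PAGE_SAMPLE, NO_TAG, WORD_AS_TAG):
        print(classify(raw), "<-", raw[:60])
```

The second constructed message is the case the post describes: it has a hostname-like string followed by a string ending in a colon, so only the site's own allowlist rejects it.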

