Thanks, worked like a charm with $rawmsg

On Wed, Feb 12, 2020 at 12:16 PM Rainer Gerhards <[email protected]>
wrote:

> you do not need to process the message - just use this:
>
> if $msg contains ['VSAN',
>                           'VSANMGMTSVC']
>     then {
>     stop
>     }
>
> If that doesn't work, $msg does not contain what you think. Try
> $rawmsg (everything as received from wire) in this case.
>
> Rainer
>
> On Wed, Feb 12, 2020 at 12:41, Adam Barnett via rsyslog
> (<[email protected]>) wrote:
> >
> > Hi All,
> >
> > I am trying to drop syslog messages that contain certain words
> >
> > The message coming looks like so
> >
> > Feb 12 00:59:18 bd-c67b-85b3-1fa2-d50e69 mtlvdi52 VSANMGMTSVC: 641e7'},
> > {'uuid': '521c8928-2bbe-4258-eb7e-bb0c864ff357', 'isAllFlash': 0, 'owner':
> > '5dcd75a4-f34c-4392-1b2f-e4434b870550', 'disk_health': {'healthReason': 0,
> > 'healthFlags': 0, 'timestamp': 87985781610}, 'capacityReserved':
> > 1400897536, 'capacityUsed': 400165961728, 'isSsd': 0, 'capacity':
> > 1000194703360, 'ssdUuid': '5251ae5d-48e5-b92b-741b-19743c38c492'}, {'uuid':
> > '528da7de-32d3-f6a9-316e-5727f63a2eb1', 'isAllFlash': 0, 'owner':
> > '5dcd75a4-f34c-4392-1b2f-e4434b870550', 'disk_health': {'healthReason': 0,
> > 'healthFlags': 0, 'timestamp': 85923806398}, 'capacityReserved':
> > 1417674752, 'capacityUsed': 383028035584, 'isSsd': 0, 'capacity':
> > 1000194703360, 'ssdUuid': '5251ae5d-48e5-b92b-741b-19743c38c492'}, {'uuid':
> > '52e3c33e-8a38-6ece-64db-3fd27f1eabab', 'isAllFlash': 0, 'owner':
> > '5dcd75a4-f34c-4392-1b2f-e4434b870550', 'disk_health': {'healthReason': 0,
> > 'healthFlags': 0, 'timestam
> >
> > And my rule looks like
> >
> > template (name="drop"      type="string" string="/dev/null")
> >  if $msg contains ['VSAN',
> >                           'VSANMGMTSVC']
> >     then {
> >     action(type="omfile" DynaFile="drop")
> >     stop
> >     }
> >
> > But they are not being dropped, am I doing something wrong?
> >
> > Thanks
> >
> >
> >
> > --
> > Adam Barnett
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
>


-- 
Adam Barnett
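
The fix confirmed in this thread, together with a way to see what $msg and $rawmsg actually hold for a given message, as an added example that is not part of the original posts. The template name "showprops" and the path /var/log/rsyslog-props.log are assumptions; the match strings are the ones from the thread.

```rsyslog
# Added example (not from the thread). Template name and file path are
# assumptions chosen for illustration.

# Write the parsed fields next to the raw frame so they can be compared
# line by line when a $msg filter does not match as expected.
template(name="showprops" type="list") {
    constant(value="hostname=[")
    property(name="hostname")
    constant(value="] tag=[")
    property(name="syslogtag")
    constant(value="] msg=[")
    property(name="msg")
    constant(value="] rawmsg=[")
    property(name="rawmsg")
    constant(value="]\n")
}

# Temporary diagnostic: remove it once the filter is confirmed, because it
# writes every message a second time.
action(type="omfile" file="/var/log/rsyslog-props.log" template="showprops")

# Drop the messages. $rawmsg is the frame as received from the wire, so the
# match does not depend on how the parser split it into hostname/tag/msg.
if $rawmsg contains ['VSAN',
                     'VSANMGMTSVC']
    then {
    stop
    }
```

Place the filter ahead of the actions that store or forward logs, because stop only discards the message for the statements that follow it. 'VSAN' already matches every line that 'VSANMGMTSVC' would, and it matches that substring anywhere in the frame, from any sender.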