On Wed, 26 Mar 2014, li...@vfemail.net wrote:
> Dear rsyslog experts,
> I am new here and also new to syslog. I am running rsyslog-5.6.5-2.x86_64 on
> RHEL 5.10. I saw that it is possible to not log some messages into
> /var/log/messages or mysql (in my case).
> I've already suppressed some messages coming from dovecot by adding the
> following line to rsyslog.conf:
> :msg, contains, "dovecot" ~
> But now I have a problem and don't know how to suppress just one type of
> message coming from one server.
> The message is:
> 562 NT AUTHORITY\SYSTEM Handle Closed:#177 Object Server:Security#177 Handle
> ID:4912#177 Process ID:4#177 Image File Name:#177
> I saw it is possible to filter by hostname or by msg, but not both at the
> same time ...
> Is it possible to mix them somehow and use both at the same time?
> Let's say: how do I suppress log messages coming from hostname=testserver and
> containing the string "562 NT AUTHORITY\SYSTEM"?
You didn't say what version you are running.
# a literal backslash inside the quoted string is written \\
if $hostname == 'testserver' and $msg contains '562 NT AUTHORITY\\SYSTEM' then ~
There are also things you can do to nest tests.
In v7+ the action can be a compound statement:
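# property-based filters: the operator is isequal, the value is double-quoted, backslash is written \\
:hostname, isequal, "testserver" {
:msg, contains, "562 NT AUTHORITY\\SYSTEM" ~
}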
In earlier versions you can use rulesets to create a ruleset that contains one
test, and then call that ruleset as the result of another test.
But the compound if statement is probably the best approach for your simple
case.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
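
The ruleset approach the reply mentions for pre-v7 versions, written out as an added example that is not part of the original thread. It assumes the omruleset module that ships with rsyslog 5.x; the ruleset name `testserver_filter` is hypothetical, and the `/var/log/messages` actions stand in for whatever actions the real configuration uses.

```conf
# Added example, not from the thread. Legacy (v5) configuration syntax.
$ModLoad omruleset

# Inner ruleset: holds the second test. Only messages handed over by the
# hostname rule further down are evaluated here.
$RuleSet testserver_filter
# Discard the noisy audit event. Inside the quoted value a literal
# backslash is written as \\
:msg, contains, "562 NT AUTHORITY\\SYSTEM" ~
# Everything else from testserver is still written (stand-in action)
*.* /var/log/messages

# Switch back to the default ruleset: holds the first test.
$RuleSet RSYSLOG_DefaultRuleset
# Name the ruleset that the next :omruleset: action will call
$ActionOmrulesetRulesetName testserver_filter
:hostname, isequal, "testserver" :omruleset:
# The message has been handed to the inner ruleset, so stop processing
# it here; otherwise it would also reach the rules below
& ~

# All other hosts are logged as before (stand-in action)
*.* /var/log/messages
```

Because the discard is scoped to one host and one message string, audit events from every other sender and every other event type from testserver keep being logged.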