Scribe, filtering mcast errors

jobhax

Occasional Visitor
Hello, I'm still trying to wrap my head around scribe but is there a way to move these out to a different log source than messages? Not sure how to get the filtering right.

kernel: ^[[0;33;41m[ERROR mcast] bcm_mcast_blog_process,783: blog allocation failure^[[0m
 

elorimer

Very Senior Member
Weirdly formatted log message. But anyway, the idea is to put a text file in /opt/etc/syslog.d that has three parts: defining the destination, the filter, and the log instruction. Since you can't filter by program here, you need some unique part of the message, perhaps like so:
Code:
destination d_blog { 
    file("/opt/var/log/blog.log");
};

filter f_blog {
    (message("bcm_mcast_blog_process") );
};

log {
    source(src);
    filter(f_blog);
    destination(d_blog);
    flags(final);
};
 

dev_null

Senior Member
Or if you don't want to see it at all, add it to the "blankmsg" file in /opt/etc/syslog-ng.d. This will discard outright. In my example, I discard hostapd and wlc_send_bar messages.

Code:
# discard and don't log empty messages from kernel nor wlc_send_bar messages

filter f_blank {
    program("hostapd") or
    message("wlc_send_bar") or
    program("kernel") and
    message("^ *$");
};

log {
    source(src);
    filter(f_blank);
    flags(final);
};

#eof
 

elorimer

Very Senior Member
This works? The filter matches a log message that meets all the tests. So it will select a message only if it is blank, and then if it is either from hostapd or kernel. It never matches wlc_send_bar because a message can't both be blank and have that text at the same time. Perhaps you need to group these with parentheses?
Also, complex filters take longer to process than simple filters. Not really relevant in our case because there aren't that many messages.
 

dev_null

Senior Member
Either it works, or by some heck of a coincidence all the log entries disappeared. I'm okay with either outcome.

But if I'm reading the design of these configuration files, I've told it to take those three message types and send them nowhere. Only the last entry has an and component which would mean both conditions need to be met.

I could be wrong, but that's the way I interpret this and it seems to be working just fine.
 

elorimer

Very Senior Member
It looks like you would have non-blank hostapd statements in messages. Without parens, there isn't something that breaks your filter into 3 message types; put another way, why does the ANDed statement apply only to kernel messages?

As we've noted before, syslog-ng can be kind of cryptic in its operation, and then there is Boolean logic on top of it :)
 

dev_null

Senior Member
I don't disagree; as I said it could be a coincidence. Perhaps someone with a better understanding of syslog-ng will point out that I was simply lucky and should go buy lottery tickets as my run of luck won't last.
 

dev_null

Senior Member
But in any event, the OP could use your approach and simply omit the destination file and achieve a discard action. So even if I was lucky, there's an available outcome by combining both answers.
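
Added example, not part of any post in this thread: a Python sketch that runs the two readings of `f_blank` debated above, plus the `f_blog` filter, over constructed sample records. The sample records, the function names and the modelling of `program()` and `message()` as unanchored regex searches are assumptions made for illustration.

```python
import re

# Constructed (program, message) records for illustration; not from a real router log.
SAMPLES = [
    ("hostapd", "wl0.1: STA 02:00:00:00:00:01 IEEE 802.11: associated"),
    ("kernel", "wlc_send_bar: for 02:00:00:00:00:02 seq 0x1 tid 0"),
    ("kernel", "   "),
    ("kernel", "\x1b[0;33;41m[ERROR mcast] bcm_mcast_blog_process,783: "
               "blog allocation failure\x1b[0m"),
    ("dnsmasq", "query[A] example.com from 192.168.1.10"),
]

def program(pattern, rec):
    """Model of program(): unanchored regex search on the program name."""
    return re.search(pattern, rec[0]) is not None

def message(pattern, rec):
    """Model of message(): unanchored regex search on the message text."""
    return re.search(pattern, rec[1]) is not None

def f_blog(rec):
    # The first filter in the thread; ANSI colour codes around the text do not matter.
    return message("bcm_mcast_blog_process", rec)

def f_blank_and_first(rec):
    # Reading 1: hostapd OR wlc_send_bar OR (kernel AND blank)
    return (program("hostapd", rec) or message("wlc_send_bar", rec)
            or (program("kernel", rec) and message(r"^ *$", rec)))

def f_blank_or_first(rec):
    # Reading 2: (hostapd OR wlc_send_bar OR kernel) AND blank
    return ((program("hostapd", rec) or message("wlc_send_bar", rec)
             or program("kernel", rec)) and message(r"^ *$", rec))

def matched(filter_fn):
    """Indexes of SAMPLES that the filter selects (and flags(final) would consume)."""
    return [i for i, rec in enumerate(SAMPLES) if filter_fn(rec)]

if __name__ == "__main__":
    for fn in (f_blog, f_blank_and_first, f_blank_or_first):
        print(f"{fn.__name__}: {matched(fn)}")
```

Under reading 1 the hostapd, wlc_send_bar and blank kernel records are all selected; under reading 2 only the blank kernel record is. Writing the parentheses explicitly in the syslog-ng filter selects one reading regardless of how the operators are ranked.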
 

jobhax

Occasional Visitor
This worked wonders! Thank you. It has helped reduce a lot of lag since it just spams. Usually only happens when Google Home/Smart TV is plugged in.
 
