Scribe, filtering mcast errors

jobhax

Occasional Visitor
Hello, I'm still trying to wrap my head around scribe but is there a way to move these out to a different log source than messages? Not sure how to get the filtering right.

kernel: ^[[0;33;41m[ERROR mcast] bcm_mcast_blog_process,783: blog allocation failure^[[0m
 
Weirdly formatted log message. But anyway, the idea is to put a text file in /opt/etc/syslog.d that has three parts: defining the destination, the filter, and the log instruction. Since you can't filter by program here, you need some unique part of the message, perhaps like so:
Code:
destination d_blog { 
    file("/opt/var/log/blog.log");
};

filter f_blog {
    (message("bcm_mcast_blog_process") );
};

log {
    source(src);
    filter(f_blog);
    destination(d_blog);
    flags(final);
};
 
Or if you don't want to see it at all, add it to the "blankmsg" file in /opt/etc/syslog-ng.d . This will discard outright. In my example, I discard hostapd and wlc_send_bar messages.

Code:
# discard and don't log empty messages from kernel nor wlc_send_bar messages

filter f_blank {
    program("hostapd") or
    message("wlc_send_bar") or
    program("kernel") and
    message("^ *$");
};

log {
    source(src);
    filter(f_blank);
    flags(final);
};

#eof
 
This works? The filter matches a log message that meets all the tests. So it will select a message only if it is blank, and then if it is either from hostapd or kernel. It never matches wlc_send_bar because a message can't both be blank and have that text at the same time. Perhaps you need to group these with parentheses?
Also, complex filters take longer to process than simple filters. Not really relevant in our case because there aren't that many messages.
 
Either it works, or by some heck of a coincidence all the log entries disappeared. I'm okay with either outcome.

But if I'm reading the design of these configuration files, I've told it to take those three message types and send them nowhere. Only the last entry has an and component which would mean both conditions need to be met.

I could be wrong, but that's the way I interpret this and it seems to be working just fine.
 
It looks like you would have non-blank hostapd statements in messages. Without parens, there isn't something that breaks your filter into 3 message types; put another way, why does the ANDed statement apply only to kernel messages?

As we've noted before, syslog-ng can be kind of cryptic in its operation, and then there is boolean logic on top of it :)
 
I don't disagree; as I said it could be a coincidence. Perhaps someone with a better understanding of syslog-ng will point out that I was simply lucky and should go buy lottery tickets as my run of luck won't last.
 
But in any event, the OP could use your approach and simply omit the destination file and achieve a discard action. So even if I was lucky, there's an available outcome by combining both answers.
 
This worked wonders! Thank you. It has helped reduce a lot of lag since it just spams. Usually only happens when Google Home/Smart TV is plugged in.
 
