Scribe Trouble filtering a message with parentheses

[Weblee2407]

I am trying to get the message "WAN(0)_Connection: WAN was restored." filtered using the code below. I am pretty sure the parens "()" are the issue, but I haven't been able to escape them using "\" backslash. I'm sure this is simple to the experienced developers that are members of this forum.

Thanks in advance.

#log custom monitoring entries to /opt/var/log/monitored.log only

destination d_monitored {
file("/opt/var/log/monitored.log");
};

filter f_monitored {
program("disk_monitor") or
message("WAN(0)_Connection: WAN was restored.") or
message("ubi0 error:") or
message("ubi0: dumping") or
message("drop_caches:")
};

log {
source(src);
filter(f_monitored);
destination(d_monitored);
flags(final);
};

#eof

 

[elorimer]

Do you need to match the whole thing? or is "WAN was restored" enough?

Its regex. Did you try

message("WAN\(0\)_Connection")

 

[Weblee2407]

I used a statement escaping the parens as you entered, using only "WAN\(0\)" but it didn't work. Then I set the whole message. Maybe WAN(0)_Connection: is considered a program? Let me try that too.

I need the entire line as I'm only flagging wan0 failback.

 

[Weblee2407]

Well here is what I ended up with after much trial, error and rejection by scribe. If someone has other expressions or escape sequences, please let me know.

EDIT: had to set it as program - that gave me more entries than I wanted, but I filtered those other, specific messages out.

 

[elorimer]

I went looking to see where there is an explanation of the syslog-ng parser and didn't find it.

If you wanted, you could create a separate file destination, and then write out all the log statements (make this your first named config file and don't use the flags(final) flag, but construct a template that contains the different pieces of the message: $PID, $Program, $Host, $MSGHDR, $MSG, and so on. That might tell you how the : and ( and ) is being interpreted. Then you can do your filter accordingly.

 

[cmkelley]

Well here is what I ended up with after much trial, error and rejection by scribe. If someone has other expressions or escape sequences, please let me know.

EDIT: had to set it as program - that gave me more entries than I wanted, but I filtered those other, specific messages out.

View attachment 51826

I went looking to see where there is an explanation of the syslog-ng parser and didn't find it.

If you wanted, you could create a separate file destination, and then write out all the log statements (make this your first named config file and don't use the flags(final) flag, but construct a template that contains the different pieces of the message: $PID, $Program, $Host, $MSGHDR, $MSG, and so on. That might tell you how the : and ( and ) is being interpreted. Then you can do your filter accordingly.

The filter file "expandlog" that scribe puts in /opt/share/syslog-ng/examples will create a log (/opt/var/log/expanded-syslog.log) with every log message expanded into its component parts. Simply copy it to /opt/etc/syslog-ng.d and then "scribe restart". The file will get very large very quickly so don't leave it running and walk away. There is no logrotate file for this filter because it is not something that should be used continuously unless your log files are going to a very large, very empty drive. When you're done, delete expandlog from /opt/etc/syslog-ng.d and "scribe restart" again.