Remote syslog filtering
Hi,
Looking for some help in filtering syslogs that are getting sent to a remote collector.
Recently implemented a pair of LTMs (11.4.1 HF8) and the amount of logs being sent is beyond what we want.
Examples:
info perl[14186]: 01310053:6: ASMConfig change:
notice g_server_rpc_handler_async.p
debug crond[15680]: pam_unix(crond:session): session opened for user roo
So far I've been able to successfully filter out the SSL_acc/req logs by following SOL16932 and adding this include filter:
include " filter f_ssl_acc_req { not (facility(local6) and level(info) and match('[ssl_acc\]')) and not (facility(local6) and level(info) and match('[ssl_req\]')); };
destination d_remote_loghost { udp(\"10.x.x.x\" port(514) localip(10.x.x.x)); };
log { source(s_syslog_pipe); filter(f_ssl_acc_req); destination(d_remote_loghost); }; "
Where I'm running into a problem is when trying to modify that include by adding level(notice..emerg); like so:
include " filter f_ssl_acc_req { level(notice..emerg);
not (facility(local6) and level(info) and match('[ssl_acc\]')) and not (facility(local6) and level(info) and match('[ssl_req\]')); };
When I do that I receive this:
01070920:3: Application error for confpp: STDERR/STDOUT text begins syntax error in /etc/syslog-ng/syslog-ng.conf at line 1137. STDERR/STDOUT text ends
Jul 22 16:38:54 NAV-CT-BIGIP-01.caretracker.and.com confpp[16448]: syntax check command FAILURE for unix_config_syslog returned: '256' Restarting syslog-ng: Shutting down syslog-ng: [ OK ] Starting syslog-ng: [ OK ]
Any help is always greatly appreciated!
Thanks!
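Added example, not part of the original post or of F5's SOL: a syslog-ng filter block holds exactly one boolean expression terminated by ";", so the ";" written directly after level(notice..emerg) ends the expression and the "not (...)" that follows it is what the parser rejects. The script below models the filter the post is aiming for, with the level clause joined to the two exclusion clauses by "and" (an assumption about the intended logic), counts the expressions in the broken and the joined body, and runs the joined filter over constructed sample messages modelled on the post's examples (facilities, pids and message text are assumed; nothing here is taken from a real device).

```python
import re

# syslog severities in priority order (0 = emerg ... 7 = debug), the order syslog-ng level() uses.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITY = {name: n for n, name in enumerate(SEVERITIES)}

# Assumption: the intended filter body joins the level() clause to the exclusions with "and".
FIXED_BODY = (
    "level(notice..emerg) "
    "and not (facility(local6) and level(info) and match('\\[ssl_acc\\]')) "
    "and not (facility(local6) and level(info) and match('\\[ssl_req\\]'));"
)
# The body from the question: the ';' after level() terminates the expression early.
BROKEN_BODY = (
    "level(notice..emerg); "
    "not (facility(local6) and level(info) and match('\\[ssl_acc\\]')) "
    "and not (facility(local6) and level(info) and match('\\[ssl_req\\]'));"
)


def expression_count(body):
    """Count ';'-terminated expressions in a filter body.

    A syslog-ng filter block accepts exactly one expression, so anything
    other than 1 here is a syntax error at that line of syslog-ng.conf."""
    return len([chunk for chunk in body.split(";") if chunk.strip()])


def level_in_range(level, bound_a, bound_b):
    """Model of level(a..b): inclusive priority range, bounds in either order."""
    lo, hi = sorted((PRIORITY[bound_a], PRIORITY[bound_b]))
    return lo <= PRIORITY[level] <= hi


def ssl_noise(m, tag):
    """One exclusion clause: facility local6, level info, literal [tag] in the message."""
    return (m["facility"] == "local6"
            and m["level"] == "info"
            and re.search(r"\[%s\]" % re.escape(tag), m["msg"]) is not None)


def f_ssl_acc_req(m):
    """Python equivalent of FIXED_BODY: keep notice and more severe, minus SSL access/request lines."""
    return (level_in_range(m["level"], "notice", "emerg")
            and not ssl_noise(m, "ssl_acc")
            and not ssl_noise(m, "ssl_req"))


# Constructed sample messages modelled on the post's examples (facilities are assumed).
SAMPLES = [
    {"id": 1, "facility": "local0", "level": "info",
     "msg": "perl[14186]: 01310053:6: ASMConfig change"},
    {"id": 2, "facility": "local0", "level": "notice",
     "msg": "g_server_rpc_handler_async.p"},
    {"id": 3, "facility": "cron", "level": "debug",
     "msg": "crond[15680]: pam_unix(crond:session): session opened"},
    {"id": 4, "facility": "local6", "level": "info",
     "msg": "[ssl_acc] 192.0.2.10 - - [22/Jul] 'GET / HTTP/1.1' 200"},
    {"id": 5, "facility": "local6", "level": "info",
     "msg": "[ssl_req] 192.0.2.10 TLSv1 AES128-SHA 'GET / HTTP/1.1' 200"},
    {"id": 6, "facility": "local0", "level": "err",
     "msg": "tmm[1234]: pool /Common/web_pool member 192.0.2.20:80 monitor status down"},
]


def forwarded(messages):
    """IDs of the messages the filter lets through to d_remote_loghost."""
    return [m["id"] for m in messages if f_ssl_acc_req(m)]


if __name__ == "__main__":
    print("expressions in broken body:", expression_count(BROKEN_BODY))  # 2
    print("expressions in fixed body:", expression_count(FIXED_BODY))    # 1
    print("forwarded message ids:", forwarded(SAMPLES))                   # [2, 6]
```

Note what the run shows: once level(notice..emerg) is in place, the [ssl_acc] and [ssl_req] lines (which are logged at info) are already dropped by the level clause, so the two exclusion clauses only matter if SSL access or request logging is ever raised above info. After changing the include, /etc/syslog-ng/syslog-ng.conf should contain a single expression between the filter's braces, which is the condition the expression_count() check mirrors.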