is it possible to negate a match using pm_match? (nxlog ce version for now)
#1
wallet
I am trying to us pm_pattern to filter messages that are approved for a 'limited' feed, and still have the full feed go to the admin feed.
I have set up the config to send the input to two feeds, that works fine. I've then tried to use pm_pattern to match certain strings and DROP them from the restricted feed. So far no luck. I'm sure I'm missing something really simple here, and would really appreciate if anyone had the time to check the configs for me...
in nxlog.conf (edited for brevity)...
and this is the patternmatch yaml (some matchfields removed)...
<group>
<name>Client</name>
<pattern>
<id>1</id>
<name>client input</name>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>rsyslogd</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>NetworkManager</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>Systemd</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>dnf</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>dbus</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>chrony</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>CRON</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>motd</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>snapd</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>promtail</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>nxlog</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>kernel</value>
</matchfield>
<matchfield>
<Name>raw_event</Name>
<type>regexp</type>
<value>loki</value>
</matchfield>
</pattern>
</group>
