How can I select some messages from a single source for one output and some for another based on the syslog content? I'm using the community edition. I have RTFMed but haven't found anything describing how to do this. I've tried using the Route block to send to multiple outputs and then using the drop() option in the output inside some <Exec> tags, but it doesn't seem to work and I end up with the same stuff in both outputs.

Asked July 6, 2016 - 10:36pm

Answer (1)

I was able to resolve this but it still doesn't make sense.

I changed

<Output out2>
    Module  om_file
    File    'C:\syslog\server1.log'

    <Exec>
        # filter on the parsed $Message field
        if $Message !~ /192.168.1.62/ {
            drop();
        }
    </Exec>
</Output>

to

<Output out2>
    Module  om_file
    File    'C:\syslog\server1.log'

    <Exec>
        # filter on the unparsed $raw_event field instead
        if not ($raw_event =~ /192.168.1.62/) drop();
    </Exec>
</Output>


With the top output I was getting ALL messages (wat?), and the bottom one was working as expected.

Comments (1)

  • adm (NXLog)

    You should make sure $Message has a value. I assume you are reading data into $raw_event that is not parsed and $Message is not populated. As such $Message is undef.

    The !~ operator evaluates to undef if the subject is undef, thus "if undef" will never hold true; this is why drop() doesn't get called.

    Hope that explains.
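Putting the answer and the comment together, here is an added example configuration (not from the thread or from NXLog) of the pattern the question asked for: one syslog input fanned out to two files by content, with each output's <Exec> guarding against the undef case the comment describes. The input address and port, the second file path and the module and route names are assumptions; 192.168.1.62 is the address used in the thread, with its dots escaped so the regex matches it literally rather than any character.

```nxlog
# Added example, not part of the original thread.
# Assumed: UDP syslog on port 514, file paths, module/route names.

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in_syslog>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    # parse_syslog() fills $Message, $Hostname, $Severity etc. from $raw_event.
    # Without it $Message stays undef, "$Message !~ /.../" is undef, and the
    # if-branch (and so drop()) never runs, which is why every event got written.
    Exec    parse_syslog();
</Input>

# Only events whose message mentions 192.168.1.62
<Output out_server1>
    Module  om_file
    File    'C:\syslog\server1.log'
    <Exec>
        # defined() guard: an unparsed event is dropped here instead of
        # silently passing the filter
        if not defined($Message) or $Message !~ /192\.168\.1\.62/ drop();
    </Exec>
</Output>

# Everything else, including events that could not be parsed
<Output out_other>
    Module  om_file
    File    'C:\syslog\other.log'
    <Exec>
        if defined($Message) and $Message =~ /192\.168\.1\.62/ drop();
    </Exec>
</Output>

<Route r_split>
    # Each output gets its own copy of the event; drop() inside one Output's
    # <Exec> only discards that copy, so the two filters are independent.
    Path    in_syslog => out_server1, out_other
</Route>
```

Two things worth checking before relying on this: run the binary with its configuration-syntax check (nxlog -v) after editing, and send a test line to each file to confirm the split. Also note that matching the address inside the message text will also catch events from other hosts that merely mention that address; if the aim is "everything that came from 192.168.1.62", the source-address field that im_udp sets ($MessageSourceAddress) or the parsed $Hostname is a more precise selector than a regex over $Message.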