Ignore priority 7 syslog
Hi
Some unfortunate soul enabled BGP debugging on a device and then forgot all about it.
I'm now trying to delete 76 million records from the syslog database.
Is there a way to ignore syslog messages with priority 7 in the syslog import in Observium? It'll probably happen again someday.
Lars
Not directly in Observium, but you can easily pre-filter them in the syslog-ng (or rsyslog) config, by simply not passing in, or blackholing, anything coming in at that level.
For syslog-ng, the relevant section of documentation is at syslog-ng Open Source Edition 3.16 - Administration Guide (https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/51#TOPIC-956580). It should be fairly straightforward to follow. The equivalent rsyslog documentation is at RSyslog Documentation - rsyslog (https://www.rsyslog.com/doc/master/configuration/filters.html) and… well, good luck understanding that, I certainly don’t.
-Adam
Adam Thompson, Consultant, Infrastructure Services, MERLIN, https://www.merlin.mb.ca
From: Lars Joergensen via observium <observium@lists.observium.org>
Sent: January 13, 2023 12:49 PM
To: Observium <observium@observium.org>
Cc: Lars Joergensen <DKLARJ@chr-hansen.com>
Subject: [Observium] Ignore priority 7 syslog
Hi
Some unfortunate soul enabled BGP debugging on a device and then forgot all about it.
I’m now trying to delete 76 million records from the syslog database.
Is there a way to ignore syslog messages with priority 7 in the syslog import in Observium? It’ll probably happen again someday.
Lars
Hi
It happened again and I actually had some free time in the calendar, so I gave it a go.
In the /etc/rsyslog.d/30-observium there is this:
# observium RuleSets
ruleset(name="observium") {
    action(type="omprog"
           binary="/opt/observium/syslog.php"
           template="observium")
    stop
}
I have changed it to this:
ruleset(name="observium") {
    if $syslogseverity <= '5' then action(type="omprog" binary="/opt/observium/syslog.php" template="observium")
    stop
}
As one can probably glean from the stuff above, this filters out severity 6 (informational) and 7 (debug), saving us from millions of rows added to the syslog table daily.
Lars
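The effect of the severity threshold described above can be checked against captured traffic before the rule is deployed. The following is an added example, not code from the thread or from Observium: it decodes the PRI header (facility * 8 + severity) of RFC 3164 lines and tallies, per host, what `$syslogseverity <= 5` would discard. The sample lines and host names are constructed, and keeping lines that have no valid PRI is an assumption of this example.

```python
import re
from collections import Counter

# RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag: message, PRI = facility * 8 + severity
LINE_RE = re.compile(r"^<(\d{1,3})>\w{3}\s+\d{1,2}\s[\d:]{8}\s(\S+)\s")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_SEVERITY = 5  # threshold from the thread's rule: forward severities 0..5 only

# Constructed sample input (not taken from a real device).
SAMPLE = [
    "<191>Feb 16 12:00:01 rtr1 bgpd[812]: debug: KEEPALIVE received from peer",
    "<191>Feb 16 12:00:01 rtr1 bgpd[812]: debug: KEEPALIVE sent to peer",
    "<190>Feb 16 12:00:02 rtr1 bgpd[812]: neighbor timers refreshed",
    "<189>Feb 16 12:00:03 sw2 ifmgr: link state changed to up on port 7",
    "<187>Feb 16 12:00:04 rtr1 bgpd[812]: session to peer reset",
    "<86>Feb 16 12:00:05 fw1 sshd[99]: Accepted publickey for admin",
    "garbage without a PRI header",
]

def parse(line):
    """Return (host, severity) or None when the line has no valid PRI/header."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    return m.group(2), int(m.group(1)) % 8

def would_forward(line, max_severity=MAX_SEVERITY):
    """Mirror of `$syslogseverity <= 5`; unparseable lines are kept (assumption)."""
    parsed = parse(line)
    return parsed is None or parsed[1] <= max_severity

def dropped_by_host(lines, max_severity=MAX_SEVERITY):
    """Count, per (host, severity name), the lines the threshold would discard."""
    counts = Counter()
    for line in lines:
        if not would_forward(line, max_severity):
            host, sev = parse(line)
            counts[(host, SEVERITIES[sev])] += 1
    return counts

if __name__ == "__main__":
    for (host, sev), n in dropped_by_host(SAMPLE).most_common():
        print(f"{host:8} {sev:6} {n}")
```

In the constructed sample the threshold also drops the `fw1` login line, which sshd logs at info level, so a tally like this on real traffic shows what severity 6 contains before it is discarded.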
I've updated the documentation to use this rule as default as 6/7 seems mostly useless noise.
adam.
Lars Joergensen via observium wrote on 16/02/2023 12:39:
Hi
It happened again and I actually had some free time in the calendar, so I gave it a go.
In the /etc/rsyslog.d/30-observium there is this:
# observium RuleSets
ruleset(name="observium") {
action(type="omprog"
binary="/opt/observium/syslog.php"
template="observium")
stop
}
I have changed it to this:
ruleset(name="observium") {
if $syslogseverity <= '5' then action(type="omprog" binary="/opt/observium/syslog.php" template="observium")
stop
}
As one can probably glean from the stuff above, this filters out severity 6 (informational) and 7 (debug), saving us from millions of rows added to the syslog table daily.
Lars
participants (3)
- Adam Armstrong
- Adam Thompson
- Lars Joergensen