Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Syslog filter for VMware data

MikeVenable
Path Finder
‎03-25-2020 09:23 PM

I am trying to make a filter that will filter out all VPXD, VPXA, and HOSTD data coming in from VM hosts. Below is excel sheet I use to define log use cases, green means I want to continue ingesting, yellow means I want to filter outalt text

Below is what the VPXA message looks when hitting port 514 on the the syslog server:
Msg: 2020-03-26T04:09:53.295Z MyDomainName.com Vpxa: verbose vpxa[9164B70] [Originator@6876 sub=VpxaHalCnxHostagent opID=WFU-357897ba] Received WaitForUpdatesDone callback\0x0a

Below is what the HOSTD message looks when hitting port 514 on the the syslog server:
Msg: 2020-03-26T04:13:31.559Z MyDomainName.com Hostd: verbose hostd[FFC1B70] [Originator@6876 sub=PropertyProvider] RecordOp ASSIGN: guest.disk, 40. Sent notification immediately.\0x0a

Below is my current filter in place, I filter on hostname, I still want to do this. I just want it to drop any message with the HOSTD or VPXA process and keep everything else.
alt text

Thanks for the help!

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mansourireza
Explorer
‎03-30-2020 02:17 PM

Try this:

syslog-ng version 2.1 and earlier :

filter f_faresx { match("far-esx" value("HOST")) and not match("vpxa") and not match("hostd");

syslog-ng versions newer than 2.1r:

 filter f_faresx { match("far-esx" value("HOST")) and not message("vpxa") and not message("hostd");

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mansourireza
Explorer
‎03-30-2020 02:17 PM

Try this:

syslog-ng version 2.1 and earlier :

filter f_faresx { match("far-esx" value("HOST")) and not match("vpxa") and not match("hostd");

syslog-ng versions newer than 2.1r:

 filter f_faresx { match("far-esx" value("HOST")) and not message("vpxa") and not message("hostd");

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...