Exclude some text from log output with syslog-ng - syslog-ng

I have a log message
"2020-11-06T14:28:19.171900+0000 Host-9999 1889 1889 DBG some part of the log"
Is it possible to filter messages like this with syslog-ng functionality to get output such as
"DBG some part of the log"
Basically I need to exclude the date, host, pid, pid from every log message.

I tried it with the rewrite function and a regex:
rewrite test {
    subst("^.{0,54}", " ", value("MSG"));
};
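As an added check (not part of the original question), the following Python script runs the question's fixed-width pattern and a field-based alternative over constructed sample messages. The field-based pattern only uses \d and \S, so the same string is valid PCRE for syslog-ng's subst() with type("pcre"); the sample messages and the second, longer hostname are made up to show where a fixed character count breaks.

```python
import re

# Constructed sample messages in the shape the question describes (timestamp, host, pid, pid,
# payload); the second has a longer hostname and wider pids, the third has no prefix at all.
SAMPLES = [
    "2020-11-06T14:28:19.171900+0000 Host-9999 1889 1889 DBG some part of the log",
    "2020-11-06T14:28:20.000001+0000 longer-hostname-01 12345 12345 INFO another line",
    "DBG already stripped",
]

# The fixed-width approach from the question: drop up to 54 characters, whatever they are.
FIXED_WIDTH = re.compile(r"^.{0,54}")

# Field-based prefix: an ISO-8601 timestamp, a hostname and two numeric fields, each followed
# by one space.  Only \d and \S are used, so the pattern is valid PCRE for syslog-ng's subst()
# as well as valid Python.
PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2}T\S+ \S+ \d+ \d+ ")


def strip_fixed_width(msg):
    """What the question's subst("^.{0,54}", " ", ...) produces."""
    return FIXED_WIDTH.sub(" ", msg, count=1)


def strip_prefix(msg):
    """Remove the header fields only when they are actually present; otherwise leave the
    message untouched."""
    return PREFIX.sub("", msg, count=1)


if __name__ == "__main__":
    for msg in SAMPLES:
        print(repr(strip_fixed_width(msg)), "|", repr(strip_prefix(msg)))
```

On the message from the question the header is 52 characters long, so `^.{0,54}` also eats the "DB" of "DBG", and a hostname or pid of a different width moves the cut somewhere else entirely; a message that carries no header is reduced to a single space. The field-based pattern strips exactly the four header fields and leaves anything else alone. In a syslog-ng configuration the same pattern is written with doubled backslashes inside a double-quoted string, e.g. `subst("^\\d{4}-\\d{2}-\\d{2}T\\S+ \\S+ \\d+ \\d+ ", "", value("MSG"), type("pcre"));`.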

Related

Bro / Zeek debugging logs?

Is there any way to see more debugging info with Bro / Zeek?
Here's what I know of so far.
Logs on Manager, & workers (Stderr.log, Stdout.log)
broctl status
broctl diag
broctl print, & peerstatus both hang, so are of no use for debugging
broctl top
I have a number of errors with my Bro installation, yet the logs show nothing is wrong. I assume there are some hidden debug flags or something, or some logs that can shed some light, but I can't find them.
broctl peerstatus hangs, as well as print
stderr, and stdout show no issues
The only logs are stats, reporter, cluster, broker, stderr, and stdout
No conn logs, or any of the others
I found this link about peerstatus hanging, which implies there is a way to turn on debugging in broccoli, just not sure that's the right path.
http://mailman.icsi.berkeley.edu/pipermail/zeek/2016-December/011149.html
Yes, if you build your Zeek with --enable-debug, then there's an additional command-line option that lets you enable/disable several debug streams:
$ zeek --help
...
-B|--debug <dbgstreams> | Enable debugging output for selected streams ('-B help' for help)
$ zeek -B help
Enable debug output into debug.log with -B <streams>.
<streams> is a comma-separated list of streams to enable.
Available streams:
serial
rules
state
chunkedio
string
notifiers
main-loop
dpd
tm
logging
input
threading
file_analysis
plugins
zeekygen
pktio
broker
scripts
plugin-<plugin-name> (replace '::' in name with '-'; e.g., '-B plugin-Bro-Netmap')
Pseudo streams
verbose Increase verbosity.
all Enable all streams at maximum verbosity.
For each of the streams you enable, you'll then find corresponding entries in debug.log:
$ zeek -B all -r test.pcap
$ head debug.log
0.000000/1559682553.492973 [zeekygen] Made ScriptInfo base/init-bare.zeek
0.000000/1559682553.492997 [scripts] Loading /home/christian/inst/opt/zeek/share/bro//base/init-bare.zeek
0.000000/1559682553.493094 [serial] Write bool true [true]
0.000000/1559682553.493099 [serial] bool SerialObj::Serialize(SerialInfo*) const [0x3668000, new pid 0, tid 528948]
0.000000/1559682553.493103 [serial] -- Caching
0.000000/1559682553.493105 [serial] Write bool true [full]
0.000000/1559682553.493122 [serial] Write uint64 0 [pid]
0.000000/1559682553.493126 [serial] virtual bool EnumType::DoSerialize(SerialInfo*) const
0.000000/1559682553.493128 [serial] virtual bool BroType::DoSerialize(SerialInfo*) const
0.000000/1559682553.493131 [serial] virtual bool BroObj::DoSerialize(SerialInfo*) const

My Apache 2 error log contains all error message lines split into individual characters

I mean, all error messages are split into one-character lines in my error_log. For example, if the error message of my CGI application is "Error", I can see 5 lines of text, one line for every character of the error message, each appended with the referer and some other time information. My error messages come from a forked cURL process and contain \r (carriage return) characters because of the download progress indicator. What can I do to get the error output / stderr of my cURL processes really line-by-line?
Fortunately I managed to find the solution with Open3.popen3 from the stdlib:
require "open3"

cmd = %Q{curl -b cookie.txt 'http://www.example.com/file/afancyfileid/yetanotherfilename.avi' -L -O -J}
Open3.popen3(cmd) { |stdin, stdout, stderr, wait_thr|
  pid = wait_thr.pid # pid of the started process
  line_no = 0
  # curl's progress meter separates its updates with \r instead of \n,
  # so read stderr character by character and treat each \r as a line break.
  stderr.each_char do |c|
    if c == "\r" then
      line_no += 1
      STDERR.puts if line_no % 5 == 0
    else
      STDERR.print c if line_no % 5 == 0
    end
  end
  exit_status = wait_thr.value
}
I print only every 5th line so that my error_log does not grow so fast.

Procmail sends an extra email

I use procmail to forward certain 'From' to a Gmail account
/home/user/.procmailrc
:0c
* !^FROM_MAILER
* ^From: .*aaa | bbb | ccc.*
! ^X-Loop: user#gmail\.com
| formail -k -X "From:" -X "Subject:" \
-I "To: user#gmail.com" \
-I "X-Loop: user#gmail.com"
:0
* ^From: .*aaa | bbb | ccc.*
$DEFAULT
This works fine, but in my server inbox I also get an 'undelivered' mail:
The mail system <"^X-Loop:"#my-name-server.com> (expanded from
<"^X-Loop:">): unknown user:
"^x-loop:"
How can I avoid this?
I've tried to delete these mails. This is not the best way, and anyway it does not work:
:0B * <"\^X-Loop:"#my-name-server.com>
/dev/null
The recipe contains multiple syntax errors, but the bounce message comes because you lack an asterisk on one of the condition lines, which makes it an action line instead.
The general syntax of a Procmail recipe is
:0flags # "prelude", with optional flags
* condition # optional, can have zero conditions
* condition # ...
action
The action can be a mailbox name, or ! followed by a destination mailbox to forward the message to, or | followed by a shell pipeline.
So your first recipe is "If not from mailer and matching From: ..., forward to ^X-Loop:".
The | formail ... line after that is then simply a syntax error and ignored, because it needs to come after a prelude line :0 and (optionally) some condition lines.
Additionally, the ^From: regex is clearly wrong. It will match From: .*aaa or bbb (with spaces on both sides, in any header, not just the From: header) or ccc.
Finally, the intent is apparently to actually forward the resulting message somewhere.
:0c
* ! ^FROM_MAILER
* ^From:(.*\<)?(aaa|bbb|ccc)
* ! ^X-Loop: user#gmail\.com
| formail -I "X-Loop: user#gmail.com" | $SENDMAIL $SENDMAILFLAGS user#gmail.com
If you simply want to forward the incoming message, the other -X and -I and certainly -k options are superfluous or wrong. If they do accomplish something which is irrelevant for this question, maybe you need to add some or all of them back (and also remember to extract with -X any new headers you add with -I, as otherwise they will be suppressed; this sucks).
Your second recipe is also superfluous, unless you have more Procmail recipes later in the file which should specifically be bypassed for these messages. (If so, you will need to fix the From: regex there as well.)

connecting to switch via ssh using expect

I'm trying to run a script to connect to a ProCurve 4204vl switch using expect.
This is the code I created:
#!/usr/bin/expect -f
set timeout 20
spawn ssh -l user 192.168.0.10
expect "user#192.168.0.10's password:"
send "1234"
send "\r"
expect "Press any key to continue"
send "j\r"
send "conf"
send "\r"
send "no ip route 89.19.238.2 255.255.255.255 192.168.0.12"
send "\r"
send "exit"
send "\r"
send "exit"
send "\r"
send "exit"
send "\r"
expect "Do you want to log out [y/n]?"
send "y"
I run this simply with expect script.exp, and the problem is that I get these errors:
the route is not deleted
I got the following error on screen after the script execution finished:
Press any key to continue invalid command name "y/n"
while executing
"y/n"
invoked from within
"expect "Do you want to log out [y/n]?""
(file "script.exp" line 19)
So, how could I solve this problem?
Thank you.
PS: if I comment all the "exit" lines and also the log out question, then add a last line with the "interact" command, the script works fine.
For route not deleted, what output is the program giving you? Do you see any errors from the router?
In expect and Tcl the square brackets are the syntax to execute a command, quite like backticks in the shell. The simplest solution is to use braces instead of double quotes to prevent command interpolation:
expect {Do you want to log out [y/n]?}
Braces act like single quotes in the shell.
send "logout\r"
expect {
    "Do you want to log out" {
        send "yy"
        exp_continue
    } "Do you want to save current configuration" {
        set result $expect_out(0,string);
        puts "save..."
        send "y"
        puts "ok"
    } eof {
        puts "end of script"
    }
}
What worked for me is to use a regex (the -re argument) and avoid using the characters [] in the expression:
expect -re "Do you want to log out"
It's also useful because if the output from the command is too long or dynamic, a static expression is limiting.

How to understand Exim log file?

Can someone help me understand the Exim log file, and also point me to good documentation about its log?
LINE 1
2010-12-05 17:30:15 1PPKHn-0003mA-5w <= username=example.com.br--4219--bounce#mydomain.com.br H=myserver.com.br () [174.120.195.18] P=esmtpa A=dovecot_plain:email#e-mydomain.com.br S=3851 id=4cfbe84724135_7b201579466da9b433988131#myserver.com.br.tmail
LINE 2
2010-12-05 17:30:12 H=mydomain.com.br () [111.111.111.11] Warning: Sender rate 1455.2 / 1h
LINE 3
2010-12-05 17:30:12 1PPGo3-00010A-FL == super#domain.in R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
Also, how can I parse the Exim log file to know which ISP (e.g. hotmail.com, gmail.com) is blocking my server IP?
Exim logs message arrivals and deliveries in a compact format, described here, in the online documentation. The log files are configurable so you can add or remove information using the log_selector option.
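To illustrate the compact format and the second question (which remote domains are refusing mail), here is an added Python example, not part of the original answer or of Exim itself. It splits main-log lines into timestamp, message id, flag, address and key=value fields, then counts deferred (==) and permanently failed (**) remote_smtp deliveries per recipient domain. The log lines are constructed in the same shape as the ones in the question, using reserved .example names and documentation IP ranges; the 550 rejection text is made up.

```python
import re
from collections import defaultdict

# Constructed Exim main-log lines (hosts and addresses use reserved .example names and
# documentation IP ranges; the rejection text is made up for illustration).
SAMPLE_LOG = """\
2010-12-05 17:30:15 1PPKHn-0003mA-5w <= bounce@mydomain.example H=myserver.example () [192.0.2.10] P=esmtpa A=dovecot_plain:mail@mydomain.example S=3851 id=abc123@myserver.example
2010-12-05 17:30:12 H=mydomain.example () [192.0.2.11] Warning: Sender rate 1455.2 / 1h
2010-12-05 17:30:12 1PPGo3-00010A-FL == user@domain.example R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2010-12-05 17:31:02 1PPGo4-00010B-GM ** alice@hotmail.example R=lookuphost T=remote_smtp H=mx.hotmail.example [203.0.113.5]: SMTP error from remote mail server after RCPT TO:<alice@hotmail.example>: 550 5.7.1 Service unavailable; client host blocked
2010-12-05 17:31:05 1PPGo5-00010C-HN => bob@gmail.example R=lookuphost T=remote_smtp H=mx.gmail.example [203.0.113.6]
2010-12-05 17:31:09 1PPGo6-00010D-IO ** carol@hotmail.example R=lookuphost T=remote_smtp H=mx.hotmail.example [203.0.113.5]: SMTP error from remote mail server after RCPT TO:<carol@hotmail.example>: 550 5.7.1 Service unavailable; client host blocked
"""

# Layout of a main-log line: timestamp, optional message id, optional flag plus address,
# then key=value fields and free text.  Flags: <= arrival, => delivery, -> additional
# recipient of the same delivery, == deferral, ** permanent failure.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) )?"
    r"(?:(?P<flag><=|=>|->|==|\*\*) (?P<addr>\S+) )?"
    r"(?P<rest>.*)$"
)
# key=value fields such as H=..., P=esmtpa, S=3851; a field starts at a whitespace boundary.
FIELD_RE = re.compile(r"(?<!\S)([A-Za-z]+)=(\S+)")


def parse_line(line):
    """Split one main-log line into timestamp, message id, flag, address and fields."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m["rest"]
    return {
        "ts": m["ts"],
        "id": m["id"],
        "flag": m["flag"],
        "addr": m["addr"],
        "fields": dict(FIELD_RE.findall(rest)),
        "rest": rest,
    }


def reason_text(rest):
    """Free text after the fields: Exim puts the defer/failure reason after the first ': '
    (e.g. 'defer (-53): ...' or the remote host's '[ip]: SMTP error ...')."""
    _, sep, reason = rest.partition(": ")
    return reason if sep else rest


def blocking_report(log_text):
    """Per recipient domain, count deferred (==) and permanently failed (**) remote
    deliveries and collect the distinct reasons, so a domain that keeps rejecting or
    deferring your mail stands out."""
    report = defaultdict(lambda: {"defer": 0, "fail": 0, "reasons": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["flag"] not in ("==", "**"):
            continue
        if rec["fields"].get("T") != "remote_smtp":
            continue  # local deliveries say nothing about remote blocking
        domain = rec["addr"].rpartition("@")[2].lower()
        entry = report[domain]
        entry["defer" if rec["flag"] == "==" else "fail"] += 1
        entry["reasons"].add(reason_text(rec["rest"]))
    return dict(report)


if __name__ == "__main__":
    for domain, stats in sorted(blocking_report(SAMPLE_LOG).items()):
        print(f"{domain}: {stats['fail']} failed, {stats['defer']} deferred")
        for reason in sorted(stats["reasons"]):
            print(f"    {reason}")
```

Run it against a real /var/log/exim_mainlog by reading the file into blocking_report(); a domain with a high failure count and 5xx reasons mentioning blocking or reputation is the one refusing your server IP, while defer counts with "retry time not reached" only mean Exim is waiting between attempts. Lines without a flag (the sender-rate warning, for instance) are parsed but ignored by the report.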