Hello,
I am trying to create a complex filter that will discard messages from a device and ports. For example:
router name: "c-office-chg1"
Ports: "FastEthernet1/0/1" "FastEthernet1/0/2" "FastEthernet1/0/3"
and it seems not to be working.
Can you provide an example of the message that Kiwi is receiving? Also, post what you’re typing into the Include/Exclude filters.
If you could explain what it’s currently doing, that might also help someone determine what the problem is. Is it just not filtering out the messages you want it to? Or is it filtering out everything instead? Etc…
The syslog file on the machine running kiwisyslog shows:
2014-06-30 14:04:25 Local7.Notice c-office-chg1 7285: Jun 30 14:04:21.357 CSD: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
2014-06-30 14:04:28 Local7.Error c-office-chg1 7286: Jun 30 14:04:22.355 CSD: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
It's not filtering out the message or, as I explained, discarding the message.
I apologize, I was responding via E-mail and didn't notice the image link. I have to log in to view them. Your filter seems fine compared with the syslog message sample you provided.
Do you have any other filters in the same rule? And if so, what type? Screenshots for those would be helpful.
No I don't have any other filters on the same rule but you did give me an idea. I created 2 filters. 1 for the hostname and 1 for the ports and the action is to discard it. I will test and let you know if it worked.
That might make a difference, but it shouldn’t.
The reason I asked about other filters is because Include filters exclude everything else, and Exclude filters include everything else. It always seemed a little backwards to me, and I’ve seen others on the forums that get confused by the way it works.
If you didn’t have any other filters on that rule though, I’m not sure why it wasn’t working. It looks like it should work based on the screenshots you provided and your sample message. The only other thing I could think of is perhaps a previous rule that either stops processing the messages, or handles the messages in the same way that you’re using to verify that your current rule is not working.
So this has been tested and it worked!!! So the rule has 2 filters. 1 for the hostname and 1 for the port. It discards the message and writes it on a txt file for me. Thanks for your help.
Well, you’re welcome, but I didn’t really help.
Your first rule should have worked, the complex filter is essentially read as:
Include (“” OR “” OR “” OR “”) AND (“” OR “” OR “” OR “”)
At least that’s my understanding of it and how I’ve seen it work.
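The two rules of thumb in this thread (an Include filter drops everything it does not match, an Exclude filter keeps everything it does not match, and the filters inside one rule are ANDed) are easy to check against the sample lines from the log file. The following is an added example written for this thread, not Kiwi Syslog's own code; it is a small model of those semantics in Python. The log lines are the two posted above plus three constructed ones (port 1/0/9, port 1/0/10 and a second host `c-office-chg2`) so that the non-matching cases are visible, and the function and filter names are the example's own.

```python
import re

# Constructed sample log: the two lines posted in the thread plus three
# extra lines (port 1/0/9, port 1/0/10, a second host) to show non-matches.
SAMPLE_LOG = """\
2014-06-30 14:04:25 Local7.Notice c-office-chg1 7285: Jun 30 14:04:21.357 CSD: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
2014-06-30 14:04:28 Local7.Error c-office-chg1 7286: Jun 30 14:04:22.355 CSD: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
2014-06-30 14:05:02 Local7.Error c-office-chg1 7287: Jun 30 14:04:58.101 CSD: %LINK-3-UPDOWN: Interface FastEthernet1/0/9, changed state to down
2014-06-30 14:05:05 Local7.Error c-office-chg1 7288: Jun 30 14:05:01.440 CSD: %LINK-3-UPDOWN: Interface FastEthernet1/0/10, changed state to down
2014-06-30 14:05:10 Local7.Error c-office-chg2 4410: Jun 30 14:05:06.220 CSD: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
"""

# Layout of the text file shown in the thread: date, time, priority, host, text.
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<prio>\S+) (?P<host>\S+) (?P<text>.*)$")


def parse_line(line):
    """Split one log line into its fields; None for lines that do not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def _term_in(term, value):
    # A plain substring test would let "FastEthernet1/0/1" also hit
    # "FastEthernet1/0/10"; require that no further digit follows the term.
    return re.search(re.escape(term) + r"(?!\d)", value) is not None


def include_filter(field, terms):
    """Model of an Include filter: true when ANY term is found in the field
    (the ORs inside one set of parentheses); any other message fails the rule."""
    return lambda msg: any(_term_in(t, msg[field]) for t in terms)


def exclude_filter(field, terms):
    """Model of an Exclude filter: true when NO term is found, so every
    other message passes through the rule."""
    return lambda msg: not any(_term_in(t, msg[field]) for t in terms)


def rule_matches(msg, filters):
    # Filters within one rule are ANDed, as the last post describes.
    return all(f(msg) for f in filters)


def run_discard_rule(log_text, filters):
    """Return (kept, discarded) message dicts for a rule whose action is Discard."""
    kept, discarded = [], []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg is None:
            continue
        (discarded if rule_matches(msg, filters) else kept).append(msg)
    return kept, discarded


# The rule from the thread: one filter for the hostname, one for the ports.
DISCARD_RULE = [
    include_filter("host", ["c-office-chg1"]),
    include_filter("text", ["FastEthernet1/0/1", "FastEthernet1/0/2", "FastEthernet1/0/3"]),
]

if __name__ == "__main__":
    kept, discarded = run_discard_rule(SAMPLE_LOG, DISCARD_RULE)
    for m in discarded:
        print("DISCARD", m["host"], m["text"][:60])
    for m in kept:
        print("KEEP   ", m["host"], m["text"][:60])
```

Running it discards only the two posted lines (host `c-office-chg1` AND one of the three ports) and keeps the port 1/0/9 line, the port 1/0/10 line and the `c-office-chg2` line. The port 1/0/10 case is worth keeping in mind when the real filter is a substring match: a term like `FastEthernet1/0/1` can also match `FastEthernet1/0/10` through `FastEthernet1/0/19`, so a terminating character (the comma in these messages) may be needed in the filter text.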