[j-nsp] JunOS Syslog / Excluding Messages

O'Connor, Michael michael.oconnor at txstate.edu
Tue Jan 12 14:51:34 EST 2010


Many thanks,

Appears the following does the trick:
	match "!(.*rt_msg_handler.*|.*rt_entry_.*)";

Which ends up as: 

file messages {
    any notice;
    authorization info;
    match "!(.*RT-HAL,rt_msg_handler.*|.*RT-HAL,rt_entry_.*|.*RT_PFE: RT msg op.*)";
}

Somewhat helpful reference, but no complex examples:
	http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/syslog-messages/syslog-regular-expressions-usage-log-messages-refining.html

-Michael


-----Original Message-----
From: Richmond, Jeff [mailto:Jeff.Richmond at frontiercorp.com] 
Sent: Tuesday, January 12, 2010 11:55 AM
To: O'Connor, Michael; juniper-nsp at puck.nether.net
Subject: RE: JunOS Syslog / Excluding Messages

Michael, just for reference, I wanted to parse out RPM probe data out of messages and put into a separate file, and did it in a similar fashion. I did this a while back so I can't remember if I had to use a period in the regex or not, but depending on the message info, you certainly might need to.

    file messages {
        any any;
        authorization info;
        match "!(.*rmopd.*)";
    }
    file rpmtest.log {
        any any;    
        match .*rmopd.*;
    }              

 -Jeff
________________________________________
From: juniper-nsp-bounces at puck.nether.net [juniper-nsp-bounces at puck.nether.net] On Behalf Of O'Connor, Michael [michael.oconnor at txstate.edu]
Sent: Tuesday, January 12, 2010 8:00 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] JunOS Syslog / Excluding Messages

Greetings,

The following notifications have/had for some time filled my syslog messages file, and according to JTAC (after several cases) are kernel messages that can be ignored and were fixed in JunOS 10.x:

Nov 13 03:00:14  VC_2_Bottom /kernel: RT_PFE: RT msg op 1 (PREFIX ADD) failed, err 5 (Invalid)
Nov 13 03:00:14  VC_2_Bottom fpc2 RT-HAL,rt_entry_add_msg_check,989: unknown vlan index 1
Nov 13 03:00:20  VC_2_Bottom fpc2 RT-HAL,rt_entry_add_msg_check,989: unknown vlan index 1
Nov 13 03:00:20  VC_2_Bottom /kernel: RT_PFE: RT msg op 1 (PREFIX ADD) failed, err 5 (Invalid)
Nov 13 03:00:20  VC_2_Bottom /kernel: RT_PFE: RT msg op 1 (PREFIX ADD) failed, err 5 (Invalid)
Nov 13 03:00:20  VC_2_Bottom fpc3 RT-HAL,rt_entry_add_msg_check,989: unknown vlan index 1
Nov 13 03:00:22  VC_2_Bottom fpc2 RT-HAL,rt_entry_add_msg_check,989: unknown vlan index 1

Without the luxury or want of a code upgrade (due to buggy virtual-chassis code) I'm left with trying to parse the unwanted messages. (We're running code that is unaffected by the recently released security bulletin)

The following config line was provided by JTAC to alleviate those particular messages to no avail:
                #set system syslog file messages match <"!*RT-HAL,rt_msg_handler,403: route check failed* | *RT_PFE: RT msg* | *RT-HAL,rt_entry_add_msg_check*"

I've left the devices with the following configured, and thought I had resolved the problem until some planned maintenance that should have generated some log messages did not populate. Turns out this has killed any notifications to the file.

file messages {
    any notice;
    authorization info;
    match "<!*rt_msg_handler*|<!*rt_entry_add_msg_check*|<!*RT msg op*";
}

Curious if anyone can point me in the right direction with a regexp that will kill the unwanted messages, and/or if anyone has experienced similar issues.

Thanks,
Michael

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
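
An offline check of the three match expressions from this thread, added here as an example (it is not code from either poster or from Juniper). It assumes that a leading `!` logs only the lines that do not match the rest of the expression, as the working configs above use it, and that Python's `re` is a close enough stand-in for the device's regex engine for these patterns. The `KEEP` lines and the `rt_msg_handler` line are constructed samples.

```python
import re

# Noise the filter should drop: two lines quoted in the thread, one constructed.
NOISE = [
    "Nov 13 03:00:14  VC_2_Bottom /kernel: RT_PFE: RT msg op 1 (PREFIX ADD) failed, err 5 (Invalid)",
    "Nov 13 03:00:14  VC_2_Bottom fpc2 RT-HAL,rt_entry_add_msg_check,989: unknown vlan index 1",
    # Constructed from the message text in the JTAC-supplied pattern.
    "Nov 13 03:00:25  VC_2_Bottom fpc2 RT-HAL,rt_msg_handler,403: route check failed",
]
# Constructed lines that must remain visible (change and login records).
KEEP = [
    "Nov 13 03:05:01  VC_2_Bottom mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation",
    "Nov 13 03:05:09  VC_2_Bottom sshd[2345]: Accepted password for admin from 192.0.2.10 port 50022 ssh2",
]

# The three match strings exactly as they appear in the thread.
FILTERS = {
    "original": "<!*rt_msg_handler*|<!*rt_entry_add_msg_check*|<!*RT msg op*",
    "short": "!(.*rt_msg_handler.*|.*rt_entry_.*)",
    "final": "!(.*RT-HAL,rt_msg_handler.*|.*RT-HAL,rt_entry_.*|.*RT_PFE: RT msg op.*)",
}

def is_logged(match_expr, line):
    """Assumed model: a leading '!' logs only lines that do NOT match the rest."""
    negate = match_expr.startswith("!")
    pattern = match_expr[1:] if negate else match_expr
    hit = re.search(pattern, line) is not None
    return hit != negate

def audit(match_expr):
    """Return (noise lines still logged, wanted lines suppressed)."""
    leaked = [l for l in NOISE if is_logged(match_expr, l)]
    lost = [l for l in KEEP if not is_logged(match_expr, l)]
    return leaked, lost

if __name__ == "__main__":
    for name, expr in FILTERS.items():
        leaked, lost = audit(expr)
        print(f"{name:9} noise still logged: {len(leaked)}  wanted lines lost: {len(lost)}")
```

Under this model the original `<!*...` expression is a positive match that requires a literal `<`, so every sample line is dropped, while the short `!(...)` form still lets the `RT_PFE` kernel line through.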

