AWS rsyslog – Message Drop Filter
The rsyslog message drop filter feature allows you to delete unwanted messages by hostname and tag. This filtering capability is always enabled and can be easily configured by updating a simple JSON file.
To modify the drop rules, follow these steps:
- Log in to the instance where the rsyslog application is installed.
- Navigate to the configuration folder located at /opt/rsyslog/config.
- Use your preferred text editor (such as nano) to open the file named “drop_by_host_tag.lt”. Note: You will need root permissions to edit this file (for example, you can use the command “sudo nano drop_by_host_tag.lt”).
- Make the necessary changes to the file based on your filtering requirements.
The sample file looks as follows:
{
    "version" : 1,
    "nomatch" : "0",
    "type" : "string",
    "table" : [
        {"index" : "localhost dropme", "value" : "1" },
        {"index" : "localhost drop-me", "value" : "1" }
    ]
}
The parts in italics are the actual filters and the parts in bold are the data filtered against.
When configuring filters for the “message drop filter” class in rsyslog, it’s important to understand that each filter consists of two parts: the hostname and the tag.
The first part specifies the hostname to filter for (for example, “localhost”). It’s crucial to note that there should be exactly one space character separating the hostname and the tag. If no space character is given or more than one space is given, the filter will not match any messages.
The second part specifies the message’s syslog tag (for example, “dropme”). It’s essential to keep in mind that neither the hostname nor the tag can contain spaces or any other whitespace characters. This is because such characters are not permitted in hostnames and tags by the relevant RFC, and as such, they will never occur.
If spaces are included, the filter will not match any messages, rendering it ineffective. To ensure that your “message drop filter” class filters work properly, make sure to avoid using spaces or any other whitespace characters in your hostname or tag.
When done editing the file, ensure that each “index” line except the last one ends with a comma. After saving, you can also do a check of the overall configuration by running “rsyslogd -N1” on the command line. Please note that rsyslogd must be sent a HUP to activate the changes.
In later stages of the beta build process, we will at least partly automate the post-edit check and activation procedures.
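As an added example (not part of the original page or of the rsyslog image), the following Python pre-check flags JSON errors such as a missing comma and any "index" that breaks the exactly-one-space rule before rsyslogd is sent a HUP. It assumes the lookup key is built as hostname, one space, tag, and that the value "1" means drop, as the sample file suggests; the function names are hypothetical.

```python
import json

# Sample file from the page, plus a constructed file with three bad entries.
SAMPLE = '''{ "version" : 1, "nomatch" : "0", "type" : "string", "table" : [
  {"index" : "localhost dropme", "value" : "1" },
  {"index" : "localhost drop-me", "value" : "1" } ] }'''
BAD = '''{ "version" : 1, "nomatch" : "0", "type" : "string", "table" : [
  {"index" : "localhost  dropme", "value" : "1" },
  {"index" : "localhostdropme", "value" : "1" },
  {"index" : "localhost drop\\tme", "value" : "1" } ] }'''

def validate_drop_table(text):
    """Return a list of problems in a drop table; an empty list means OK."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON (missing or trailing comma?): {exc}"]
    if not isinstance(doc, dict) or not isinstance(doc.get("table"), list):
        return ['top level must be an object with a "table" list']
    problems = []
    if doc.get("type") != "string":
        problems.append('expected "type" : "string" as in the sample file')
    for n, entry in enumerate(doc["table"], 1):
        index = entry.get("index") if isinstance(entry, dict) else None
        if not isinstance(index, str):
            problems.append(f'entry {n}: missing string "index"')
            continue
        parts = index.split(" ")
        # Exactly one space: two non-empty parts, no other whitespace anywhere.
        if (len(parts) != 2 or not all(parts)
                or any(c.isspace() for p in parts for c in p)):
            problems.append(f"entry {n}: {index!r} is not 'hostname tag'")
    return problems

def would_drop(text, hostname, tag):
    """Emulate an exact-string lookup (assumption: value "1" means drop)."""
    doc = json.loads(text)
    key = f"{hostname} {tag}"
    for entry in doc["table"]:
        if entry["index"] == key:
            return entry["value"] == "1"
    return doc.get("nomatch") == "1"

if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("BAD", BAD)):
        print(name, validate_drop_table(text) or "OK")
```

This check complements “rsyslogd -N1”: it catches filters that are valid JSON but can never match because of their spacing.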