
Hello,

I noticed a strange thing; maybe anyone can explain.

I have 3 syslog sources: syslog:514:, syslog:51402: and syslog:51403:

Three routes for these sources, each with a different pipeline attached. The order of the routes is 514, then 51402 and last 51403.

The filters in the routes are:

__inputId.startsWith('syslog:514:') && __srcIpPort.includes('10.10.1.112')

__inputId.startsWith('syslog:51402:') && __srcIpPort.includes('10.10.1.112')

__inputId.startsWith('syslog:51403:') && __srcIpPort.includes('10.10.1.112')

(same host with different syslog outputs)

In this order the 514 port gets a load of events, the 51402 fewer and the 51403 nothing. That surprised me, because when I check the source side I can capture 51403 events from this source IP.

As a test I moved the 514 route after the 51403 route. Just a feeling, but what?! The 51403 suddenly gets all the events it was missing.

And here it gets strange. It is just as if the 514 filter takes all the events from the 51403. But why didn't it take the events from the 51402? And to make it stranger, the events from the 51403 were nowhere to be found.

Is it the filter? Is it a bug (version 4.8.2)? Maybe it is solved in 4.9?

Anybody an answer?

Greetings

Jari

You didn't let us know which, if any, routes have the Final flag checked. That will impact the way the data flows.


It sounds like the 514 route is matching events it shouldn't. Take a closer look at the inputIds and filters: for example, make sure there is a trailing : on the 514 source, and make sure all the incoming events match it.

Test using different filters, e.g. __inputId.match(/^syslog:514[^0]/), and see if you can get the same behaviour.
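To make the trailing-colon point and the Final-flag behaviour concrete, here is an added example (not from the thread or from Cribl itself) that models ordered routes with Final and runs the three filters over constructed events. The input ids and source IP are the ones in the post; the pipeline names and the sample events are made up.

```javascript
// Added example, not part of the thread: a minimal model of route evaluation
// (ordered routes, one filter expression per route, Final stops further matching).
// Input ids and the source IP come from the post; pipeline names are made up.
function routeEvents(routes, events) {
  const byPipeline = Object.fromEntries(routes.map((r) => [r.pipeline, 0]));
  let unmatched = 0;
  for (const ev of events) {
    let matched = false;
    for (const r of routes) {
      if (!r.filter(ev)) continue;          // filter is a JS expression over event fields
      byPipeline[r.pipeline] += 1;
      matched = true;
      if (r.final) break;                   // Final: no later route sees this event
    }
    if (!matched) unmatched += 1;
  }
  return { byPipeline, unmatched };
}

const fromHost = (ev) => ev.__srcIpPort.includes("10.10.1.112");

// Filters exactly as written in the thread, with the trailing ':'.
const strictRoutes = [
  { pipeline: "p514",   final: true, filter: (ev) => ev.__inputId.startsWith("syslog:514:") && fromHost(ev) },
  { pipeline: "p51402", final: true, filter: (ev) => ev.__inputId.startsWith("syslog:51402:") && fromHost(ev) },
  { pipeline: "p51403", final: true, filter: (ev) => ev.__inputId.startsWith("syslog:51403:") && fromHost(ev) },
];

// Same routes with the ':' dropped from the first filter: "syslog:514" is also a
// prefix of "syslog:51402:" and "syslog:51403:", and because the route is Final
// those events never reach their own routes.
const sloppyRoutes = strictRoutes.map((r, i) =>
  i === 0 ? { ...r, filter: (ev) => ev.__inputId.startsWith("syslog:514") && fromHost(ev) } : r);

// The regex alternative suggested in the reply: any character after "514" except a 0.
const regexRoutes = strictRoutes.map((r, i) =>
  i === 0 ? { ...r, filter: (ev) => /^syslog:514[^0]/.test(ev.__inputId) && fromHost(ev) } : r);

// Constructed sample events; __inputId is "<input type>:<input id>:" as in the post.
const events = [
  { __inputId: "syslog:514:",   __srcIpPort: "10.10.1.112:40001", _raw: "event a" },
  { __inputId: "syslog:51402:", __srcIpPort: "10.10.1.112:40002", _raw: "event b" },
  { __inputId: "syslog:51403:", __srcIpPort: "10.10.1.112:40003", _raw: "event c" },
  { __inputId: "syslog:51403:", __srcIpPort: "10.10.2.5:40004",   _raw: "event d" }, // other host, no route
];

console.log(routeEvents(strictRoutes, events)); // p514: 1, p51402: 1, p51403: 1, unmatched: 1
console.log(routeEvents(sloppyRoutes, events)); // p514: 3, p51402: 0, p51403: 0, unmatched: 1
console.log(routeEvents(regexRoutes, events));  // same counts as strictRoutes
```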


The 514: route is indeed final, as are the 51402 and the 51403 routes.

Every filter has a trailing :, so as far as I know this is the right way.

At this moment it is solved by changing the order, but I am curious what it is. It doesn't make sense that it filters the 51403 but not the 51402, plus why does it filter at all? Only 514: is needed.

I did check other worker groups and routes, but luckily this is the only one with this combination.


Can you provide a screencap of your configuration?


[screenshot of the route configuration attached]

I have erased specific parts for security. It is about 14, 16 and 18.


EDIT: I see you have groupings in place

One pro tip: I prefer using the fields definition in the input config to define a field that you can filter on.

