Scribe Where is the routers source/original unfiltered syslog

[Weblee2407]

I have set up several filters to extract certain messages from the syslog. I want to see those events in context but cannot locate the original syslog file that is parsed by Scribe. Can anyone give me a pointer?

 

[cmkelley]

I have set up several filters to extract certain messages from the syslog. I want to see those events in context but cannot locate the original syslog file that is parsed by Scribe. Can anyone give me a pointer?

There is none. syslog or syslog-ng is the facility that parses the log messages from the kernel, programs, etc. into a file (syslogd) or files (syslog-ng). You would need to create a filter similar to the A00remote filter in /opt/share/syslog-ng/examples to pass every entry to a single file but not mark it as final. Name it so it's the first one read e.g. A01local_all or something like that so no entries are stripped out before it get to that one, since they are loaded (and therefore parsed) in alpha-numeric order. You'd need a logrotate file for as well.

Just as matter of completeness, scribe itself doesn't parse any log messages. scribe only installs syslog-ng and logrotate, and adds some system hooks to ensure syslogd and klogd are killed if / when they get started.

 

[Weblee2407]

Thank you for the information.

 

[elorimer]

I assume you are separating out these particular messages into their own files but want to go back and see in the whole raw sequence what surrounds them. If you wanted to, you could define a template for those particular messages and add some text that highlights them as they are written to that raw file; something like "--->" before each message. Or you could write them that way to messages and use that as the raw sequence rather than the balance of what hasn't been extracted.