In the following list of system log messages:
# tail -9 /var/log/messages
Oct 9 14:15:39 machine1 puppet-agent[14371]: Finished catalog run in 6.68 seconds
Oct 9 14:45:31 machine1 puppet-agent[12234]: The package type's allow_virtual parameter will be changing its default value from false to true in a future release. If you do not want to allow virtual packages, please explicitly set allow_virtual to false.
Oct 9 14:45:31 machine1 puppet-agent[100174]: (at /usr/share/ruby/vendor_ruby/puppet/type.rb:816:in `set_default')
Oct 9 14:45:32 machine1 auditd[1084]: Audit daemon rotating log files
Oct 9 14:45:37 machine1 puppet-agent[100174]: Finished catalog run in 5.71 seconds
Oct 9 15:15:30 machine1 puppet-agent[102964]: The package type's allow_virtual parameter will be changing its default value from false to true in a future release. If you do not want to allow virtual packages, please explicitly set allow_virtual to false.
Oct 9 15:15:30 machine1 puppet-agent[102964]: (at /usr/share/ruby/vendor_ruby/puppet/type.rb:816:in `set_default')
Oct 9 15:15:37 machine1 puppet-agent[102964]: Finished catalog run in 6.31 seconds
Oct 9 15:21:17 machine1 su: (to root) user1 on pts/0
Example tags are puppet-agent[14371], auditd[1084], su, etc. ...
To filter system log messages by tag without the process id, we use the program filter, as shown below:
filter tag_based { program("puppet-agent"); };  # program name as it appears in the log (puppet-agent, with a hyphen), quoted
However, each tag may or may not have a process id appended, as in the messages above.
How do I filter on a tag whether or not a process ID is appended?
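The point behind the question is that in the BSD syslog (RFC 3164) header the tag is `program` optionally followed by `[pid]`, and syslog-ng's `program()` filter is matched against the program part only, so the presence or absence of a PID does not affect it. The following is an added example, not code from the original post or from syslog-ng: it parses lines of the form shown above, splits the tag into program and optional PID, and emulates the `program()` filter over a constructed sample.

```python
import re
from typing import NamedTuple, Optional, List

# Constructed sample in the same format as the lines in the question.
SAMPLE_LOG = """\
Oct 9 14:15:39 machine1 puppet-agent[14371]: Finished catalog run in 6.68 seconds
Oct 9 14:45:32 machine1 auditd[1084]: Audit daemon rotating log files
Oct 9 15:15:37 machine1 puppet-agent[102964]: Finished catalog run in 6.31 seconds
Oct 9 15:21:17 machine1 su: (to root) user1 on pts/0
"""

class SyslogMsg(NamedTuple):
    host: str
    program: str
    pid: Optional[int]   # None when the tag carries no "[pid]" part
    message: str

# BSD syslog TAG: a program name, optionally "[pid]", then ":".
# The day of month is space padded ("Oct  9"), so allow one or more spaces.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

def parse_line(line: str) -> Optional[SyslogMsg]:
    """Split one syslog line into host, program, optional pid and message."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pid = int(m.group("pid")) if m.group("pid") else None
    return SyslogMsg(m.group("host"), m.group("program"), pid, m.group("msg"))

def program_filter(lines: List[str], pattern: str) -> List[SyslogMsg]:
    """Emulate syslog-ng's program() filter: a regex search against the
    program name alone, so "[pid]" present or absent makes no difference.
    Anchor the pattern (^...$) for an exact name match, as in syslog-ng."""
    prog_re = re.compile(pattern)
    return [msg for msg in (parse_line(l) for l in lines)
            if msg is not None and prog_re.search(msg.program)]
```

Running `program_filter(SAMPLE_LOG.splitlines(), "^puppet-agent$")` returns both puppet-agent lines although their PIDs differ, and `"^su$"` returns the su line that has no PID at all.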