If I simply search for “%SYS-5-CONFIG_I:” I get results which seem like logs from Elasticsearch and MongoDB, see below. The syslog I am interested in is listed after the Elasticsearch and MongoDB logs. I have been able to eliminate these extra logs by changing my search to “%SYS-5-CONFIG_I:” AND NOT (source:elasticsearch OR source:mongodb)
Is there a way to set a default to eliminate the Elasticsearch and MongoDB logs? Not sure why this is happening.
Thank you,
Ex: from Elasticsearch:
Caused by: org.apache.lucene.queryparser.classic.ParseException: Cannot parse '%SYS-5-CONFIG_I:':
Encountered "<EOF>" at line 1, column 16.
message
2018-04-23T09:17:20.794-0400 I COMMAND [conn8] command graylog.$cmd command: update { update: "saved_searches", ordered: true, updates: [ { q: { _id: ObjectId('5adddce0d0ac29033714a614') }, u: { creator_user_id: "admin", created_at: new Date(1524489440495), title: "Configured from console by", query: { rangeType: "relative", fields: "message,source", relative: 432000, query: ""%SYS-5-CONFIG_I:" AND NOT source:elasticsearch" }, _id: ObjectId('5adddce0d0ac29033714a614') }, upsert: true } ] } numYields:0 reslen:110 locks:{ Global: { acquireCount: { r: 3, w: 3 } }, Database: { acquireCount: { w: 2, W: 1 } }, Collection: { acquireCount: { w: 2 } } } protocol:op_query 178ms
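Two things are visible in the quoted lines: the Elasticsearch entry echoes the search string back in a parse error (Lucene's classic query parser reads an unquoted trailing `:` as a field separator with no value, hence `Encountered "<EOF>"`), and the MongoDB entry records the saved search being written, query string included. Any full-text search for that string therefore matches the server's own Elasticsearch and MongoDB logs as well. The following is an added example, not code from the original post or from Graylog: a small Python helper that builds a Lucene-style query with the term either quoted as a phrase or backslash-escaped, and appends a `NOT (source:... OR source:...)` clause for sources to exclude. The escaping rules follow Lucene's classic query parser; `source` is assumed to be the field name used here, as in the post.

```python
"""Build a Graylog/Lucene-style query that searches for a literal term and
excludes noisy sources. Added example; not part of the original post."""
from __future__ import annotations

from typing import Iterable

# Characters reserved by Lucene's classic query parser (QueryParserBase.escape).
LUCENE_SPECIAL = set('\\+-!():^[]"{}~*?|&/')


def escape_lucene_term(term: str) -> str:
    """Backslash-escape every reserved character so the term matches literally.

    An unescaped trailing ':' (as in '%SYS-5-CONFIG_I:') is parsed as a field
    separator with no value, which is the 'Encountered "<EOF>"' error above.
    """
    return ''.join('\\' + c if c in LUCENE_SPECIAL else c for c in term)


def quote_phrase(term: str) -> str:
    """Wrap the term in double quotes; inside a phrase only '"' and '\\' need escaping."""
    return '"' + term.replace('\\', '\\\\').replace('"', '\\"') + '"'


def build_query(term: str, exclude_sources: Iterable[str] = (), as_phrase: bool = True) -> str:
    """Return a query for `term` that excludes the given `source` values.

    as_phrase=True quotes the term (what the post does); as_phrase=False escapes
    it character by character instead. Both forms are safe for a trailing ':'.
    """
    needle = quote_phrase(term) if as_phrase else escape_lucene_term(term)
    sources = list(exclude_sources)
    if not sources:
        return needle
    clause = ' OR '.join(f'source:{escape_lucene_term(s)}' for s in sources)
    return f'{needle} AND NOT ({clause})'


if __name__ == '__main__':
    # Constructed usage mirroring the post's search term.
    print(escape_lucene_term('%SYS-5-CONFIG_I:'))
    print(build_query('%SYS-5-CONFIG_I:', ['elasticsearch', 'mongodb']))
```

Saving the output of `build_query` as the query of a saved search (or as a stream rule on `source`) is the usual way to make the exclusion stick instead of retyping the `AND NOT` clause on every search.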