I think that RFC3164 says that a slash terminates the program name (or something along these lines). You may want to check not for the program name, but for the actual tag value (which starts with the program name). I guess that will solve the issue.
Rainer

> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Timo Veith
> Sent: Thursday, February 10, 2011 10:30 AM
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] filtering programname with slashes problem?
>
> Hello rsyslog list readers,
>
> I have found that I can not use a filter with the programname property
> when the string contains a slash. Has somebody made the same
> experience?
>
> My setup is a debian squeeze box, with almost default settings and I
> want to have a separate log for policyd-weight messages.
> Here is an example line out of mail.log:
>
> Feb 10 09:21:32 mx1 postfix/policyd-weight[3161]: weighted check:
> NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5
> HELO_IP_IN_CL_SUBNET=-1.2 (check from: .rediffmail. - helo:
> .rediffmail. - helo-domain: .rediffmail.)
> FROM/MX_MATCHES_HELO(DOMAIN)=-2 IN_ABUSE_RFCI=0.1;
> <client=202.137.235.243> <helo=rediffmail.com>
> <from=vancouver_seafo...@rediffmail.com> <to=u...@my-dom.de>; rate:
> -7.6
>
> I tried these filter statements:
>
> if $programname contains 'postfix/policyd-weight' and \
> $msg contains 'decided action=550' then -/var/log/spam/policyd-weight.log
>
> if $programname contains 'policyd-weight' and \
> $msg contains 'decided action=550' then -/var/log/spam/policyd-weight.log
>
> if $programname contains 'policyd' then -/var/log/spam/policyd-weight_debug.log
>
> :programname, regex, ".*policyd.*" -/var/log/spam/policyd-weight_debug.log
>
> None of them work.
>
> This one works:
>
> if $msg contains 'decided action=' or \
> $msg contains 'weighted check' then -/var/log/spam/policyd-weight_debug.log
>
> But it doesn't catch all policyd-weight messages.
>
> Am I going wrong somewhere? Any ideas?
>
> Kind regards,
> Timo
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
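The following is an added example, not part of the original thread and not rsyslog's own code: a small Python model of how the tag and program name are derived from the quoted log line, showing why the programname filters miss it while a tag-based check matches. It assumes the program name ends at the first ':', '[' or '/' in the tag; the function names and the shortened sample line are constructed for illustration.

```python
import re

# Constructed sample: the log line quoted in the thread, message text shortened.
SAMPLE = ("Feb 10 09:21:32 mx1 postfix/policyd-weight[3161]: "
          "weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5; rate: -7.6")

# BSD-syslog layout: "Mmm dd hh:mm:ss HOST TAG MSG"; the tag ends at the first space.
LINE_RE = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) (\S+) ?(.*)$")

# Assumed model: these characters end the program name inside the tag.
TERMINATORS = ":[/"


def program_name(tag):
    """Return the tag prefix up to the first terminator or non-printable char."""
    for i, ch in enumerate(tag):
        if ch in TERMINATORS or not ch.isprintable():
            return tag[:i]
    return tag


def parse(line):
    """Split a line into the properties the thread's filters refer to."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a BSD-syslog style line")
    host, tag, msg = m.groups()
    return {"hostname": host, "syslogtag": tag,
            "programname": program_name(tag), "msg": msg}


def evaluate_filters(props):
    """Evaluate the filters from the thread, plus a tag-based one, on one message."""
    prog, tag = props["programname"], props["syslogtag"]
    return {
        "programname contains 'postfix/policyd-weight'": "postfix/policyd-weight" in prog,
        "programname contains 'policyd'": "policyd" in prog,
        "programname regex '.*policyd.*'": re.search(r".*policyd.*", prog) is not None,
        "syslogtag contains 'policyd-weight'": "policyd-weight" in tag,
    }


if __name__ == "__main__":
    props = parse(SAMPLE)
    print("syslogtag   =", props["syslogtag"])
    print("programname =", props["programname"])
    for name, hit in evaluate_filters(props).items():
        print(f"{'MATCH' if hit else 'no match':8}  {name}")
```

In rsyslog the tag is exposed as the `syslogtag` property, so the tag-based check corresponds to testing `$syslogtag contains 'policyd-weight'` in place of `$programname`.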