Hello Rainer, thank you for your super fast reply!
Your suggestion brought me a little further. If I search within $msg for "policyd-weight" then it works. It also works, if I use $rawmsg. You stated in your reply that the slash character separates the TAG from the CONTENT at the wrong position, right? I.e. "postfix" is the TAG and the rest "/policy-weightd[...." becomes the CONTENT ? I tried to test that: The filters if $msg startswith '/policyd-weight' then -/var/log/spam/policyd-weight_debug.log if $msg startswith 'policyd-weight' then -/var/log/spam/policyd-weight_debug.log don't work. I hope I didn't miss a service restart command, I am testing a lot... Maybe the $msg also contains $programname? I tried: if $msg startswith 'postfix/policyd-weight' then -/var/log/spam/policyd-weight_debug.log if $msg contains 'postfix/policyd-weight' then -/var/log/spam/policyd-weight_debug.log Both don't work either. I am little confused now. I could just use the one filter from above which is working, but I would like to understand why and how it is working or why not respectivley. Thank you and kind regards, Timo _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
