Timo, more in depth later, but maybe this helps:

Fields stem back to RFC3164/5424, so the tag is NOT part of msg! Tag is the
full beast "blub[4711]" whereas programname is just the process name "blub".
I think if you use syslogtag (check property replacer doc if that is the
right name!) instead of programname, it should work. The appendix in RFC5424 (I
think A) has information on the mapping of legacy tags to programname.

HTH
rainer


> -----Original Message-----
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-
> boun...@lists.adiscon.com] On Behalf Of Timo Veith
> Sent: Thursday, February 10, 2011 12:26 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] filtering programname with slashes problem?
> 
> Hello Rainer,
> 
> thank you for your super fast reply!
> 
> Your suggestion brought me a little further. If I search within $msg
> for "policyd-weight" then it works. It also works, if I use $rawmsg.
> 
> You stated in your reply that the slash character separates the TAG
> from the CONTENT at the wrong position, right?
> 
> I.e. "postfix" is the TAG and the rest "/policy-weightd[...." becomes
> the CONTENT ?
> 
> I tried to test that:
> 
> The filters
> 
> if $msg startswith '/policyd-weight' then -/var/log/spam/policyd-weight_debug.log
> if $msg startswith 'policyd-weight' then -/var/log/spam/policyd-weight_debug.log
> 
> don't work. I hope I didn't miss a service restart command, I am
> testing a lot...
> 
> Maybe the $msg also contains $programname?
> I tried:
> 
> if $msg startswith 'postfix/policyd-weight' then -/var/log/spam/policyd-weight_debug.log
> if $msg contains 'postfix/policyd-weight' then -/var/log/spam/policyd-weight_debug.log
> 
> Both don't work either.
> 
> I am a little confused now. I could just use the one filter from above
> which is working, but I would like to understand why and how it is
> working or why not respectively.
> 
> Thank you and kind regards,
> Timo
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
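
Added example, not part of the original thread and not rsyslog's own code: a simplified Python model of how a legacy (RFC 3164 style) line splits into syslogtag, programname and msg, evaluated against the kinds of filters quoted above. The sample line, the regex and the function names are constructed for illustration; the programname termination rule (first ':', '[' or '/') follows the rsyslog property documentation.

```python
import re

# Constructed sample line in legacy RFC 3164 style (not taken from the thread).
SAMPLE = "<22>Feb 10 12:26:01 mx1 postfix/policyd-weight[4711]: decided action=PREPEND"

# PRI, timestamp, hostname, TAG (up to and including ':'), then MSG.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:]+:?)"
    r"(?P<msg>.*)$"
)

def split_fields(line):
    """Return the three properties the thread is about (simplified model)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a legacy syslog line")
    tag = m.group("tag")  # full tag, trailing ':' kept in this model
    # programname: static part of the tag, cut at the first ':', '[', '/'
    # or non-printable character.
    prog = re.match(r"[^:\[/\x00-\x20\x7f]*", tag).group(0)
    # msg starts after the tag; the tag is not part of it.
    return {"syslogtag": tag, "programname": prog, "msg": m.group("msg")}

def matches(fields, prop, op, value):
    """Evaluate one 'if $prop op value' style test against the model."""
    text = fields[prop]
    if op == "startswith":
        return text.startswith(value)
    if op == "contains":
        return value in text
    raise ValueError("unsupported operator: " + op)

# Filters modelled on the ones in the thread, plus the syslogtag variant.
FILTERS = [
    ("msg", "startswith", "/policyd-weight"),
    ("msg", "contains", "postfix/policyd-weight"),
    ("programname", "startswith", "postfix/policyd-weight"),
    ("syslogtag", "startswith", "postfix/policyd-weight"),
]

if __name__ == "__main__":
    f = split_fields(SAMPLE)
    print(f)
    for flt in FILTERS:
        print(flt, "->", matches(f, *flt))
```

In this model only the syslogtag test matches, because the slash ends programname at "postfix" and the tag never reaches msg.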