what does the debugformat version of the log look like?
On Tue, 22 Sep 2020, Venizia via rsyslog wrote:
Date: Tue, 22 Sep 2020 18:19:48 +0200 From: Venizia via rsyslog <[email protected]> To: [email protected] Cc: Venizia <[email protected]> Subject: Re: [rsyslog] Centos 7 - Splitting rsyslog messages to different log files Thx David. it looks like the programname variable is not set: 1031.909509937:imudp.c : recv(4,236),acl:1,msg:<134>Sep 22 18:10:31 haproxy[30548]: IP:XX.XX.XX.XX - 62528 - [22/Sep/2020:18:10:28.654] - https_front~ - http_back/albus - {website} - 200 - "GET /files/2016/03/Bar-gros-sel_5-495x400.jpg HTTP/1.1" 1031.909523552:imudp.c : msg parser: flags 70, from '~NOTRESOLVED~', msg '<134>Sep 22 18:10:31 haproxy[30548]: IP:XX.XX.XX.XX - 6252' Is this due to the format of the log? Thx! Le 22/09/20 10:12, « David Lang » <[email protected]> a écrit : write logs with the template RSYSLOG_DebugFormat and look at the result. I'd bet that the programname isn't what you expect, or that your first filter is matching everything that your second would, and since you stop processing logs that match the first filter, nothing is left to match the second one. David Lang On Tue, 22 Sep 2020, Venizia via rsyslog wrote: > Date: Tue, 22 Sep 2020 08:32:04 +0200 > From: Venizia via rsyslog <[email protected]> > To: [email protected] > Cc: Venizia <[email protected]> > Subject: [rsyslog] Centos 7 - Splitting rsyslog messages to different log > files > > Hello ! > > > > On a centos 7, I got haproxy. I would like to split the logs from haproxy to different log files. So in /etc/rsyslog.d, I have created the following: > > > > # Collect log with UDP > > $ModLoad imudp > > $UDPServerAddress 127.0.0.1 > > $UDPServerRun 514 > > > > # Creating separate log files based on the severity > > local0.notice /var/log/haproxy-admin.log > > & stop > > if $programname == 'haproxy' and $msg contains "~ http_back/" then /var/log/haproxy/wp1.log > > & stop > > local0.* /var/log/haproxy-traffic.log > > & stop > > > > > > I should so get 3 differents files: > haproxy-admin.log with all notice messages > wp1.log with all messages containing ‘http_back’ in it > haproxy-traffic with the rest of messages > > > But I only get the first and the third one. I guess that there is a mistake in the line: > > if $programname == 'haproxy' and $msg contains "~ http_back/" then /var/log/haproxy/wp1.log > > > > I am not so familiar with rsyslog (that’s the first time I am trying to do such a thing) so I do not know how I could check the content of the 2 variables: $programname and $msg. > > Any advice on that? > > > > Thx in advance! > > Lydie > > _______________________________________________ > rsyslog mailing list > https://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
