ok I found the issue. I changed the part: $msg contains "~ http_back/" to $msg contains "http_back"
and it works :) Have a nice day!

On Tue, 22 Sep 2020 at 23:39, Venizia <[email protected]> wrote:

> What do you mean exactly?
>
> On Tue, 22 Sep 2020 at 21:35, David Lang <[email protected]> wrote:
>
>> what does the debugformat version of the log look like?
>>
>>
>> On Tue, 22 Sep 2020, Venizia via rsyslog wrote:
>>
>> > Date: Tue, 22 Sep 2020 18:19:48 +0200
>> > From: Venizia via rsyslog <[email protected]>
>> > To: [email protected]
>> > Cc: Venizia <[email protected]>
>> > Subject: Re: [rsyslog] Centos 7 - Splitting rsyslog messages to different log files
>> >
>> > Thx David.
>> >
>> > it looks like the programname variable is not set:
>> >
>> > 1031.909509937:imudp.c : recv(4,236),acl:1,msg:<134>Sep 22 18:10:31 haproxy[30548]: IP:XX.XX.XX.XX - 62528 - [22/Sep/2020:18:10:28.654] - https_front~ - http_back/albus - {website} - 200 - "GET /files/2016/03/Bar-gros-sel_5-495x400.jpg HTTP/1.1"
>> >
>> > 1031.909523552:imudp.c : msg parser: flags 70, from '~NOTRESOLVED~', msg '<134>Sep 22 18:10:31 haproxy[30548]: IP:XX.XX.XX.XX - 6252'
>> >
>> > Is this due to the format of the log?
>> >
>> > Thx!
>> >
>> > On 22/09/20 10:12, "David Lang" <[email protected]> wrote:
>> >
>> > write logs with the template RSYSLOG_DebugFormat and look at the result. I'd bet
>> > that the programname isn't what you expect, or that your first filter is
>> > matching everything that your second would, and since you stop processing logs
>> > that match the first filter, nothing is left to match the second one.
>> >
>> > David Lang
>> >
>> > On Tue, 22 Sep 2020, Venizia via rsyslog wrote:
>> >
>> > > Date: Tue, 22 Sep 2020 08:32:04 +0200
>> > > From: Venizia via rsyslog <[email protected]>
>> > > To: [email protected]
>> > > Cc: Venizia <[email protected]>
>> > > Subject: [rsyslog] Centos 7 - Splitting rsyslog messages to different log files
>> > >
>> > > Hello !
>> > >
>> > > On a centos 7, I got haproxy. I would like to split the logs from haproxy to different log files. So in /etc/rsyslog.d, I have created the following:
>> > >
>> > > # Collect log with UDP
>> > > $ModLoad imudp
>> > > $UDPServerAddress 127.0.0.1
>> > > $UDPServerRun 514
>> > >
>> > > # Creating separate log files based on the severity
>> > > local0.notice /var/log/haproxy-admin.log
>> > > & stop
>> > > if $programname == 'haproxy' and $msg contains "~ http_back/" then /var/log/haproxy/wp1.log
>> > > & stop
>> > > local0.* /var/log/haproxy-traffic.log
>> > > & stop
>> > >
>> > > I should so get 3 different files:
>> > > haproxy-admin.log with all notice messages
>> > > wp1.log with all messages containing ‘http_back’ in it
>> > > haproxy-traffic with the rest of messages
>> > >
>> > > But I only get the first and the third one. I guess that there is a mistake in the line:
>> > >
>> > > if $programname == 'haproxy' and $msg contains "~ http_back/" then /var/log/haproxy/wp1.log
>> > >
>> > > I am not so familiar with rsyslog (that’s the first time I am trying to do such a thing) so I do not know how I could check the content of the 2 variables: $programname and $msg.
>> > >
>> > > Any advice on that?
>> > >
>> > > Thx in advance!
>> > >
>> > > Lydie
>> > >
>> > > _______________________________________________
>> > > rsyslog mailing list
>> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
>> > > http://www.rsyslog.com/professional-services/
>> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
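
Added example, not part of the thread and not rsyslog's own code: a simplified Python model of the three rules from the original post, run on the debug line quoted above, to show which file each `contains` string routes it to. It assumes BSD-syslog style parsing (the tag before `[pid]:` becomes the program name) and a case-sensitive substring match for `contains`; the names `parse` and `route` are made up for illustration.

```python
import re

# Debug line quoted in the thread (the IP is already redacted there).
SAMPLE = ('<134>Sep 22 18:10:31 haproxy[30548]: IP:XX.XX.XX.XX - 62528 - '
          '[22/Sep/2020:18:10:28.654] - https_front~ - http_back/albus - '
          '{website} - 200 - "GET /files/2016/03/Bar-gros-sel_5-495x400.jpg HTTP/1.1"')

FACILITIES = {16: "local0"}   # only the facility this thread uses
NOTICE = 5                    # syslog severity: lower number = more severe

RFC3164 = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:"
    r"(?P<msg>.*)", re.S)

def parse(raw):
    """Split a raw line into the fields the filters in the thread look at."""
    m = RFC3164.match(raw)
    if m is None:
        raise ValueError("not an RFC 3164 style line")
    pri = int(m["pri"])       # PRI = facility * 8 + severity
    return {"facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
            "severity": pri & 7,
            "programname": m["tag"],
            "msg": m["msg"]}

def route(raw, needle):
    """Apply the three rules in order; '& stop' means the first match wins."""
    ev = parse(raw)
    # local0.notice selects notice and anything more severe
    if ev["facility"] == "local0" and ev["severity"] <= NOTICE:
        return "/var/log/haproxy-admin.log"
    if ev["programname"] == "haproxy" and needle in ev["msg"]:
        return "/var/log/haproxy/wp1.log"
    if ev["facility"] == "local0":
        return "/var/log/haproxy-traffic.log"
    return None

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(ev["facility"], ev["severity"], ev["programname"])
    for needle in ("~ http_back/", "http_back"):
        print(repr(needle), "->", route(SAMPLE, needle))
```

The sample line carries `https_front~ - http_back/albus`, so the literal `~ http_back/` never occurs in it and the line falls through to the third rule, while `http_back` matches the second.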

