It's impossible to answer that without knowing your full config. My
guess would be that your syslog.d contents are included at the end of
the main config file and your event matches a different disposition
first, so it's matched to another action and the processing is stopped
there, not reaching your rule.
On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:
Hi all!
I am generating log messages from a script with a syslogtag, like this:
]# logger -t intruder_lockout -p local4.info "this account is now locked out"
Next I'm trying to filter these logs, based on syslogtag, to a separate
file. (on RHEL9, with rsyslogd 8.2102.0-117.el9 (aka 2021.02))
To do that, I created the config file
/etc/rsyslog.d/0_intruder_lockout_log.conf with these contents:
:syslogtag, isequal, "intruder_lockout:" /var/log/intruder_lockout.log
& stop
But the logger messages continue to end up in the regular
/var/log/messages.
My config file *is* processed:
]# rsyslogd -N1 -d | grep intruder
9648.534580052:main thread : rainerscript.c: PROPFILT
9648.534581695:main thread : rainerscript.c: Property.: 'syslogtag'
9648.534584550:main thread : rainerscript.c: Operation: 'isequal'
9648.534587716:main thread : rainerscript.c: Value....: 'intruder_lockout:'
9648.534589259:main thread : rainerscript.c: THEN
9648.534590852:main thread : rainerscript.c: ACTION 2 [builtin:omfile:/data/log/intruder_lockout.log]
9648.534593647:main thread : rainerscript.c: STOP
9648.534596272:main thread : rainerscript.c: END PROPFILT
I have also disabled selinux for testing, just to make sure that is
not getting in my way.
Anyone here with some input to help me on my way..? Why is this not
working?!
Thanks!
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
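
The ordering question raised in the reply at the top of this thread can be checked mechanically: a `stop` only suppresses rules loaded after it, so a drop-in included after the `/var/log/messages` rule cannot keep a message out of that file. The following Python script is an added example, not part of the original thread or of rsyslog; the function names are hypothetical, the sample config tree is constructed, and it assumes only the two include forms `$IncludeConfig` and `include(file="...")` are in use.

```python
import glob, os, re, tempfile

# Matches legacy "$IncludeConfig <glob>" and RainerScript include(file="<glob>" ...).
INCLUDE_RE = re.compile(
    r'^\s*(?:\$IncludeConfig\s+(\S+)|include\s*\(.*?file\s*=\s*"([^"]+)")', re.I)

def flatten(path, root=""):
    """Return [(file, lineno, text)] for every active line, in load order."""
    out = []
    with open(root + path) as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = INCLUDE_RE.match(line)
            if m:
                pattern = m.group(1) or m.group(2)
                # Included files load in sorted order: 0_x.conf before 50-y.conf.
                for inc in sorted(glob.glob(root + pattern)):
                    out += flatten(inc[len(root):], root)
            else:
                out.append((path, no, line))
    return out

def position(rules, needle):
    """Index of the first flattened line containing needle, or -1."""
    return next((i for i, r in enumerate(rules) if needle in r[2]), -1)

def stop_is_effective(rules, filter_text, catchall_target):
    """True only if the filter is loaded before the catch-all file action."""
    f, c = position(rules, filter_text), position(rules, catchall_target)
    return f != -1 and (c == -1 or f < c)

def demo(include_last):
    """Build a constructed config tree under a temp dir and evaluate it."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/etc/rsyslog.d")
    catchall = "*.info;mail.none;authpriv.none;cron.none /var/log/messages\n"
    include = 'include(file="/etc/rsyslog.d/*.conf" mode="optional")\n'
    main = catchall + include if include_last else include + catchall
    with open(root + "/etc/rsyslog.conf", "w") as fh:
        fh.write("# constructed sample\n" + main)
    with open(root + "/etc/rsyslog.d/0_intruder_lockout_log.conf", "w") as fh:
        fh.write(':syslogtag, isequal, "intruder_lockout:" '
                 '/var/log/intruder_lockout.log\n& stop\n')
    rules = flatten("/etc/rsyslog.conf", root)
    return stop_is_effective(rules, "intruder_lockout:", "/var/log/messages")
```

On a real host, `flatten("/etc/rsyslog.conf")` with the default empty `root` prints the effective rule order to compare against.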