Hi Mariusz!
Thanks for your reply!
Here is (the beginning of) my /etc/rsyslog.conf:
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       UsePid="system"              # PID number is retrieved as the ID of the process the journal entry originates from
       FileCreateMode="0644"        # Set the access permissions for the state file
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

So the confs are included fairly in the beginning of the file. I have
also renamed my config to "0_intruder_lockout_log.conf" to make sure
that it is parsed and applied in the beginning.
If you need the whole rsyslog.conf then I can also sanitize and share that.
The way the logger message looks in /var/log/messages is:
May 29 11:42:35 hostname intruder_lockout[3375736]: test123456
Any more info required, please ask!
Again, appreciated the reply!
MJ
On 5/29/24 13:57, Mariusz Kruk via rsyslog wrote:
It's impossible to answer that without knowing your full config. My
guess would be that your syslog.d contents are included at the end of
the main config file and your event matches a different disposition
first so it's matched to another action and the processing is stopped
there not reaching your rule.
On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:
Hi all!
I am generating log messages from a script with a syslogtag, like this:
]# logger -t intruder_lockout -p local4.info "this account is now locked out"
Next I'm trying to filter these logs, based on syslogtag, to a
separate file. (on RHEL9, with rsyslogd 8.2102.0-117.el9 (aka 2021.02))
To do that, I created the config file
/etc/rsyslog.d/0_intruder_lockout_log.conf with these contents:
:syslogtag, isequal, "intruder_lockout:" /var/log/intruder_lockout.log
& stop
But the logger messages continue to end up in the regular
/var/log/messages.
My config file *is* processed:
]# rsyslogd -N1 -d | grep intruder
9648.534580052:main thread : rainerscript.c: PROPFILT
9648.534581695:main thread : rainerscript.c: Property.: 'syslogtag'
9648.534584550:main thread : rainerscript.c: Operation: 'isequal'
9648.534587716:main thread : rainerscript.c: Value....: 'intruder_lockout:'
9648.534589259:main thread : rainerscript.c: THEN
9648.534590852:main thread : rainerscript.c: ACTION 2 [builtin:omfile:/data/log/intruder_lockout.log]
9648.534593647:main thread : rainerscript.c: STOP
9648.534596272:main thread : rainerscript.c: END PROPFILT
I have also disabled selinux for testing, just to make sure that is
not getting in my way.
Anyone here with some input to help me on my way..? Why is this not
working?!
Thanks!
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
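
Added example, not part of the thread: a simplified Python model of rsyslog's property-based filters, run against the line shown in /var/log/messages above. `isequal` compares the whole property value, and the logged tag carries the PID in brackets; the programname derivation and the two alternative filters are assumptions of this model, not something proposed in the thread.

```python
import re

# Line as it appears in /var/log/messages in the thread (RSYSLOG_TraditionalFileFormat).
SAMPLE = "May 29 11:42:35 hostname intruder_lockout[3375736]: test123456"
# Filter line exactly as posted in the thread (action included).
THREAD_FILTER = ':syslogtag, isequal, "intruder_lockout:" /var/log/intruder_lockout.log'

LINE_RE = re.compile(
    r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<tag>\S+)(?P<msg>.*)$")
FILTER_RE = re.compile(
    r'^:(?P<prop>\w+),\s*(?P<neg>!?)(?P<op>\w+),\s*"(?P<val>[^"]*)"')

def properties(line):
    """Recover the properties the filters look at from one logged line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a traditional-format syslog line")
    tag = m.group("tag")
    # Model assumption: programname is the tag up to the first '[', ':' or '/'.
    program = re.match(r"[^\[:/]*", tag).group(0)
    return {"hostname": m.group("host"), "syslogtag": tag,
            "programname": program, "msg": m.group("msg")}

OPS = {
    "isequal": lambda have, want: have == want,   # whole value must be identical
    "startswith": lambda have, want: have.startswith(want),
    "contains": lambda have, want: want in have,
}

def matches(filter_line, props):
    """Evaluate one ':property, [!]operation, "value"' filter against props."""
    m = FILTER_RE.match(filter_line.strip())
    if m is None or m.group("op") not in OPS:
        raise ValueError(f"unsupported filter: {filter_line!r}")
    hit = OPS[m.group("op")](props[m.group("prop")], m.group("val"))
    return not hit if m.group("neg") else hit

def report(line=SAMPLE):
    """Map each candidate filter to whether it would select the line."""
    props = properties(line)
    candidates = [
        THREAD_FILTER,
        ':syslogtag, startswith, "intruder_lockout["',  # constructed alternative
        ':programname, isequal, "intruder_lockout"',    # constructed alternative
    ]
    return {f: matches(f, props) for f in candidates}

if __name__ == "__main__":
    print("syslogtag =", properties(SAMPLE)["syslogtag"])
    for f, hit in report().items():
        print("MATCH   " if hit else "no match", f)
```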