Log the message with the template RSYSLOG_DebugFormat so you can see all the details about how rsyslog is seeing the message.

I'm not sure if _ is valid as a syslog tag, but if the debug output shows that it's not being parsed into the tag field, try without that.

We really would need to see the complete log file (which includes all included files). If you start rsyslog with -o /path/to/file, it will write the combined config file as it sees it into that file, which makes it much easier to see how all the config snippets combine.

David Lang


On Wed, 29 May 2024, cyusedfzfb via rsyslog wrote:

Date: Wed, 29 May 2024 14:51:41 +0200
From: cyusedfzfb via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: cyusedfzfb <cyusedf...@gmail.com>
Subject: Re: [rsyslog] why is my config ignored

I have found that when using programname to match, it DOES work.

Why would this line:

logger -t intruder_lockout -p local4.info "this account is now locked out"
not match when filtering to match syslogtag isequal "intruder_lockout"?

Anyway...I am (finally) able to proceed.

Still hope someone can explain the observed behaviour.

MJ

On 5/29/24 13:57, Mariusz Kruk via rsyslog wrote:
It's impossible to answer that without knowing your full config. My guess would be that your syslog.d contents are included at the end of the main config file and your event matches a different disposition first so it's matched to another action and the processing is stopped there not reaching your rule.

On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:
Hi all!

I am generating log messages from a script with a syslogtag, like this:

]# logger -t intruder_lockout -p local4.info "this account is now locked out"

Next I'm trying to filter these logs, based on syslogtag, to a separate file (on RHEL9, with rsyslogd 8.2102.0-117.el9 (aka 2021.02)).

To do that, I created the configfile /etc/rsyslog.d/0_intruder_lockout_log.conf with this contents:

:syslogtag, isequal, "intruder_lockout:" /var/log/intruder_lockout.log
& stop

But the logger messages continue to end up in the regular /var/log/messages.

My config file *is* processed:

]# rsyslogd -N1 -d | grep intruder

9648.534580052:main thread    : rainerscript.c: PROPFILT
9648.534581695:main thread    : rainerscript.c:     Property.: 'syslogtag'
9648.534584550:main thread    : rainerscript.c:     Operation: 'isequal'
9648.534587716:main thread    : rainerscript.c:     Value....: 'intruder_lockout:'
9648.534589259:main thread    : rainerscript.c: THEN
9648.534590852:main thread    : rainerscript.c:   ACTION 2 [builtin:omfile:/data/log/intruder_lockout.log]
9648.534593647:main thread    : rainerscript.c:   STOP
9648.534596272:main thread    : rainerscript.c: END PROPFILT

I have also disabled selinux for testing, just to make sure that is not getting in my way.

Anyone here with some input to help me on my way..? Why is this not working?!

Thanks!

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
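
Added example, not part of the original thread or of the rsyslog project: a config snippet that combines the RSYSLOG_DebugFormat diagnosis suggested in the first reply with the programname match the poster reported as working. The file name and the debug log path are assumptions.

```conf
# Hypothetical file: /etc/rsyslog.d/00_debug_local4.conf
# It must be read before any rule that ends in "stop" for these messages,
# otherwise processing may finish before these rules are reached.

# Step 1 (diagnosis): dump every property of local4 messages, so the actual
# values of syslogtag and programname can be compared with the filter string.
# /var/log/local4_debug.log is an assumed path.
if $syslogfacility-text == "local4" then {
    action(type="omfile"
           file="/var/log/local4_debug.log"
           template="RSYSLOG_DebugFormat")
}

# Step 2 (routing): the programname match reported as working in the thread.
if $programname == "intruder_lockout" then {
    action(type="omfile" file="/var/log/intruder_lockout.log")
    stop
}
```

Check the syntax with `rsyslogd -N1`, restart rsyslog, send the `logger -t intruder_lockout -p local4.info ...` test message from the thread, and compare the syslogtag and programname values in the debug file. Remove the step 1 rule once the filter is confirmed, since the debug template writes every property of every local4 message.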