Hi David (and Mariusz)
Thanks for the helpful suggestions!
I will try tomorrow and report back my findings.
Enjoy your evenings!
MJ
On 29-05-2024 at 18:19, David Lang wrote:
Log the message with the template RSYSLOG_DebugFormat so you can see all
the details about how rsyslog is seeing the message.
I'm not sure if _ is valid as a syslog tag, but if the debug output
shows that it's not being parsed into the tag field, try without that.
We really would need to see the complete log file (which includes all
included files). If you start rsyslog with -o /path/to/file, it will
write the combined config file as it sees it into that file, which makes
it much easier to see how all the config snippets combine.
David Lang
On Wed, 29 May 2024, cyusedfzfb via rsyslog wrote:
Date: Wed, 29 May 2024 14:51:41 +0200
From: cyusedfzfb via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: cyusedfzfb <cyusedf...@gmail.com>
Subject: Re: [rsyslog] why is my config ignored
I have found that when using programname to match, it DOES work.
Why would this line:
logger -t intruder_lockout -p local4.info "this account is now locked out"
not match when filtering to match syslogtag isequal "intruder_lockout"?
Anyway...I am (finally) able to proceed.
Still hope someone can explain the observed behaviour.
MJ
On 5/29/24 13:57, Mariusz Kruk via rsyslog wrote:
It's impossible to answer that without knowing your full config. My
guess would be that your syslog.d contents are included at the end of
the main config file and your event matches a different disposition
first so it's matched to another action and the processing is stopped
there not reaching your rule.
On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:
Hi all!
I am generating log messages from a script with a syslogtag, like this:
]# logger -t intruder_lockout -p local4.info "this account is now locked out"
Next I'm trying to filter these logs, based on syslogtag, to a
separate file. (on RHEL9, with rsyslogd 8.2102.0-117.el9 (aka
2021.02))
To do that, I created the config file
/etc/rsyslog.d/0_intruder_lockout_log.conf with these contents:
:syslogtag, isequal, "intruder_lockout:" /var/log/intruder_lockout.log
& stop
But the logger messages continue to end up in the regular
/var/log/messages.
My config file *is* processed:
]# rsyslogd -N1 -d | grep intruder
9648.534580052:main thread : rainerscript.c: PROPFILT
9648.534581695:main thread : rainerscript.c: Property.: 'syslogtag'
9648.534584550:main thread : rainerscript.c: Operation: 'isequal'
9648.534587716:main thread : rainerscript.c: Value....: 'intruder_lockout:'
9648.534589259:main thread : rainerscript.c: THEN
9648.534590852:main thread : rainerscript.c: ACTION 2 [builtin:omfile:/data/log/intruder_lockout.log]
9648.534593647:main thread : rainerscript.c: STOP
9648.534596272:main thread : rainerscript.c: END PROPFILT
I have also disabled selinux for testing, just to make sure that is
not getting in my way.
Anyone here with some input to help me on my way..? Why is this not
working?!
Thanks!
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
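
Added example, not part of the thread and not the rsyslog project's own code: a config snippet that combines the two things reported above, David Lang's suggestion to log with the RSYSLOG_DebugFormat template and MJ's finding that matching on programname works. The debug file path is an assumption; the config file name, target log file and logger command are the ones quoted in the thread.

```conf
# /etc/rsyslog.d/0_intruder_lockout_log.conf  (file name taken from the thread)
# Added example; /var/log/intruder_lockout_debug.log is an assumed path.

# 1) Temporary diagnostic: write every local4 message with the built-in
#    RSYSLOG_DebugFormat template, so every property rsyslog parsed
#    (syslogtag, programname, ...) is visible exactly as rsyslog sees it.
#    This must come before the "stop" below, and should be removed once
#    the filter is confirmed to work.
local4.* action(type="omfile"
                file="/var/log/intruder_lockout_debug.log"
                template="RSYSLOG_DebugFormat")

# 2) The filter reported as working in the thread: match on programname
#    instead of syslogtag, write to the dedicated file, then stop so the
#    message does not also reach /var/log/messages.
:programname, isequal, "intruder_lockout" /var/log/intruder_lockout.log
& stop

# To check:
#   rsyslogd -N1                      (validate the config)
#   restart rsyslog, then run:
#   logger -t intruder_lockout -p local4.info "this account is now locked out"
#   and compare the syslogtag and programname values in the debug file
#   with the string used in the filter.
```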