It can be matched; it's just not what you thought it was.

Log with the RSYSLOG_DebugFormat template and you will see what $syslogtag contains.

David Lang

On Wed, 29 May 2024, sacawulu via rsyslog wrote:

ok...

but then... what's the use of being able to assign a tag with "logger -t TAG" when that tag cannot be used later on to do something with it?

syslogtag, isequal... is not meant as a logical duo with "logger -t"?

More tomorrow.

Goodnight!

On 29-05-2024 at 23:07, Mariusz Kruk via rsyslog wrote:
See your logged event. You're matching against a string "intruder_lockout:" but your event is logged with a PID added to the progname so you have "intruder_lockout[xxxx]:" so your condition doesn't match.


On May 29, 2024 12:51:41 PM UTC, cyusedfzfb via rsyslog <rsyslog@lists.adiscon.com> wrote:

     I have found that when using programname to match, it DOES work.

     Why would this line:

         logger -t intruder_lockout -p local4.info "this account is now locked out"

    not match when filtering to match syslogtag isequal "intruder_lockout"?

     Anyway...I am (finally) able to proceed.

     Still hope someone can explain the observed behaviour.

     MJ

     On 5/29/24 13:57, Mariusz Kruk via rsyslog wrote:

         It's impossible to answer that without knowing your full config.
         My guess would be that your syslog.d contents are included at
         the end of the main config file and your event matches a
         different disposition first so it's matched to another action
         and the processing is stopped there not reaching your rule.

         On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:

             Hi all!

             I am generating log messages from a script with a syslogtag,
             like this:

             ]# logger -t intruder_lockout -p local4.info "this account is now locked out"

             Next I'm trying to filter these logs, based on syslogtag, to
             a separate file. (on RHEL9, with rsyslogd 8.2102.0-117.el9
             (aka 2021.02))

             To do that, I created the config file
             /etc/rsyslog.d/0_intruder_lockout_log.conf with these contents:

                 :syslogtag, isequal, "intruder_lockout:"
                 /var/log/intruder_lockout.log
                 & stop

             But the logger messages continue to end up in the regular
             /var/log/messages.

             My config file *is* processed:

             ]# rsyslogd -N1 -d | grep intruder

             9648.534580052:main thread    : rainerscript.c: PROPFILT
             9648.534581695:main thread    : rainerscript.c: Property.: 'syslogtag'
             9648.534584550:main thread    : rainerscript.c: Operation: 'isequal'
             9648.534587716:main thread    : rainerscript.c: Value....: 'intruder_lockout:'
             9648.534589259:main thread    : rainerscript.c: THEN
             9648.534590852:main thread    : rainerscript.c:   ACTION 2 [builtin:omfile:/data/log/intruder_lockout.log]
             9648.534593647:main thread    : rainerscript.c:   STOP
             9648.534596272:main thread    : rainerscript.c: END PROPFILT

             I have also disabled selinux for testing, just to make sure
             that is not getting in my way.

             Anyone here with some input to help me on my way..? Why is
             this not working?!

             Thanks!

------------------------------------------------------------------------
             rsyslog mailing list
             https://lists.adiscon.net/mailman/listinfo/rsyslog
             <https://lists.adiscon.net/mailman/listinfo/rsyslog>
             http://www.rsyslog.com/professional-services/
             <http://www.rsyslog.com/professional-services/>
             What's up with rsyslog? Follow https://twitter.com/rgerhards
             <https://twitter.com/rgerhards>
             NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED
             by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE
             and DO NOT POST if you DON'T LIKE THAT.


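Added example, not part of the original thread or of anyone's posted configuration: the filter from the first post next to two forms that tolerate a PID in the tag, plus a temporary RSYSLOG_DebugFormat action to inspect what $syslogtag really holds. The debug file path is an assumption, and only one of the two routing forms should be left active.

```conf
# /etc/rsyslog.d/0_intruder_lockout_log.conf  (example rewrite)

# 1. Temporary: dump every property of each message so the real value
#    of syslogtag and programname can be read off. Remove after testing.
#    The debug file path is an assumption.
*.* /var/log/rsyslog-debugformat.log;RSYSLOG_DebugFormat

# 2. Filter as posted: an exact comparison against "intruder_lockout:".
#    It fails when the tag arrives as "intruder_lockout[1234]:".
# :syslogtag, isequal, "intruder_lockout:"   /var/log/intruder_lockout.log
# & stop

# 3a. Match on programname, which is the tag without the "[pid]" part
#     and without the trailing colon. This is the property the original
#     poster reported as working.
if $programname == "intruder_lockout" then {
    action(type="omfile" file="/var/log/intruder_lockout.log")
    stop
}

# 3b. Alternative: prefix match on syslogtag. Including the "[" keeps
#     tags such as "intruder_lockout_test[1234]:" from matching, but it
#     will not match a tag that was logged without a PID.
# :syslogtag, startswith, "intruder_lockout["   /var/log/intruder_lockout.log
# & stop
```

Validate with `rsyslogd -N1`, restart rsyslog, send the `logger -t intruder_lockout` test message again, and confirm it lands in the dedicated file and no longer in /var/log/messages.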