I'd say the logger doc is incomplete. Obviously, the value given via -t is just *the beginning of the tag* and logger itself adds PID after it to the tag. Problems like these were on our mind when we defined RFC 5424 with its PROGNAME field.
HTH
Rainer

On Wed, 29 May 2024 at 23:28, sacawulu via rsyslog (<rsyslog@lists.adiscon.com>) wrote:
>
> ok...
>
> but then... what's the use of being able to assign a tag with "logger -t
> TAG" when that tag cannot be used later on to do something with it?
>
> syslogtag, isequal... is not meant as a logical duo with "logger -t"?
>
> More tomorrow.
>
> Goodnight!
>
> On 29-05-2024 at 23:07, Mariusz Kruk via rsyslog wrote:
> > See your logged event. You're matching against a string
> > "intruder_lockout:" but your event is logged with a PID added to the
> > progname so you have "intruder_lockout[xxxx]:" so your condition doesn't
> > match.
> >
> >
> > On May 29, 2024 12:51:41 PM UTC, cyusedfzfb via rsyslog
> > <rsyslog@lists.adiscon.com> wrote:
> >
> > I have found that when using programname to match, it DOES work.
> >
> > Why would this line:
> >
> > logger -t intruder_lockout -p local4.info "this account is now locked out"
> >
> > not match when filtering to match syslogtag isequal
> > "intruder_lockout"?
> >
> > Anyway...I am (finally) able to proceed.
> >
> > Still hope someone can explain the observed behaviour.
> >
> > MJ
> >
> > On 5/29/24 13:57, Mariusz Kruk via rsyslog wrote:
> >
> > It's impossible to answer that without knowing your full config.
> > My guess would be that your syslog.d contents are included at
> > the end of the main config file and your event matches a
> > different disposition first so it's matched to another action
> > and the processing is stopped there not reaching your rule.
> >
> > On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:
> >
> > Hi all!
> >
> > I am generating log messages from a script with a syslogtag,
> > like this:
> >
> > ]# logger -t intruder_lockout -p local4.info "this account is now locked out"
> >
> > Next I'm trying to filter these logs, based on syslogtag to
> > a separate file.
> > (on RHEL9, with rsyslogd 8.2102.0-117.el9
> > (aka 2021.02))
> >
> > To do that, I created the configfile
> > /etc/rsyslog.d/0_intruder_lockout_log.conf with this contents:
> >
> > :syslogtag, isequal, "intruder_lockout:" /var/log/intruder_lockout.log
> > & stop
> >
> > But the logger messages continue to end up in the regular
> > /var/log/messages.
> >
> > My config file *is* processed:
> >
> > ]# rsyslogd -N1 -d | grep intruder
> >
> > 9648.534580052:main thread : rainerscript.c: PROPFILT
> > 9648.534581695:main thread : rainerscript.c: Property.: 'syslogtag'
> > 9648.534584550:main thread : rainerscript.c: Operation: 'isequal'
> > 9648.534587716:main thread : rainerscript.c: Value....: 'intruder_lockout:'
> > 9648.534589259:main thread : rainerscript.c: THEN
> > 9648.534590852:main thread : rainerscript.c: ACTION 2 [builtin:omfile:/data/log/intruder_lockout.log]
> > 9648.534593647:main thread : rainerscript.c: STOP
> > 9648.534596272:main thread : rainerscript.c: END PROPFILT
> >
> > I have also disabled selinux for testing, just to make sure
> > that is not getting in my way.
> >
> > Anyone here with some input to help me on my way..? Why is
> > this not working?!
> >
> > Thanks!
> >
> > ------------------------------------------------------------------------
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED
> > by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE
> > and DO NOT POST if you DON'T LIKE THAT.
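
The mismatch discussed in this thread, written out as an rsyslog configuration (an added example, not part of any poster's message or of the rsyslog documentation). The tag, file name and log path are taken from the original post; the `startswith` and RainerScript variants are alternatives added here, and only one of the three options should be active.

```conf
# /etc/rsyslog.d/0_intruder_lockout_log.conf
#
# As described in the thread, the event produced by
#   logger -t intruder_lockout -p local4.info "..."
# is logged with the tag "intruder_lockout[<pid>]:", so an exact
# comparison against "intruder_lockout:" never matches and the
# lockout events stay in /var/log/messages:
#
#   :syslogtag, isequal, "intruder_lockout:" /var/log/intruder_lockout.log
#   & stop

# Option 1 (what the original poster reports as working):
# compare programname, which is the tag without the "[<pid>]:" part.
:programname, isequal, "intruder_lockout" /var/log/intruder_lockout.log
& stop

# Option 2: keep filtering on syslogtag, but as a prefix match.
# The trailing "[" keeps tags such as "intruder_lockout_test" out,
# at the cost of missing events logged without a PID.
#:syslogtag, startswith, "intruder_lockout[" /var/log/intruder_lockout.log
#& stop

# Option 3: the same test as option 1 in RainerScript syntax.
#if $programname == "intruder_lockout" then {
#    action(type="omfile" file="/var/log/intruder_lockout.log")
#    stop
#}
```

`rsyslogd -N1`, as used in the original post, checks the file before rsyslog is restarted; re-running the `logger` command from the post then shows whether the event lands in the dedicated file.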