1. Do those logs end up _somewhere_? (some default destination)

2. Are you sure that rsyslog actually gets those events? (tcpdump can still show UDP packets on the wire even if they are filtered out by a local firewall (or by rp_filter, assuming you're running Linux).)

3. I'm not familiar with the question mark syntax, but you have "firepower_systemevents" there. Even assuming it should be the name of a template, you have your template defined as "systemevents".

On 6.08.2024 10:53, Gundlapally, Navanitha via rsyslog wrote:
Hi Team,

I've been using rsyslog extensively for our daily operations, but today I ran 
into an issue where the rsyslog template is not getting applied to logs from 
specific devices. I verified that logs are received from these devices using 
tcpdump, and I created a basic template to store logs coming from the specified 
IP addresses. However, it still isn't working.

I enabled debug logging to check for any errors, but there was nothing relevant 
in the debug file, likely because rsyslog isn't able to read those logs. Can 
you help me understand what's going wrong?

My template -
$template systemevents,"/var/syslog/rsyslog/Systemevents/%fromhost-ip%/messages_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
if ($fromhost-ip startswith '1.10.5.2' or $fromhost startswith 'Cxxxxxx1' or $msg contains Cxxxxxxx1') then ?firepower_systemevents


Regards
Navanitha Gundlapally | Team Manager | BISG Security Monitoring | Broadridge 
Financial Solutions (India) Private Limited
Adjacent to Cyber Towers, Hi-Tec City, Madhapur | Hyderabad 500081 Telangana | 
India | m +91 +918790032574

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
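As an added example (not part of this thread and not rsyslog's own tooling), the three checks above as a POSIX shell script. The first function lints a legacy-syntax config for "?name" dynafile references that have no matching "$template name" line, which is the mismatch pointed out in point 3; the second runs the live checks from points 1 and 2 (is imudp bound, is a local firewall or rp_filter in the way, do lines from the sender land in the default log files, does rsyslogd -N1 accept the config). The config it writes is constructed to mirror the shape of the quoted snippet; the sender IP, hostname and port passed to the live checks are placeholders.

```shell
#!/bin/sh
# Added example: diagnostics for "template not applied" in rsyslog.
# write_demo_config() builds a CONSTRUCTED config with the same shape as the
# one quoted in the thread; $2 is the template name used in the "?name" action.
write_demo_config() {
    {
        printf '%s\n' '$template systemevents,"/var/syslog/rsyslog/Systemevents/%fromhost-ip%/messages_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"'
        printf '%s\n' "if (\$fromhost-ip startswith '198.51.100.20') then ?$2"
    } > "$1"
}

# Point 3: print every template referenced as "?name" that has no
# "$template name,..." definition in the same legacy-syntax config file.
rsyslog_template_mismatches() {
    conf="$1"
    defined=$(sed -n 's/^[[:space:]]*[$]template[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$conf")
    referenced=$(grep -o '?[A-Za-z0-9_-]*' "$conf" | sed 's/^?//' | sort -u)
    for ref in $referenced; do
        found=0
        for def in $defined; do
            [ "$ref" = "$def" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$ref"
    done
    return 0
}

# Points 1 and 2: live checks on the collector. $1 = sender IP (placeholder),
# $2 = sender hostname as it appears in messages, $3 = UDP port (default 514).
# tcpdump sees packets before netfilter and rp_filter get to drop them, so a
# capture alone does not prove that rsyslog received anything.
rsyslog_udp_live_checks() {
    port="${3:-514}"
    echo "== is rsyslog (imudp) bound to udp/$port?"
    if command -v ss >/dev/null 2>&1; then
        ss -ulnp | grep ":$port " || echo "nothing bound to udp/$port"
    fi
    echo "== local firewall: DROP/REJECT rules that could eat udp/$port from $1"
    if command -v nft >/dev/null 2>&1; then
        nft list ruleset 2>/dev/null | grep -n -e drop -e reject || true
    fi
    if command -v iptables >/dev/null 2>&1; then
        iptables -S INPUT 2>/dev/null | grep -n -e DROP -e REJECT || true
    fi
    echo "== rp_filter (1 = strict; drops packets whose reverse route is asymmetric)"
    sysctl -n net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter 2>/dev/null || true
    echo "== do lines from $2 reach a default destination at all?"
    grep -l "$2" /var/log/syslog /var/log/messages 2>/dev/null \
        || echo "no lines from $2 in the default log files"
    echo "== does rsyslogd accept the running config?"
    rsyslogd -N1 2>&1 | tail -n 5
}

if [ "${1:-}" = "--live" ]; then
    rsyslog_udp_live_checks "198.51.100.20" "fw01.example" 514
else
    tmp=$(mktemp)
    write_demo_config "$tmp" firepower_systemevents
    echo "referenced but undefined templates (name mismatch):"
    rsyslog_template_mismatches "$tmp"      # firepower_systemevents
    write_demo_config "$tmp" systemevents
    echo "referenced but undefined templates (name fixed):"
    rsyslog_template_mismatches "$tmp"      # (nothing)
    rm -f "$tmp"
fi
```

Run it without arguments to see the lint on the constructed config, or with --live on the collector (as root, for the firewall and rsyslogd checks) to walk through points 1 and 2. The lint only understands the legacy "$template" form used in the thread, not RainerScript template() objects.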