I'm having some problems filtering syslog messages based on the originating IP address. I've read the docs and tried the troubleshooting but everything appears to be fine other than it not working!
I'm running Oracle Linux 8 which includes rsyslogd 8.2102.0-15.el8 (aka 2021.02). I have some WiFi APs that send their syslog records to this system and I want to filter out all messages from each AP to a separate log file. Other than the system default configuration, I have only the following additional directives in /etc/rsyslog.d/wifi.conf.

    :fromhost-ip,isequal,"10.0.200.12" /nfssyslog/wifi7u/wifi7u.log
    :fromhost-ip,isequal,"10.0.200.13" /nfssyslog/wifi7dl/wifi7dl.log
    :fromhost-ip,isequal,"10.0.200.14" /nfssyslog/wifi7db/wifi7db.log

These are included (by the default directive) before any other filters etc. Debugging shows that this file is being picked up and the directives processed. SELinux is disabled and root is able to read and write to the target locations. However, messages from the APs are appearing in the main /var/log/messages file instead of the separate files. Here is an example of one such message.

    Nov 3 10:57:27 10.0.200.12 [1730631444.907409388] AP MAC=20:36:26:d0:93:80 MAC SRC=74:42:18:5f:a5:0f#015#012[1730631445.463578180] AP MAC=20:36:26:d0:93:80 MAC SRC=74:42:18:5f:a5:0f#015#012[1730631446.585732055] AP MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631446.585792680] AP MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631446.590326139] AP MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631446.596077389] AP MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.109761180] AP MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.214155306] AP MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.465093264] AP MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.467123889] AP MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.634071972] AP MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015

I'd appreciate any suggestions as to what the problem might be, or how to debug this further.

Thanks,
Chris