normally the logs would appear in the main /var/log/messages as well as other
files (unless you have a stop command somewhere in your configs)
we would need to see your full combined config; you can generate this by
starting rsyslog with -o /path/to/file
the other thing to do is to log the messages with the template
RSYSLOG_DebugFormat so you can see exactly how the log is being parsed in case
it's showing something different than you expect
also note that a Feb 2021 release is getting pretty old at this point. But your
problem is unlikely to be a code bug and instead is probably a config bug
David Lang
On Sun, 3 Nov 2024, Chris Jenkins via rsyslog wrote:
Date: Sun, 3 Nov 2024 11:17:20 +0000
From: Chris Jenkins via rsyslog <rsyslog@lists.adiscon.com>
To: Rsyslog mailing list <rsyslog@lists.adiscon.com>
Cc: Chris Jenkins <chris.d.jenk...@icloud.com>
Subject: [rsyslog] Problem with filtering by IP address
I'm having some problems filtering syslog messages based on the originating IP
address. I've read the docs and tried the troubleshooting but everything
appears to be fine other than it not working!
I'm running Oracle Linux 8 which includes rsyslogd 8.2102.0-15.el8 (aka
2021.02). I have some WiFi APs that send their syslog records to this system
and I want to filter out all messages from each AP to a separate log file.
Other than the system default configuration, I have only the following
additional directives in /etc/rsyslog.d/wifi.conf.
:fromhost-ip,isequal,"10.0.200.12" /nfssyslog/wifi7u/wifi7u.log
:fromhost-ip,isequal,"10.0.200.13" /nfssyslog/wifi7dl/wifi7dl.log
:fromhost-ip,isequal,"10.0.200.14" /nfssyslog/wifi7db/wifi7db.log
These are included (by the default directive) before any other filters etc.
Debugging shows that this file is being picked up and the directives processed.
SELinux is disabled and root is able to read and write to the target locations.
However, messages from the APs are appearing in the main /var/log/messages file
instead of the separate files. Here is an example of one such message.
Nov 3 10:57:27 10.0.200.12 [1730631444.907409388] AP MAC=20:36:26:d0:93:80 MAC
SRC=74:42:18:5f:a5:0f#015#012[1730631445.463578180] AP MAC=20:36:26:d0:93:80
MAC SRC=74:42:18:5f:a5:0f#015#012[1730631446.585732055] AP
MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631446.585792680]
AP MAC=20:36:26:d0:93:80 MAC
SRC=10:00:20:5b:4e:86#015#012[1730631446.590326139] AP MAC=20:36:26:d0:93:80
MAC SRC=10:00:20:5b:4e:86#015#012[1730631446.596077389] AP
MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.109761180]
AP MAC=20:36:26:d0:93:80 MAC
SRC=10:00:20:5b:4e:86#015#012[1730631447.214155306] AP MAC=20:36:26:d0:93:80
MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.465093264] AP
MAC=20:36:26:d0:93:80 MAC SRC=10:00:20:5b:4e:86#015#012[1730631447.467123889]
AP MAC=20:36:26:d0:93:80 MAC
SRC=10:00:20:5b:4e:86#015#012[1730631447.634071972] AP MAC=20:36:26:d0:93:80
MAC SRC=10:00:20:5b:4e:86#015
I'd appreciate any suggestions as to what the problem might be, or how to debug
this further.
Thanks,
Chris
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
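The following is an added example, not part of the thread above or of the rsyslog project's own documentation. It rewrites the three legacy selectors from Chris's /etc/rsyslog.d/wifi.conf in RainerScript and adds the two things David asks for: a diagnostic action using the built-in RSYSLOG_DebugFormat template, and an explicit stop after each per-AP file so the messages do not also land in /var/log/messages. The AP addresses and target paths are those from the original post; /var/log/rsyslog-debug.log is an assumed placeholder path for the diagnostic output.

```rsyslog
# Added example (not from the list thread). Assumptions: AP addresses and
# per-AP paths as in the original post; /var/log/rsyslog-debug.log is a
# placeholder for the diagnostic file.

# 1. Diagnostic: write every message with the built-in RSYSLOG_DebugFormat
#    template. It prints each parsed property (hostname, fromhost,
#    fromhost-ip, msg, ...) on its own line, so you can see what
#    fromhost-ip actually contains. Keep it only while troubleshooting;
#    it is verbose.
action(type="omfile" file="/var/log/rsyslog-debug.log"
       template="RSYSLOG_DebugFormat")

# 2. Route on the delivering IP. fromhost-ip is the address the datagram
#    arrived from, not the hostname field inside the message; if the APs
#    send through a relay, this is the relay's address. The stop after each
#    action ends processing for that message, so it does not fall through
#    to the default rules and /var/log/messages.
if $fromhost-ip == "10.0.200.12" then {
    action(type="omfile" file="/nfssyslog/wifi7u/wifi7u.log")
    stop
}
if $fromhost-ip == "10.0.200.13" then {
    action(type="omfile" file="/nfssyslog/wifi7dl/wifi7dl.log")
    stop
}
if $fromhost-ip == "10.0.200.14" then {
    action(type="omfile" file="/nfssyslog/wifi7db/wifi7db.log")
    stop
}
```

Before restarting, `rsyslogd -N 1` checks the syntax, and `rsyslogd -o /path/to/file` (the option David mentions) writes out the fully combined configuration so the ordering of this fragment relative to the distribution's default rules can be verified. The debug file then shows, per message, whether fromhost-ip holds the AP address the filter expects or something else (for example the address of an intermediate relay).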