Hi, could you run it in debug mode and post the relevant part of a log message being processed? I guess that %programname% gets some weird value...
Rainer > -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Jan-Frode Myklebust > Sent: Wednesday, January 27, 2010 1:43 PM > To: [email protected] > Subject: [rsyslog] filtering postfix/smtpd > > I'm drowning in logs from postfix/smtpd, and need to filter these > messages out to a separate file. The maillog looks something like: > > Jan 27 13:34:02 asav5.example.net postfix/lmtp[31977]:: 53843908E2: > to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10020, delay=0.54, > delays=0.03/0.33/0.01/0.49, dsn=2.0.0, status=sent (250 2.0.0 Ok: > queued as 249FB906AD) > Jan 27 13:34:02 asav3.example.net postfix/smtpd[12077]:: connect from > 26.81-111-54.customer.example.net[21.111.54.26] > Jan 27 13:34:02 asav5.example.net postfix/qmgr[32165]:: 53843908E2: > removed > Jan 27 13:34:02 asav3.mro.example.net postfix/smtpd[12077]:: > disconnect from 26.81-111-54.customer.example.net[21.111.54.26] > > So I want to separate out the lines from "postfix/smtpd" to > its own file, and not touch the postfix/lmtp or postfix/qmgr > or whatever-lines. > > >From the documentation it seems to me that I should be able > to use: > > :programname, isequal, "postfix/smtpd" - > ?HourlyMaillogNonSplunked;MaillogTemplate > :programname, isequal, "postfix/smtpd" ~ > > But these doesn't match anything. If I use simply "postfix", > it matched all "postfix/*" messages: > > :programname, isequal, "postfix" - > ?HourlyMaillogNonSplunked;MaillogTemplate > :programname, isequal, "postfix" ~ > > So, any idea for how I can match just "postfix/smtpd" ? > > > -jf > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
