I'm currently trying to figure out why I'm unable to get some filter to work. Due to OS policy, I'm stuck with the version of rsyslog bundled with RHEL6, so that's rsyslog 5.8.10.
I've looked and looked, and can't really see what I'm doing wrong (but I'm sure it's something, since it's not behaving the way I want it to :)

I have configured some templates and two filters in a file, /etc/rsyslog.d/firewall.conf.

-START-
$template dest_no-osl001-asa00_log,"/var/log/firewall/no-osl001-asa00_log/no-osl001-asa00_log-%$YEAR%%$MONTH%%$DAY%"
$template dest_no-osl001-asa00_changelog,"/var/log/firewall/no-osl001-asa00_changelog/no-osl001-asa00_changelog-%$YEAR%%$MONTH%%$DAY%"
if $fromhost-ip == '192.168.1.10' then -?dest_no-osl001-asa00_log
if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then -?dest_no-osl001-asa00_changelog
-STOP-

Here's an example of a log line that gets logged to the filename in the template dest_no-osl001-asa00_log:

May 16 16:19:03 no-osl001-asa00 %ASA-3-611101: User authentication succeeded: Uname: eivind

I know the first part of the match works (the IP address), since these log messages actually make it into the first file. Am I doing something wrong when it comes to the "and $msg contains"-part?

Regards
Eivind Olsen

