Got it, thanks so much! I ended up going with this:
---
# cat /etc/rsyslog.d/kern.conf
:syslogtag, isequal, "kernel:" *.* /var/log/kern.log
---

Thanks again,
Zak

On Tue, Nov 4, 2014 at 12:07 PM, David Lang <[email protected]> wrote:

> Well, you can filter on syslogtag 'kernel:'
>
> http://www.rsyslog.com/doc/v8-stable/configuration/filters.html
> http://www.rsyslog.com/doc/property_replacer.html
>
> On Tue, 4 Nov 2014, Zak Estrada wrote:
>
>> Got it, so does this mean that even though it's coming from "syslogtag
>> 'kernel:', programname: 'kernel', APP-NAME: 'kernel'" I need to construct
>> my rule to catch user.notice? How can I go about making an rsyslog message
>> that would get these messages into the logs without grabbing other stuff
>> (I'm guessing things other than kernel debug messages would come along with
>> that user.notice priority).
>>
>> Thanks!
>> --Zak
>>
>> On Mon, Nov 3, 2014 at 11:41 PM, David Lang <[email protected]> wrote:
>>
>>> Pri 1,5 is user.notice, not kern.debug
>>>
>>> the debug log will show you what happens in detail as you are processing
>>> the log, including each test that is performed.
>>>
>>> David Lang
>>>
>>> On Mon, 3 Nov 2014, Zak Estrada wrote:
>>>
>>>> Thanks for the reply! I did that and I do see my "hello world" message:
>>>> ---
>>>> Debug line with all properties:
>>>> FROMHOST: 'HOSTNAME', fromhost-ip: '127.0.0.1', HOSTNAME: 'HOSTNAME',
>>>> PRI: 1
>>>> 5,
>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>>> '-', MSGID: '-',
>>>> TIMESTAMP: 'Nov 3 18:11:09', STRUCTURED-DATA: '-',
>>>> msg: 'Hello world!'
>>>> escaped msg: 'Hello world!'
>>>> inputname: imjournal rawmsg: 'Hello world!'
>>>> ---
>>>>
>>>> So now we've definitely confirmed that rsyslog is getting the message. Is
>>>> there a way to demonstrate that it's trying to write to /var/log/kern.log
>>>> as I've configured it (or that the message is going someplace else)?
>>>>
>>>> Thanks again,
>>>> Zak
>>>>
>>>> On Mon, Nov 3, 2014 at 4:14 PM, David Lang <[email protected]> wrote:
>>>>
>>>>> If you log with the format RSYSLOG_DebugFormat you will be able to see
>>>>> what the log shows up as
>>>>>
>>>>> add the line:
>>>>> /var/log/testing;RSYSLOG_DebugFormat
>>>>> to your config file and see what shows up there as you load your module.
>>>>>
>>>>> David Lang
>>>>>
>>>>> On Mon, 3 Nov 2014, Zak Estrada wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I'm using CENTOS7 and I've been trying to get my KERN_DEBUG messages into a
>>>>>> log file (/var/log/kern.log), so I've added a file to rsyslog.d that just
>>>>>> has this one line in it:
>>>>>> ---
>>>>>> kern.=debug /var/log/kern.log
>>>>>> ---
>>>>>>
>>>>>> After restarting rsyslog and loading a "hello world" type module, I still
>>>>>> don't get anything in that file (or /var/log/messages, since it only seems
>>>>>> to show KERN_INFO, etc...). I've even tried creating the file manually,
>>>>>> ensuring permissions and SELinux contexts matched other stuff in /var/log.
>>>>>>
>>>>>> I then decided to run rsyslog with debug mode (plain old "rsyslogd -dn") to
>>>>>> see if rsyslog was getting tickled when I loaded my module. Sure enough, it
>>>>>> was. However, I cannot understand the debug output.
>>>>>>
>>>>>> The output is included in this pastebin:
>>>>>> http://pastebin.com/wFdt7xYr
>>>>>>
>>>>>> Can anyone help me interpret the debugging output or what I'm doing wrong?
>>>>>>
>>>>>> Thanks!
>>>>>> --Zak
>>>>>> _______________________________________________
>>>>>> rsyslog mailing list
>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>> http://www.rsyslog.com/professional-services/
>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>>> DON'T LIKE THAT.
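
Why the `kern.=debug` selector in this thread never fired while the syslogtag filter does, as an added example (not code from the thread or from rsyslog): a simplified model of selector and property matching, run on a message constructed from the quoted debug line. PRI 13 is an assumption, derived from the reply's "Pri 1,5" as facility 1, severity 5.

```python
# Added example: simplified model of rsyslog's selector and property filters.
# It is not rsyslog code; it covers only '*', 'fac.sev' and 'fac.=sev' selectors.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + ["reserved%d" % n for n in range(12, 16)]
              + ["local%d" % n for n in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed from the debug line in the thread. PRI 13 is an assumption:
# facility 1, severity 5 ("Pri 1,5") encoded as facility * 8 + severity.
SAMPLE = {"pri": 13, "syslogtag": "kernel:", "programname": "kernel",
          "inputname": "imjournal", "msg": "Hello world!"}

def decode_pri(pri):
    """Return (facility, severity) names for a numeric PRI value."""
    if not 0 <= pri < len(FACILITIES) * 8:
        raise ValueError("PRI out of range: %r" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def selector_matches(selector, pri):
    """Evaluate a 'facility.severity' selector against a PRI value."""
    want_fac, want_sev = selector.split(".", 1)
    facility, severity = decode_pri(pri)
    if want_fac != "*" and want_fac != facility:
        return False
    if want_sev == "*":
        return True
    if want_sev.startswith("="):          # '=sev' means exactly this severity
        return severity == want_sev[1:]
    # A bare severity matches that level and everything more severe.
    return SEVERITIES.index(severity) <= SEVERITIES.index(want_sev)

def isequal(message, prop, value):
    """Property-based filter ':prop, isequal, "value"' (exact string compare)."""
    return message.get(prop) == value

def route(message):
    """Show which of the thread's two rules would write this message."""
    return {"kern.=debug": selector_matches("kern.=debug", message["pri"]),
            ':syslogtag, isequal, "kernel:"': isequal(message, "syslogtag", "kernel:")}

if __name__ == "__main__":
    print(decode_pri(SAMPLE["pri"]), route(SAMPLE))
```

The tag comparison is on a string the sender supplies, so it keeps any message tagged `kernel:` whatever its facility, whereas the selector depends only on PRI.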

