On Thu, 3 Sep 2015, Brandon Phelps wrote:
> Using the regex tool on the site, I’ve different methods of catching these
> logs, none of which worked. Explanations below:
>
> Method 1:
> :fromhost-ip, regex, ‘^192\.168\.[0-9]{1,3}\.(1|33)$' /var/log/cisco-router.log
> & ~
>
> This doesn’t work at all, the logs end up in /var/log/syslog seemingly because
> the regex doesn’t match.
>
> Method 2:
> if re_match($fromhost-ip, ‘^192\.168\.[0-9]{1,3}\.(1|33)$') then {
> *.* /var/log/cisco-router.log
> & ~
> }
>
> This logs *everything* to /var/log/cisco-router, even messages where the
> fromhost-ip certainly doesn’t match the regex.

when I've seen this it's been because of a syntax error. run rsyslogd -N2 and
see if it reports any errors.
for what it's worth, you could re-write this as
if re_match($fromhost-ip, ‘192\.168\.[0-9]{1,3}\.(1|33)$') then {
/var/log/cisco-router.log
stop
}
you don't need the ^ anchor (the pattern isn't going to match anything else
anyway)
you don't need *.* (it's a no-op)
you don't need & (you are in the middle of a {} section)
~ can be written as 'stop' for clarity.
the above probably still has the error that triggered everything getting logged.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
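An added example, not part of the original thread: an offline check of which source addresses the regex from the messages above selects, with and without the ^ anchor, plus a check for non-ASCII bytes (such as the typographic quote visible in the snippets as rendered here) that is worth running on pasted config text. It assumes grep -E (POSIX ERE) behaves like the regex engine rsyslog uses; the sample addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: grep -E (POSIX ERE)
# stands in for the regex matching rsyslog applies to $fromhost-ip.

ANCHORED='^192\.168\.[0-9]{1,3}\.(1|33)$'
UNANCHORED='192\.168\.[0-9]{1,3}\.(1|33)$'

# Constructed sample source addresses; only the first three should match.
SAMPLES='192.168.0.1 192.168.10.33 192.168.255.1 192.168.1.2 192.168.1.133
192.168.1.11 10.168.1.1 192.169.1.33 172.16.0.1 1.192.168.1'

# re_match_ip PATTERN STRING: exit status 0 when STRING matches PATTERN.
re_match_ip() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# selected PATTERN: print the sample addresses PATTERN selects.
selected() {
    out=''
    for ip in $SAMPLES; do
        if re_match_ip "$1" "$ip"; then out="$out$ip "; fi
    done
    printf '%s\n' "${out% }"
}

# non_ascii_lines: count stdin lines holding a byte outside printable
# ASCII and tab, e.g. a typographic quote pasted into a config file.
non_ascii_lines() {
    tab=$(printf '\t')
    LC_ALL=C grep -a -c "[^ -~$tab]" || true
}

echo "anchored:   $(selected "$ANCHORED")"
echo "unanchored: $(selected "$UNANCHORED")"
```

Piping a config file into non_ascii_lines before running rsyslogd -N2 rules out pasted typographic characters as the source of a syntax error.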