I've recently upgraded to 8.x and I think I need to update some of my
rsyslog configs. Where I used to have something like this:

:msg, startswith, "SOURCE ADDRESS DROP: " -/var/log/iptables.log
& ~

I think I need to move to something like this:

if ($msg startswith "SOURCE ADDRESS DROP: ") then {
   action(type="omfile" file="/var/log/iptables.log" template="outfmt")
   stop
}

I've tried this, but I've run into a few problems. First, I've
noticed that the startswith isn't matching anymore. There seems
to be a timestamp at the beginning of the messages now, but I'm not
sure what's providing it. For example, this is what I see in
/var/log/messages:

Sep 22 15:57:42 myserver kernel: [344863.908035] SOURCE ADDRESS DROP:
IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=0.0.0.0
DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

That timestamp value within [] seems to be new, so a startswith
"SOURCE ADDRESS DROP: " isn't matching anymore.

The bigger problem I've noticed is that replacing the :msg syntax with
the if..then syntax above results in rsyslog not logging anything,
anywhere.  It's running according to both ps and systemctl, but
there's no output.  Removing the if..then syntax brings back logging,
though nothing gets logged to the iptables.log file.

Can someone point out what I'm doing wrong?

Thanks,

-- 
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------

“Space,” it says, “is big. Really big. You just won’t believe how
vastly, hugely, mindbogglingly big it is. I mean, you may think it’s
a long way down the road to the chemist’s, but that’s just peanuts to
space.”
- The Hitchhikers Guide to the Galaxy
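A RainerScript version of the filter the post describes, added here as an example and not taken from the poster's message or from the rsyslog project. It assumes the same marker string, defines the template `outfmt` inline (the post's config references it without defining it), and matches with `contains` instead of `startswith`, because the kernel prefixes its messages with a `[seconds.micros]` uptime stamp (visible in the /var/log/messages line above) and `$msg` commonly carries a leading space after the `kernel:` tag.

```conf
# Added example, not from the original post: rsyslog v7+/v8 RainerScript
# equivalent of the legacy ":msg, startswith, ... ; & ~" pair.

# Template name "outfmt" is an assumption; the post uses it but never defines
# it, and an undefined template name makes rsyslog refuse the ruleset.
template(name="outfmt" type="string"
         string="%timegenerated% %hostname% %msg%\n")

# The kernel message looks like " [344863.908035] SOURCE ADDRESS DROP: IN=eth0 ...",
# so the marker is no longer at offset 0 of $msg. "contains" ignores the
# uptime stamp and any leading whitespace; "stop" replaces the old "& ~".
if ($msg contains "SOURCE ADDRESS DROP: ") then {
    action(type="omfile" file="/var/log/iptables.log" template="outfmt")
    stop
}
```

Check the result with `rsyslogd -N1` before restarting; a configuration error reported there explains a service that runs but writes nothing.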
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog