We would have to see the sample logs to see if there is a better way to match them. But if the filter is matching things that then don't have that string in it, it does sound like a bug.

Unfortunately, 5.8 is ancient (the current version is 8.13), so it's far past the point where the community will dig into a bug like this. If you have similar problems with a current version, then we would dig into it.

David Lang

 On Fri, 30 Oct 2015, Ryan Ward wrote:

Date: Fri, 30 Oct 2015 10:06:14 -0400
From: Ryan Ward <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] filter auditd messages

Hi,

I am trying to filter auditd messages at a central aggregation server. I have the following expression:

if $msg contains 'msg=audit' then -/var/log/agg-auditd.log

I have found other messages hit this expression and I am not sure how?

If I grep -v "msg=audit" on the file, random lines will sneak in that do not contain msg=audit. Is this typical? Is there a better way to filter the audit daemon messages? I'm using 5.8.10.

Thanks,
Ryan
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
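Before sample logs can be compared, it helps to know whether the stray lines grep -v reports are whole records the filter let through, or only the tail of audit records that contain an embedded newline and were written as several physical lines. The script below is an added example, not code from the thread or from rsyslog; the sample file is constructed, and it assumes that a physical line without a syslog timestamp header is a continuation of the previous record.

```python
import re

# Constructed sample of an aggregated auditd file (not real log data). The
# third record carries an embedded newline, so its continuation is a physical
# line without "msg=audit" even though the filter matched the whole record.
# The sshd line is a complete record that the filter should not have passed.
SAMPLE_FILE = (
    "Oct 30 10:01:02 host1 audispd: node=host1 type=SYSCALL msg=audit(1446195662.001:101): syscall=59 success=yes\n"
    "Oct 30 10:01:03 host1 audispd: node=host1 type=EXECVE msg=audit(1446195663.002:101): argc=2 a0=\"ls\" a1=\"-l\"\n"
    "Oct 30 10:01:04 host1 audispd: node=host1 type=USER_CMD msg=audit(1446195664.003:102): pid=1234 uid=1000\n"
    " cmd=6C73202D6C terminal=pts/0 res=success\n"
    "Oct 30 10:01:05 host2 sshd[999]: Accepted publickey for ryan from 10.0.0.5 port 4444 ssh2\n"
)

# RFC 3164 style header: "Mon DD HH:MM:SS hostname " (assumption about the format)
HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")
NEEDLE = "msg=audit"


def split_records(text):
    """Group physical lines into logical syslog records: a line that starts
    with a syslog header opens a new record; any other line is treated as a
    continuation of the previous one (an embedded newline in the message)."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records


def classify(text):
    """Return (whole_record_misses, continuation_fragments).

    whole_record_misses: complete records that really lack NEEDLE, i.e. the
    filter passed something it should not have (worth reporting with samples).
    continuation_fragments: physical lines without NEEDLE that belong to a
    record which does contain it; grep -v flags them but the filter was right.
    """
    misses, fragments = [], []
    for rec in split_records(text):
        if NEEDLE not in rec:
            misses.append(rec)
        else:
            fragments.extend(line for line in rec.split("\n")[1:] if NEEDLE not in line)
    return misses, fragments


if __name__ == "__main__":
    misses, fragments = classify(SAMPLE_FILE)
    print(f"{len(misses)} whole record(s) without {NEEDLE!r}: {misses}")
    print(f"{len(fragments)} continuation line(s) only grep -v would flag: {fragments}")
```

Run it against the aggregated file instead of SAMPLE_FILE; only the first list is evidence of the filter misbehaving.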
