Hi,
today I converted a configuration into the modern syntax and run into
the problem that most msg values seems to start with a space character
which I didn't covered in my "startwith" value:
> Debug line with all properties:
> FROMHOST: 'srv42', fromhost-ip: '127.0.0.1', HOSTNAME: 'srv42', PRI: 22,
> syslogtag 'dovecot:', programname: 'dovecot', APP-NAME: 'dovecot', PROCID:
> '-', MSGID: '-',
> TIMESTAMP: 'Jan 24 21:18:17', STRUCTURED-DATA: '-',
> msg: ' pop3-login: Disconnected (tried to use disallowed plaintext auth):
> user=<>, rip=1.2.3.4, lip=9.8.7.6'
> escaped msg: ' pop3-login: Disconnected (tried to use disallowed plaintext
> auth): user=<>, rip=1.2.3.4, lip=9.8.7.6'
> inputname: imuxsock rawmsg: '<22>Jan 24 21:18:17 dovecot: pop3-login:
> Disconnected (tried to use disallowed plaintext auth): user=<>, rip=1.2.3.4,
> lip=9.8.7.6'
> $!:
> $.:
> $/:
Is this normal? Why don't we trim messages per default (we still have
rawmsg for people who don't like that)?
Writing rules like
> if $programname == 'dovecot' then {
> if $msg startswith ' pop3' then {
> action(
> type="omfile"
> File="/var/log/dovecot.log"
> FileOwner="root"
> FileGroup="adm"
> asyncWriting="on"
> flushInterval="30"
> )
> stop
> }
> else if ... {
> ...
> }
> }
isn't intuitive, is it? For example I started with a vanilla rsyslog
configuration, read the mail.log, found something like
> Jan 24 21:18:17 srv42 dovecot: pop3-login: Disconnected (tried to use
> disallowed plaintext auth): user=<>, rip=1.2.3.4, lip=9.8.7.6
I wanted to separate from mail.log. I would never expect that the msg
start with " pop3-login" instead of "pop3-login".
-Thomas
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
