Hello, Confession... I'm still learning rsyslog after many years of working with syslog-ng. I'm using rsyslog-8.4.0-8.3 on a SLES12.1 system and am trying to capture my ESXi host logs.
Here is my current filter for those: cat /etc/rsyslog.d/ESXi.conf template(name="ESXi_app" type="string" string="/var/splunk-syslog/ESXi/%FROMHOST%/%FROMHOST%-%$NOW%.log") if $hostname startswith ["cdcubde", "sdcubde", "sdcubpe", "cdcubpe", "cdcubdmz", "cdcurpe", "sdcurpe"] then { action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" dynaFile="ESXi_app") } else { if $programname contains ["Hostd", "Vpxa", "xmlns", "soapenv", "cdcubpe02"] then { action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" dynaFile="ESXi_app") } stop } I added the extra "else/if" because even though the 'startwith' was mostly working, it wasn't working 100%. And, now even with the extra else/if some messages are still falling through to my "Unknownl" and I don't understand why. Example message that is falling through - cat Unknown/cdcubdmz01.mycompany.com/cdcubdmz01.mycompany.com-2016-12-01.log 2016-12-01T10:01:22.690936-05:00 cdcubdmz01.mycompay.com soapenv: Body><HostImageConfigGetAcceptanceResponse xmlns='urn:vim25'><returnval>partner</returnval></HostImageConfigGetAcceptanceResponse></soapenv:Body></soapenv:Envelope> I'm using different configs in /etc/rsyslog.d/ for the different filters (ESXi, FireEye, PaloAlto, etc), then my Unknown filter is in the /etc/rsyslog.conf file. Is that approach wrong? >From my rsyslog.conf: template(name="Unknown" type="string" string="/var/splunk-syslog/Unknown/%HOSTNAME%/%FROMHOST%-%$NOW%.log") *.* action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" dynaFile="Unknown") Any help would be greatly appreciated. Thanks, Patrick ---------------------------------------------------------------------- This email and any files transmitted with it are confidential and intended solely for the use of the addressee. If you are not the intended addressee, then you have received this email in error and any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please notify us immediately of your unintended receipt by reply and then delete this email and your reply. Tyson Foods, Inc. and its subsidiaries and affiliates will not be held liable to any person resulting from the unintended or unauthorized use of any information contained in this email or as a result of any additions or deletions of information originally contained in this email. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.