Some work was being done by another team, and they made the following entry in rsyslog.conf.

    $template CustomOP, "%timegenerated% %msg:F,32:2% %HOSTNAME% %msg:F,32:5% %msg:R,ERE,0,DFLT:\{.*\}--end%\n"

The intent was to create a template that we could apply to certain messages. In /etc/rsyslog.d/itcm.conf, there were lines that looked like so:

    local6.* /var/log/ITCM/itcmlog
    & @lnxb40478.cbtmuat.aduat.csx.com; CustomOP
    & ~

Again, thinking this would "apply" the CustomOP template to messages destined for lnxb40478.cbtmuat.aduat.csx.com.

Now that I've changed the lines in itcm.conf to:

    local6.* /var/log/ITCM/itcmlog
    & @lnxb40478.cbtmuat.aduat.csx.com
    & ~

I am not seeing the NO MATCH messages.

R. Singh
Sr. Systems Engineer II, CPS, CSX Technology
904-633-5745
So whether you eat or drink or whatever you do, do it all for the glory of God. 1 Cor. 10:31

-----Original Message-----
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Singh, Radesh
Sent: Thursday, August 30, 2018 2:02 PM
To: rsyslog-users
Subject: Re: [rsyslog] Help writing a rule

Taking a look upstream, I'm finding that my rule may be just fine, the messages appear to originate with the "NO MATCH" tag on it.

R. Singh

-----Original Message-----
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Singh, Radesh
Sent: Thursday, August 30, 2018 1:43 PM
To: rsyslog@lists.adiscon.com
Subject: [rsyslog] Help writing a rule

Hello,

I would like to write some rules such that:

If a message comes in via imudp, or imtcp and contains a specific string in the rawmsg, that it goes to one log.
If a message comes in via imudp, or imtcp and contains another string in the rawmsg, that it goes to another log.

I started with udp messages, and tried the following:

    $template ITCMLOG,"/opt/share/ptc_comms_log/itcmlog.log"
    $template TRACE,"/opt/share/ptc_comms_log/itcmtrc.log"

    if $inputname == "imudp" and $rawmsg contains "<182>1" then ?TRACE
    if $inputname == "imudp" and $rawmsg contains "<179>1" then ?ITCMLOG

The first rule seems to work just fine, but the second rule does not seem to be working. Instead, I'm seeing messages like this:

    tail itcmlog.log
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**
    Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO MATCH**

At first I thought the NO MATCH messages were occurring because of the first rule, but since the messages are getting
logged, and since I see the string I'm using to filter "<179>1", I wonder if it's something else.

Thanks,
R. Singh
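
Added example, not part of the thread and not rsyslog's own code: "**NO MATCH**" is the string rsyslog's regex property replacer emits in DFLT no-match mode, which is the mode the CustomOP template uses. The Python model below evaluates that template's three property-replacer expressions on constructed messages; the function names, sample payloads and host.example are assumptions made for illustration.

```python
import re

# Replacement strings for the no-match modes of %prop:R,...%.
# FIELD mode (return the whole property) is handled in regex() below.
NOMATCH = {"DFLT": "**NO MATCH**", "BLANK": "", "ZERO": "0"}


def field(msg, delim_code, n):
    """Model of %msg:F,<delim_code>:<n>%: n-th (1-based) delimited field."""
    parts = msg.split(chr(delim_code))
    # Simplification of this model: an out-of-range field yields "".
    return parts[n - 1] if 0 < n <= len(parts) else ""


def regex(msg, pattern, submatch=0, nomatch="DFLT"):
    """Model of %msg:R,ERE,<submatch>,<nomatch>:<pattern>--end%."""
    m = re.search(pattern, msg)
    if m:
        return m.group(submatch)
    return msg if nomatch == "FIELD" else NOMATCH[nomatch]


def render_custom_op(timegenerated, hostname, msg, nomatch="DFLT"):
    """Render the thread's CustomOP template for one message."""
    return "%s %s %s %s %s\n" % (
        timegenerated,
        field(msg, 32, 2),                  # %msg:F,32:2%
        hostname,                           # %HOSTNAME%
        field(msg, 32, 5),                  # %msg:F,32:5%
        regex(msg, r"\{.*\}", 0, nomatch),  # %msg:R,ERE,0,DFLT:\{.*\}--end%
    )


# Constructed sample payloads (not taken from the thread).
WITH_BRACES = 'a1 b2 c3 d4 e5 {"k": "v"}'
WITHOUT_BRACES = "a1 b2 c3 d4 e5 plain text payload"

if __name__ == "__main__":
    for sample in (WITH_BRACES, WITHOUT_BRACES):
        print(render_custom_op("Aug 30 13:36:18", "host.example", sample), end="")
    # Same message with BLANK instead of DFLT: the sentinel disappears.
    print(repr(render_custom_op("Aug 30 13:36:18", "host.example",
                                WITHOUT_BRACES, nomatch="BLANK")))
```

Any message whose payload has no {...} span is forwarded with the sentinel in place of the payload, so a collector that sees it should treat it as a template problem on the sender rather than as message content.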