Some work was being done by another team, and they made the following entry in
rsyslog.conf.
$template CustomOP, "%timegenerated% %msg:F,32:2% %HOSTNAME% %msg:F,32:5%
%msg:R,ERE,0,DFLT:\{.*\}--end%\n"
The intent was to create a template that we could apply to certain messages.
In /etc/rsyslog.d/itcm.conf, there were lines that looked like so:
local6.* /var/log/ITCM/itcmlog
& @lnxb40478.cbtmuat.aduat.csx.com; CustomOP
& ~
Again, thinking this would "apply" the CustomOP template to messages destined
for lnxb40478.cbtmuat.aduat.csx.com.
Now, that I've change the lines in itcm.conf to:
local6.* /var/log/ITCM/itcmlog
& @lnxb40478.cbtmuat.aduat.csx.com
& ~
I am not seeing the NO MATCH messages.
R. Singh
Sr. Systems Engineer II, CPS, CSX Technology
904-633-5745
So whether you eat or drink or whatever you do, do it all for the glory of God.
1 Cor. 10:31
-----Original Message-----
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Singh,
Radesh
Sent: Thursday, August 30, 2018 2:02 PM
To: rsyslog-users
Subject: Re: [rsyslog] Help writing a rule
------------------------------------------------------------------------------
WARNING: This email was sent from: rsyslog-boun...@lists.adiscon.com and
originated from outside of the network (vservermail.adiscon.com).
Outlook may display an alternate address.
Use caution when clicking links or sending replies.
------------------------------------------------------------------------------
Taking a look up stream, I'm finding that my rule may be just fine, the
messages appear to originate with the "NO MATCH" tag on it.
R. Singh
Sr. Systems Engineer II, CPS, CSX Technology
904-633-5745
So whether you eat or drink or whatever you do, do it all for the glory of God.
1 Cor. 10:31
-----Original Message-----
From: rsyslog [mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Singh,
Radesh
Sent: Thursday, August 30, 2018 1:43 PM
To: rsyslog@lists.adiscon.com
Subject: [rsyslog] Help writing a rule
------------------------------------------------------------------------------
WARNING: This email was sent from: rsyslog-boun...@lists.adiscon.com and
originated from outside of the network (vservermail.adiscon.com).
Outlook may display an alternate address.
Use caution when clicking links or sending replies.
------------------------------------------------------------------------------
Hello,
I would like to write some rules such that:
If a messages comes in via imudp, or imtcp and contains a specific string in
the rawmsg, that it goes to one log.
If a messages comes in via imudp, or imtcp and contains another string in the
rawmsg, that it goes to another log.
I started with udp messages, and tried the following:
$template ITCMLOG,"/opt/share/ptc_comms_log/itcmlog.log"
$template TRACE,"/opt/share/ptc_comms_log/itcmtrc.log"
if $inputname == "imudp" and $rawmsg contains "<182>1" then ?TRACE if
$inputname == "imudp" and $rawmsg contains "<179>1" then ?ITCMLOG
The first rule seems to work just fine, but the second rule does not seem to be
working.
Instead, I'm seeing messages like this:
tail itcmlog.log
Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341
csxt.b.TNSR1aJ.ELM1 **NO MATCH** Aug 30 13:36:18
lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO
MATCH** Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341
csxt.b.TNSR1aJ.ELM1 **NO MATCH** Aug 30 13:36:18
lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO
MATCH** Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341
csxt.b.TNSR1aJ.ELM1 **NO MATCH** Aug 30 13:36:18
lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO
MATCH** Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341
csxt.b.TNSR1aJ.ELM1 **NO MATCH** Aug 30 13:36:18
lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO
MATCH** Aug 30 13:36:18 lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341
csxt.b.TNSR1aJ.ELM1 **NO MATCH** Aug 30 13:36:18
lnxb42341.cbtmuat.aduat.csx.com <179>1 lnxb42341 csxt.b.TNSR1aJ.ELM1 **NO
MATCH**
At first I thought the NO MATCH messages were occurring because of the first
rule, but since the messages are getting logged, and since I see the string I'm
using to filter "<179>1", I wonder if it's something else.
Thanks,
R. Singh
Sr. Systems Engineer II, CPS, CSX Technology
904-633-5745
[chessie]
H0\/\/ T0/\/\0RR0\/\/ /\/\0\/35
"Give instruction to a wise man, and he will be yet wiser : teach a just man,
and he will increase in learning." - Proverbs 9:9
This email transmission and any accompanying attachments may contain CSX
privileged and confidential information intended only for the use of the
intended addressee. Any dissemination, distribution, copying or action taken in
reliance on the contents of this email by anyone other than the intended
recipient is strictly prohibited. If you have received this email in error
please immediately delete it and notify sender at the above CSX email address.
Sender and CSX accept no liability for any damage caused directly or indirectly
by receipt of this email.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
