You should review rsyslog error logs. I guess you have something similar to this in them:
rsyslogd: error during parsing file rstb_314075_f7994d4f_.conf, on or before line 17: invalid character '!' in expression - is there an invalid escape sequence somewhere? [v8.1911.0.master try https://www.rsyslog.com/e/2207 ] Bottom line: !contains is not a proper script operator. The correct if statement is if not $msg contains "msgnum:" then { I guess the rest is due to the config error. HTH Rainer El mié., 30 oct. 2019 a las 20:06, Christian, Mark via rsyslog (<[email protected]>) escribió: > > I have a ruleset that attempts to output to omfile, omkafka and > omelasticsearch. All of the events are received on imtcp. I'm > attempting to discard some of the events for omfile. I was trying to > do something like the following: > > ruleset(name="process_events" { > > if $msg !contains "unwanted space delimited string" then { > action(type="omfile" > <snip> > ) > } > action(type="omkafka" > <snip> > ) > action(type="omelasticsearch" > <snip> > ) > } > > It seems !contains is being misinterrupted, and that the only events > omfile processes are events containing "unwanted space delimited > string". I assume contains can work on strings with spaces. I'm > wondering what I have wrong with the above. > > This is on rsyslog-8.1910.0-0adiscon1xenial1 > > Mark Christian > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
