I'll have a look into it, but be very busy this week (before holiday season). If I can get a debug log of processing, that would be great. I can't even confirm atm how it is supposed to work (don't remember, need to lookup code).
Rainer El lun., 16 dic. 2019 a las 19:57, David Lang via rsyslog (<[email protected]>) escribió: > > As I understand it, contains only looks for a single string, while == has the > ability to match any of several stings > > so you can't say contains [ list of values ] > > but you can say == [ list of values ] > > I think it would be a useful enhancement to main contains able to match any > of a > list instead of requiring if foo conains bar or foo contains baz > > David Lang > > On Mon, 16 Dec 2019, Peter Viskup via rsyslog wrote: > > > Date: Mon, 16 Dec 2019 09:45:43 +0100 > > From: Peter Viskup via rsyslog <[email protected]> > > To: rsyslog-users <[email protected]> > > Cc: Peter Viskup <[email protected]> > > Subject: [rsyslog] string match filter 'contains' vs. '==' > > > > Running rsyslog 8.1901.0-1 and it seems there is some difference in > > processing these two filters. > > > > On the input there is message which is parsed with hostname property set to > > the IP address exactly. The match with use of 'contains' is not effective, > > while '==' is. > > Is this expected result? > > > > Message example (message is forwarded): > > <133>1 2019-12-13T14:57:36.227429+01:00 10.1.2.5 - - 2019 Dec 13 13:57:36 > > UTC: %AUTHPRIV-5-SYSTEM_MSG: root : TTY=unknown ; > > PWD=/var/sysmgr/sysmgr-subproc ; USER=root ; COMMAND=/sbin/sysctl -q -w > > vm.drop_caches=3 - sudo > > # with debug > > Debug line with all properties: > > FROMHOST: '10.1.2.3', fromhost-ip: '10.1.2.3', HOSTNAME: '10.1.2.5', PRI: > > 133, > > syslogtag '', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-', > > > > filters: > > # does not work > > if $hostname contains ['10.1.2.4', '10.1.2.5'] then > > # does work > > if $hostname contains ['10.1.2.4', '10.1.2.5'] or $hostname == '10.1.2.5' > > then > > > > Following issue is experienced on this message samples. Other properly > > formatted messages from 10.1.2.4 are matched with no issues. There are no > > other type of messages coming from 10.1.2.5 address. > > > > Peter > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > > LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
