This is caused by the intersection of two distinct 'features'. I'm investigating 12.04 Precise LTS with rsyslog version 5.8.6.
Firstly, a caution: the documentation for the imklog module on the rsyslog web-site is not version-specific and therefore cannot be relied upon for clear, accurate information about the version carried by Ubuntu.

The issues are:

1. The imklog module receives Linux kernel log messages. The kernel prefixes those log messages with a time-stamp of the form "[174766.200834] ...". This is rsyslog's %msg% property.
2. The "startswith" compare-operator "Checks if the value is found exactly at the beginning of the property value".

So, when receiving kernel log messages they begin with a time-stamp which prevents use of the "startswith" operator to match on a log message prefix.

In version 7.3.4 of rsyslog released 7 December 2012 the imklog module has the operator "KeepKernelTimeStamp" which can be set to "off" to drop the time-stamps.

--
https://bugs.launchpad.net/bugs/479592
Title: rsyslog doesn't work with property filter 'startswith'
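The interaction described in the comment above can be checked against a rule set before deployment. The following is an added example, not code from the bug report or from rsyslog: it models "startswith" and "contains" as plain string operations on %msg%, as the comment describes them, and lists the "startswith" filters that miss a kernel message only because of the time-stamp prefix. The filter lines, file paths and log messages are constructed sample input.

```python
import re

# Kernel time-stamp at the start of %msg%, e.g. "[174766.200834] ".
KTS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# Property-based filter line of the form  :property, compare-operation, "value"
FILTER = re.compile(r'^:(\w+),\s*(\w+),\s*"((?:[^"\\]|\\.)*)"')

def parse_filters(conf_text):
    """Return (property, operator, value) for each property-based filter line."""
    out = []
    for line in conf_text.splitlines():
        m = FILTER.match(line.strip())
        if m:
            value = re.sub(r"\\(.)", r"\1", m.group(3))  # undo \" and \\ escapes
            out.append((m.group(1).lower(), m.group(2).lower(), value))
    return out

def matches(flt, msg):
    """Evaluate a startswith or contains filter against a %msg% value."""
    _, op, value = flt
    return msg.startswith(value) if op == "startswith" else value in msg

def audit(conf_text, kernel_msgs):
    """List (value, msg) pairs where startswith fails only due to the time-stamp."""
    findings = []
    for flt in parse_filters(conf_text):
        if flt[0] != "msg" or flt[1] != "startswith":
            continue
        for msg in kernel_msgs:
            stripped = KTS.sub("", msg, count=1)
            if stripped != msg and matches(flt, stripped) and not matches(flt, msg):
                findings.append((flt[2], msg))
    return findings

# Constructed sample input (assumptions, not taken from the bug report).
SAMPLE_CONF = '''
:msg, startswith, "FW-DROP: " /var/log/firewall.log
:msg, contains, "FW-DROP: " /var/log/firewall-all.log
:msg, startswith, "[UFW " /var/log/ufw.log
'''
SAMPLE_MSGS = [
    "[174766.200834] FW-DROP: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.2",
    "[174770.004211] usb 1-1: new high-speed USB device number 4",
]

if __name__ == "__main__":
    for value, msg in audit(SAMPLE_CONF, SAMPLE_MSGS):
        print(f'startswith "{value}" misses: {msg}')
```

A finding means the rule silently routes nothing for that message, which matters when the rule is what separates firewall or audit records from the general kernel log.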
