[rsyslog-notify] Forum Thread: Re: Rsyslog not redirecting matched msg to file - (Mode 'reply')
noreply at adiscon.com
Tue Feb 17 00:21:09 CET 2015
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25258#p25258
Message:
----------
When filtering fails, there are two possible answers:

1. Permission problems make it so you can't write the output.
2. Your filter rules don't actually match the log message that you get.

To address #2, write messages with the format RSYSLOG_DebugFormat somewhere
and show us a sample log it produces. If you have too high a volume of
traffic to do this for everything, you can do

    if $rawmsg contains 'iptables' then /var/log/debugfile;RSYSLOG_DebugFormat

so that it will output any line that has iptables anywhere in the log entry
without logging everything.

You also haven't mentioned what versions of anything you are running or
what distro you are using (for example, if you are using systemd, it has a
significant effect on things).

Your debug log isn't useful because it doesn't cover the time when any logs
that should match your filter are being processed.

Do you have kernel logs showing up anywhere in your configuration?

Having finished typing all of the above, I notice that your filter is
testing $msg, but iptables is probably the $programname or $systemtag, not
$msg. This is exactly what the debugformat will show you.
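
Added example, not part of the original post and not rsyslog code: a simplified Python model of how one raw syslog line is split into the properties a filter can test, showing why a `contains 'iptables'` test can match one property and miss another. The regex, the function names and both sample lines are constructed for illustration; rsyslog's real parser handles more cases.

```python
import re

# Simplified split of "<PRI>Mmm dd hh:mm:ss host tag: text" (assumption: this
# only approximates the property split that RSYSLOG_DebugFormat would print).
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<syslogtag>[^\s:\[]+(?:\[\d+\])?:?)"
    r"(?P<msg>.*)$"
)

def split_properties(rawmsg):
    """Return the properties a filter could test for one raw line."""
    m = RFC3164.match(rawmsg)
    if m is None:
        # Unparseable header: treat the whole line as the message text.
        return {"rawmsg": rawmsg, "syslogtag": "", "programname": "", "msg": rawmsg}
    props = m.groupdict()
    props["rawmsg"] = rawmsg
    # programname is the static part of the tag: "iptables[812]:" -> "iptables"
    props["programname"] = re.split(r"[\[:/ ]", props["syslogtag"], maxsplit=1)[0]
    return props

def properties_containing(rawmsg, needle):
    """Names of the properties for which '<property> contains needle' is true."""
    props = split_properties(rawmsg)
    names = ("rawmsg", "syslogtag", "programname", "msg")
    return sorted(n for n in names if needle in props[n])

# Constructed sample lines: a kernel netfilter LOG entry and a daemon-style tag.
SAMPLES = [
    "<4>Feb 17 00:21:09 fw1 kernel: [1234.567] iptables-drop: IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22",
    "<30>Feb 17 00:21:10 fw1 iptables[812]: ruleset reloaded",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(properties_containing(line, "iptables"), "<-", line[:60])
```

In both cases `$rawmsg` matches, which is why the debug rule in the post filters on it before deciding which property the real rule should test.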