Hi,

I appreciate very much the helpful attitude and practical suggestions we have received over the last few days. Thank you.

Logging with RSYSLOG_DebugFormat explains it all. As has been said by Rainer, earlier today:

The actual $syslogtag turns out to be 'intruder_lockout[3721575]:'
(even including the : at the end)

That essentially means that using the $syslogtag/isequal to stream messages into a specific file:

> :syslogtag, isequal, "intruder_lockout:" /var/log/intruder.log
> & stop

will basically never work. (at least not for tags applied with logger -t TAG)

But there is also a startswith condition:

> :syslogtag, startswith, "intruder_lockout" /var/log/intruder.log
> & stop

That one works.

Our problem is solved, and we learned a lot.

Thanks and have a nice day, everybody!

MJ
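Added example, not from this thread and not rsyslog's own code: a small Python model of how rsyslog's legacy (BSD-format) parser derives $syslogtag and $programname from a line like the one `logger -t intruder_lockout` sends, with the three filters discussed in the thread (syslogtag isequal, syslogtag startswith, programname) applied to constructed sample lines. It goes one step beyond the thread: startswith does match the PID-bearing tag, but it also matches any other tag that merely shares the prefix, whereas an exact match on $programname catches only the intended program. The sample lines, the hypothetical `intruder_lockout_audit` tag, and the simplified tag/programname rules are assumptions made for the example.

```python
import re

# Constructed sample lines (not from the thread) in the BSD/RFC 3164 form that
# rsyslog's default parser receives. <166> is local4.info, as in the thread's
# logger call. The first line is what `logger -t intruder_lockout` produces:
# logger appends the PID in brackets, so the tag is 'intruder_lockout[3721575]:'.
SAMPLE_LINES = [
    "<166>May 30 11:02:15 host1 intruder_lockout[3721575]: this account is now locked out",
    "<166>May 30 11:02:16 host1 intruder_lockout: tag written without a PID",
    "<166>May 30 11:02:17 host1 intruder_lockout_audit[42]: different program, same prefix",
    "<166>May 30 11:02:18 host1 sshd[991]: Accepted publickey for mj",
]

DEFAULT_TARGET = "/var/log/messages"   # catch-all file when no filter matches

_HEADER = re.compile(r"^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_syslog(line: str) -> dict:
    """Split a BSD-style line into the properties rsyslog exposes to filters.

    Simplified model of rsyslog's parser (an assumption, not its code): the tag
    runs from the start of the message part up to and including the first ':'
    (or up to the first space if that comes first); programname is the tag cut
    at the first '[' or ':'.
    """
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri, timestamp, hostname, rest = m.groups()
    end = len(rest)
    for i, ch in enumerate(rest):
        if ch == ":":
            end = i + 1          # the colon belongs to the tag
            break
        if ch == " ":
            end = i
            break
    tag = rest[:end]
    programname = re.split(r"[\[:]", tag, maxsplit=1)[0]
    return {
        "facility": int(pri) // 8,
        "severity": int(pri) % 8,
        "timestamp": timestamp,
        "hostname": hostname,
        "syslogtag": tag,
        "programname": programname,
        "msg": rest[end:].lstrip(" "),
    }


def prop_matches(props: dict, prop: str, op: str, value: str) -> bool:
    """Evaluate one property-based filter, i.e. ':prop, op, "value"'."""
    actual = props[prop]
    if op == "isequal":
        return actual == value
    if op == "startswith":
        return actual.startswith(value)
    if op == "contains":
        return value in actual
    raise ValueError(f"unsupported compare operation: {op}")


def route(line: str, rules: list) -> str:
    """Return the file the line ends up in. Each rule is (prop, op, value, target)
    and is treated as being followed by '& stop', so the first match wins;
    an unmatched line falls through to the catch-all file."""
    props = parse_syslog(line)
    for prop, op, value, target in rules:
        if prop_matches(props, prop, op, value):
            return target
    return DEFAULT_TARGET


# The three filters discussed in the thread, as rule sets.
ISEQUAL_RULES = [("syslogtag", "isequal", "intruder_lockout:", "/var/log/intruder.log")]
STARTSWITH_RULES = [("syslogtag", "startswith", "intruder_lockout", "/var/log/intruder.log")]
PROGNAME_RULES = [("programname", "isequal", "intruder_lockout", "/var/log/intruder.log")]


def compare_filters() -> dict:
    """Route every sample line through each rule set; returns {name: [targets]}."""
    return {
        name: [route(ln, rules) for ln in SAMPLE_LINES]
        for name, rules in (("isequal", ISEQUAL_RULES),
                            ("startswith", STARTSWITH_RULES),
                            ("programname", PROGNAME_RULES))
    }


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        p = parse_syslog(ln)
        print(f"syslogtag={p['syslogtag']!r:32} programname={p['programname']!r}")
    for name, targets in compare_filters().items():
        print(f"{name:12} -> {targets}")
```

Running it shows the isequal rule sending the PID-bearing line to /var/log/messages, the startswith rule also diverting the unrelated intruder_lockout_audit line, and the programname rule diverting exactly the two intruder_lockout lines. In a real rsyslog config the last one is `:programname, isequal, "intruder_lockout" /var/log/intruder.log`, which is the filter MJ reports as working earlier in the thread.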


On 5/30/24 11:02, Rainer Gerhards wrote:
I'd say the logger doc is incomplete. Obviously, the value given via
-t is just *the beginning of the tag* and logger itself adds PID after
it to the tag. Problems like these were on our mind when we defined
RFC 5424 with its PROGNAME field.

HTH
Rainer

On Wed, 29 May 2024 at 23:28, sacawulu via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:


ok...

but then... what's the use of being able to assign a tag with "logger -t
TAG" when that tag cannot be used later on to do something with it?

syslogtag, isequal... is not meant as a logical duo with "logger -t"?

More tomorrow.

Goodnight!

On 29-05-2024 at 23:07, Mariusz Kruk via rsyslog wrote:
See your logged event. You're matching against a string
"intruder_lockout:" but your event is logged with a PID added to the
progname so you have "intruder_lockout[xxxx]:" so your condition doesn't
match.


On May 29, 2024 12:51:41 PM UTC, cyusedfzfb via rsyslog
<rsyslog@lists.adiscon.com> wrote:

      I have found that when using programname to match, it DOES work.

      Why would this line:

          logger -t intruder_lockout -p local4.info "this account is now
          locked out"

      not match when filtering to match syslogtag isequal
"intruder_lockout"?

      Anyway...I am (finally) able to proceed.

      Still hope someone can explain the observed behaviour.

      MJ

      On 5/29/24 13:57, Mariusz Kruk via rsyslog wrote:

          It's impossible to answer that without knowing your full config.
          My guess would be that your syslog.d contents are included at
          the end of the main config file and your event matches a
          different disposition first so it's matched to another action
          and the processing is stopped there not reaching your rule.

          On 29.05.2024 12:55, cyusedfzfb via rsyslog wrote:

              Hi all!

              I am generating log messages from a script with a syslogtag,
              like this:

              ]# logger -t intruder_lockout -p local4.info "this account
              is now locked out"

              Next I'm trying to filter these logs, based on syslogtag, to
              a separate file. (on RHEL9, with rsyslogd 8.2102.0-117.el9
              (aka 2021.02))

              To do that, I created the config file
              /etc/rsyslog.d/0_intruder_lockout_log.conf with these contents:

                  :syslogtag, isequal, "intruder_lockout:"
                  /var/log/intruder_lockout.log
                  & stop

              But the logger messages continue to end up in the regular
              /var/log/messages.

              My config file *is* processed:

              ]# rsyslogd -N1 -d | grep intruder

              9648.534580052:main thread    : rainerscript.c: PROPFILT
              9648.534581695:main thread    : rainerscript.c:
              Property.: 'syslogtag'
              9648.534584550:main thread    : rainerscript.c:
              Operation: 'isequal'
              9648.534587716:main thread    : rainerscript.c:
              Value....: 'intruder_lockout:'
              9648.534589259:main thread    : rainerscript.c: THEN
              9648.534590852:main thread    : rainerscript.c:   ACTION 2
              [builtin:omfile:/data/log/intruder_lockout.log]
              9648.534593647:main thread    : rainerscript.c:   STOP
              9648.534596272:main thread    : rainerscript.c: END PROPFILT

              I have also disabled selinux for testing, just to make sure
              that is not getting in my way.

              Anyone here with some input to help me on my way? Why is
              this not working?!

              Thanks!

------------------------------------------------------------------------
              rsyslog mailing list
              https://lists.adiscon.net/mailman/listinfo/rsyslog
              http://www.rsyslog.com/professional-services/
              What's up with rsyslog? Follow https://twitter.com/rgerhards
              NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED
              by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE
              and DO NOT POST if you DON'T LIKE THAT.
