[Bug 479592] Re: rsyslog doesn't work with property filter 'startswith'
This is caused by the intersection of two distinct 'features'. I'm investigating 12.04 Precise LTS with rsyslog version 5.8.6.

Firstly, a caution: the documentation for the imklog module on the rsyslog web-site is not version-specific and therefore cannot be relied upon for clear accurate information about the version carried by Ubuntu.

The issues are:

1. the imklog module receives Linux kernel log messages. The kernel prefixes those log messages with a time-stamp of the form

    [174766.200834]

   This is rsyslog's %msg% property.

2. The startswith compare-operator

    Checks if the value is found exactly at the beginning of the property value.

So, when receiving kernel log messages they begin with a time-stamp which prevents use of the startswith operator to match on a log message prefix.

In version 7.3.4 of rsyslog released 7 December 2012 the imklog module has the operator KeepKernelTimeStamp which can be set to off to drop the time-stamps.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/479592

Title:
  rsyslog doesn't work with property filter 'startswith'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/479592/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 479592] Re: rsyslog doesn't work with property filter 'startswith'
I can confirm that Radu Gheorghe (radu0gheorghe) is correct and have had to use the following template to discard the leading whitespace.

    $template ApacheLogFormat,"%msg:2:$%\n"
[Bug 479592] Re: rsyslog doesn't work with property filter 'startswith'
The problem seems to be that there's a leading space in the message.

    :msg, startswith, " FIRE" -/var/log/fire.log

- should work (at least for me it does)

I've seen on the debug log (rsyslog -d -n), this thing:

    var '$msg': ' message goes here'

Which, via Google, led me here:
http://www.rsyslog.com/log-normalization-and-the-leading-space/

Where it says

    The answer is, that messages are processed as RFC3164. In this RFC it is defined, that everything after the “:” of the syslog header is to be considered as the message. Thus, the message has a leading space now.
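Added example, not part of the bug thread and not rsyslog code: a simplified Python model of the two causes reported in this thread (the leading space that RFC 3164 parsing leaves in %msg%, and the kernel time-stamp at the start of imklog messages), useful for checking a prefix against sample lines before relying on a startswith filter. The sample lines, the host and tag names, and all function names are constructed for illustration.

```python
import re

# Kernel time-stamp as quoted in the thread, e.g. "[174766.200834]" or "[ 8367.076851]".
KERNEL_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# Simplified RFC 3164 header: "Mmm dd hh:mm:ss host tag:" followed by the message.
RFC3164 = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ [^:\s]+:(.*)$", re.S)


def msg_from_rfc3164(line):
    """Model of %msg%: everything after the ':' of the header, leading space kept."""
    m = RFC3164.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 style line")
    return m.group(1)


def msg_from_kernel(record, keep_timestamp=True):
    """Model of a kernel message with the time-stamp kept or dropped."""
    return record if keep_timestamp else KERNEL_TS.sub("", record, count=1)


def diagnose(msg, prefix):
    """Say whether a startswith filter on `prefix` matches, and if not, why."""
    if msg.startswith(prefix):
        return "match"
    if msg.lstrip(" ").startswith(prefix):
        return "leading-space"
    if KERNEL_TS.sub("", msg, count=1).lstrip(" ").startswith(prefix):
        return "kernel-timestamp"
    if prefix in msg:
        return "contains-only"
    return "no-match"


# Constructed sample input.
SYSLOG_LINE = "Nov 10 09:15:02 host1 app: FIRE dropped packet"
KERNEL_RECORD = "[174766.200834] FIRE IN=eth0 OUT="

if __name__ == "__main__":
    app_msg = msg_from_rfc3164(SYSLOG_LINE)
    print(repr(app_msg), diagnose(app_msg, "FIRE"), diagnose(app_msg, " FIRE"))
    for keep in (True, False):
        kmsg = msg_from_kernel(KERNEL_RECORD, keep_timestamp=keep)
        print(repr(kmsg), diagnose(kmsg, "FIRE"))
```

A "contains-only" result is the case where only the 'contains' workaround mentioned in the thread would match.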
[Bug 479592] Re: rsyslog doesn't work with property filter 'startswith'
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: rsyslog (Ubuntu)
       Status: New => Confirmed
[Bug 479592] Re: rsyslog doesn't work with property filter 'startswith'
I tried isequal and that doesn't work either. I assume rsyslogd is interpreting the timestamp, e.g. [ 8367.076851], as part of the message it is applying the filter to.

In my case rsyslogd 4.6.4 on 11.04 (natty)
[Bug 479592] Re: rsyslog doesn't work with property filter 'startswith'
Some problem for me on 10.04 (LTS) with rsyslog 4.2.0-2ubuntu8.

This is a long term support release so think this bug should be moved up in importance. Using 'contains' is a workaround but 'startswith' has significant efficiency gains when processing a lot of logs.