This is caused by the intersection of two distinct 'features'.
I'm investigating 12.04 Precise LTS with rsyslog version 5.8.6.
Firstly, a caution: the documentation for the imklog module on the
rsyslog web-site is not version-specific and therefore cannot be relied
upon for clear accurate
I can confirm that Radu Gheorghe (radu0gheorghe) is correct and have had
to use the following template to discard the leading whitepsace.
$template ApacheLogFormat,%msg:2:1%\n
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
The problem seems to be that there's a leading space in the message.
:msg, startswith, FIRE -/var/log/fire.log
- should work (at least for me it does)
I've seen on the debug log (rsyslog -d -n), this thing:
var '$msg': ' message goes here'
Which, via Google, lead me here:
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: rsyslog (Ubuntu)
Status: New = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/479592
Title:
I tried isequal and that doesn't work either. I assume rsyslogd is
interpreting the timestamp, e.g. [ 8367.076851], as part of the message
it is applying the filter to. In my case rsyslogd 4.6.4 on 11.04 (natty)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which
Some problem for me on 10.04 (LTS) with rsyslog 4.2.0-2ubuntu8
This is a long term support release so think this bug should be moved up
in importance.
Using 'contains' is a workaround but 'startswith' has significant
efficiency gains when processing a lot of logs.
--
rsyslog doesn't work with
