
I configure the rsyslog server with /var/rsyslog/foo.conf to accept UDP messages:

    $ModLoad imudp
    $UDPServerRun 514

And I try to filter the log lines that start with "foo" into /var/log/foo.log. I have tried several filters:

    :msg, contains, "foo" /var/log/foo.log
    :msg, startswith, "foo" /var/log/foo.log
    :msg, regex, "^\s*foo.*" /var/log/foo.log
    if $msg startswith 'foo' then /var/log/foo.log;

Nothing is working. I can get the proper log in /var/log/syslog, but there is no way to filter it and output it to foo.log. The message I got in syslog looks like this:

    2023-12-02T17:06:20.852836+00:00 foo

Which proves that UDP and general logging are good. But I have no idea why the filters are not working.

My rsyslog server version is 8.2302.0 and the OS is Debian 12.

  • Have you restarted syslog? Was /var/log/foo.log automatically created after the restart? Commented Dec 3, 2023 at 16:08
  • Yes, I did restart rsyslog (not syslog), but to my knowledge syslog should be restarted together with rsyslog. And there was no foo.log automatically created after restarting. Commented Dec 3, 2023 at 19:52

1 Answer


I debugged rsyslog and solved the problem.

The log that arrived in /var/log/syslog was:

    2023-12-02T17:06:20.852836+00:00 foo

Which means "foo" is recognized as the source, not the msg. Sending the message according to the RFC5424 format solves the problem:

    echo -n "foo bar:foobar" | nc -w1 -u foo bar

In this case syslog logs it like this:

    2023-12-02T17:06:20.852836+00:00 foo bar: foobar

And the filter works fine.
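As an added example (not code from the question or the answer above), here is a small Python client that builds a datagram with a complete RFC 5424 header, so the text you want to filter on sits in the MSG field instead of being taken for the source host; the server address, hostname and app name are placeholders I chose.

```python
import socket
from datetime import datetime, timezone

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# PRI = facility * 8 + severity; 1 = user facility, 6 = informational.
def build_rfc5424(msg, hostname="client01", app_name="foo-app",
                  facility=1, severity=6, timestamp=None):
    """Return one syslog datagram (bytes) with every header field populated."""
    pri = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="microseconds")
    header = f"<{pri}>1 {ts} {hostname} {app_name} - - -"   # no PROCID/MSGID/SD
    return f"{header} {msg}".encode("utf-8")


def parse_rfc5424(data):
    """Split the header so we can see which part a $msg filter would inspect."""
    text = data.decode("utf-8")
    pri_end = text.index(">")
    pri = int(text[1:pri_end])
    # version, timestamp, host, app, procid, msgid, sd, then the free-form MSG
    fields = text[pri_end + 1:].split(" ", 7)
    version, ts, host, app, procid, msgid, sd = fields[:7]
    msg = fields[7] if len(fields) > 7 else ""
    return {"facility": pri // 8, "severity": pri % 8, "version": version,
            "host": host, "app": app, "msg": msg}


def msg_startswith(data, prefix):
    """Mirror of ':msg, startswith, "prefix"': true only when MSG carries it."""
    return parse_rfc5424(data)["msg"].startswith(prefix)


def send_udp(data, server="127.0.0.1", port=514):
    """Send the datagram to the imudp listener (server address is a placeholder)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (server, port))


if __name__ == "__main__":
    datagram = build_rfc5424("foo bar")
    print(datagram.decode())
    print(parse_rfc5424(datagram))
    # send_udp(datagram)  # run on a host that reaches the listener from the question
```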
