I am trying to filter logs from journalctl so that the matched logs can be forwarded to a remote rsyslog server.
The /var/log/custom log is being built correctly by the filter, but I am not able to forward it to the remote server.
I have referred to the links below:
https://stackoverflow.com/questions/37034439/rsyslog-filtering-and-forwarding
How to use rsyslog to log files from client to server
How to forward specific log file outside of /var/log with rsyslog to remote server? and
Rsyslog: From a custom log file, Forward only the messages matching a pattern
However, I am not able to achieve my goal.
This is my rsyslog.conf; am I missing something?
```
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

# Configure the LocalHostName, so that syslogs carry the hostname instead of the alias.
$LocalHostName nd2bwa4drc01v.eng.mobilephone.net

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Use traditional timestamp format.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

# Set the default permissions for all log files.
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog

######################
#### Ad-Hoc rules ####
######################

# Log anything [except kern/mail/cron/local2(snmp)/local7(boot)/local5(calea)]
# of level info or higher.
# Don't log private authentication messages!
#
# Filtering out harmless but repetitive messages
#
:msg, contains, "shim containerd-shim started" stop
:msg, contains, "shim reaped" stop
:msg, contains, "ignoring event" stop
:msg, contains, "DEBUG" stop

# Logging rule
#
#:msg, contains, "logged in over ssh from" @192.168.11.71:6514
#:msg, contains, "Logged out ssh" @192.168.11.71:6514
#if $msg contains 'logged in over ssh from' then @192.168.11.71:6514
:msg, contains, "logged in over ssh from" /var/log/custom
:msg, contains, "Logged out ssh" /var/log/custom

*.info;auth.none;authpriv.none;kern.none;mail.none;cron.none;local2.none;local7.none;local5.none /var/log/syslog
daemon.* -/var/log/daemon.log
mail.* -/var/log/mail.log
mail.warn /var/log/mail.warn
#kern.* -/var/log/kern.log
kern.debug stop
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none /var/log/debug

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# capture WARN logs in a separate file
#*.warn;local5.none /var/log/warn.log

###############################
##### Begin forwarding rule ###
###############################
# Forward to contol-0/1 (rsylog-proxy) VIP
#
auth.info,authpriv.* /var/log/secure
auth.info,authpriv.* @192.168.11.71:6514
#:msg, contains, "logged in over ssh from" @192.168.11.71:6514
*.info;auth.none;authpriv.none;mail.none;cron.none;local2.none;local7.debug;local5.none @192.168.11.71:6514
##### End of the forwarding rule ###
```
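Added example, not part of the question or the asker's configuration: an rsyslog rule that forwards only the messages matching the two SSH patterns to the remote collector while keeping a local copy, written in RainerScript with the equivalent legacy-syntax form commented beneath it. The address 192.168.11.71:6514 and the patterns are taken from the question; TCP as the transport, the queue file name and /var/log/custom as the local copy are assumptions. Two points worth checking against the asker's config: in legacy syntax a single `@` sends UDP and `@@` sends TCP, and 6514 is the IANA port for syslog over TLS, so the transport must match what the receiver is listening for; and rules are evaluated in order, so a `stop` rule placed earlier discards a message before any later forwarding rule sees it.

```rsyslog
# Added example (not the asker's config). Place it BEFORE any "stop" rule that
# could discard these messages and before the catch-all *.info rules, so the
# matching messages reach these actions first.

# --- RainerScript form ---
if ($msg contains "logged in over ssh from" or $msg contains "Logged out ssh") then {
    # Local copy; path taken from the question.
    action(type="omfile" file="/var/log/custom")

    # Remote copy. protocol="tcp" is an assumption: switch to "udp" if the
    # receiver on 192.168.11.71:6514 is UDP-only. The disk-assisted queue
    # (file name assumed, relative to $WorkDirectory) buffers messages while
    # the collector is unreachable, and resumeRetryCount="-1" retries forever.
    action(type="omfwd" target="192.168.11.71" port="6514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_custom"
           action.resumeRetryCount="-1")
}

# --- Equivalent legacy form ---
# ":msg, contains" is a property-based filter; a line starting with "&"
# repeats the previous line's filter for an additional action.
#:msg, contains, "logged in over ssh from" /var/log/custom
#& @@192.168.11.71:6514
#:msg, contains, "Logged out ssh" /var/log/custom
#& @@192.168.11.71:6514
```

To verify: `rsyslogd -N1` checks the configuration for syntax errors without starting the daemon, and `logger -p auth.info "test: logged in over ssh from 10.0.0.1"` injects a message that should appear both in /var/log/custom and on the collector (watch the remote side with tcpdump on port 6514 to confirm the packets leave the host). If the receiver expects TLS on 6514, plain TCP will also be refused; the omfwd action then needs the gtls stream driver and a CA file configured.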