[Bug 479592] Re: rsyslog doesn't work with property filter 'startswith'
Radu Gheorghe
radu0gheorghe at gmail.com
Fri Jul 6 10:02:08 UTC 2012
The problem seems to be that there's a leading space in the message.
:msg, startswith, " FIRE " -/var/log/fire.log
-> should work (at least for me it does)
I've seen on the debug log (rsyslog -d -n), this thing:
----
var '$msg': ' message goes here'
----
Which, via Google, led me here: http://www.rsyslog.com/log-normalization-and-the-leading-space/
Where it says "The answer is, that messages are processed as RFC3164. In
this RFC it is defined, that everything after the “:” of the syslog
header is to be considered as the message. Thus, the message has a
leading space now."
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/479592
Title:
rsyslog doesn't work with property filter 'startswith'
Status in “rsyslog” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: rsyslog
It seems that the property filter 'startswith' can't be used to filter e.g. firewall messages.
Using 'contains' works as expected.
e.g.
Nov 9 22:28:24 xxx kernel: [ 8367.076851] FIRE IN= OUT=eth0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8231 DF PROTO=TCP SPT=4815 DPT=22 SEQ=2172904999 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030306)
:msg, contains, "FIRE " -/var/log/fire.log
-> works
:msg, startswith, "FIRE " -/var/log/fire.log
-> doesn't work
This issue is already mentioned in bug 450002 comment #2.
I'm working with rsyslog 4.2.0-2ubuntu5 on (k)ubuntu 9.10.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/479592/+subscriptions
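Added example, not part of the original message and not rsyslog's own code: a simplified Python model of the split quoted above (everything after the ":" of the header is the message), run against the three filter forms from this bug. The sample line, the host name fw01 and the function names are constructed for illustration.

```python
import re

# Simplified model of the split the linked rsyslog article describes:
# everything after the ":" that ends the tag is the message, so the space
# that follows the colon stays in msg. This is NOT rsyslog's actual parser.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):(?P<msg>.*)$"
)

def split_rfc3164(line):
    """Split 'timestamp host tag: msg' into its fields, keeping msg verbatim."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not in 'timestamp host tag: msg' form")
    return m.groupdict()

def property_filter(msg, op, value):
    """Evaluate a ':msg, <op>, "<value>"' comparison on the msg property."""
    if op == "startswith":
        return msg.startswith(value)
    if op == "contains":
        return value in msg
    raise ValueError("unsupported compare operation: " + op)

def evaluate(line, filters):
    """Return {(op, value): matched} for each filter applied to the line's msg."""
    msg = split_rfc3164(line)["msg"]
    return {(op, value): property_filter(msg, op, value) for op, value in filters}

# Constructed sample line (assumption: no kernel timestamp in front of FIRE).
SAMPLE = "Nov  9 22:28:24 fw01 kernel: FIRE IN= OUT=eth0 PROTO=TCP DPT=22"
FILTERS = [("contains", "FIRE "), ("startswith", "FIRE "), ("startswith", " FIRE ")]

if __name__ == "__main__":
    print("msg =", repr(split_rfc3164(SAMPLE)["msg"]))
    for (op, value), hit in evaluate(SAMPLE, FILTERS).items():
        print(f':msg, {op}, "{value}" -> {"match" if hit else "no match"}')
```

A firewall log rule written with the unpadded `startswith` value silently matches nothing, so checking the `msg` value in the debug output before relying on such a filter avoids an empty log file that looks like "no events".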