
AlienVault 4.14: rsyslog word filter does not work for me

torpheh

Hi guys,
This filter in rsyslog.conf does not work for me:

if $msg contains "test" then /var/log/test/test.log
if $msg contains "test" then  ~
I have tried it for $rawmsg and $programname and nothing changed.
Other filters are no problem; for example, this is working well and I can see the logs in my test log file:
:fromhost, isequal, "172.72.27.2" /var/log/test/test.log
:fromhost, isequal, "172.72.27.2" ~


Best Answer

  • Answer ✓
    I have fixed the problem, and this is the code that I have used:

    :msg, contains, "firewall: IN=" -/data/myapp/all_logs_but_firewall_related.log

Answers

  • I know this might sound a bit silly, but have you tried using a single quote rather than a double quote?

    i.e. ' vs. "

    torpheh
  • Thank you @l1nuxfr34k,
    I did, but nothing changed; they go directly to the syslog log file and not to my file. Another thing that may help is that I am sending logs with an application named "the one syslog sender", and when I use the "contains" filter (which does not work) I see the logs directly in all my SSH screens, but when I use the "fromhost" filter (which is working well) no such thing happens.
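
An added example, not part of the original posts: the question's "test" match written in the property-based form that both the working fromhost filter and the accepted answer use. The path is the one from the question; placing these lines above the default rules in rsyslog.conf is an assumption about the local configuration.

```conf
# Constructed example for rsyslog.conf (legacy syntax).
# General form:  :property, [!]compare-operation, "value"   action
#
# "contains" is a case-sensitive substring match on the message text,
# so "test" matches "selftest ok" but not "TEST".
:msg, contains, "test"    /var/log/test/test.log

# "&" reuses the previous filter for one more action; "~" discards the
# message, so matched lines stop here and are not processed by later rules.
& ~

# A leading "-" on the file name (as in the accepted answer) turns off
# syncing the file after every write.
# Prefixing the operation with "!" inverts the match, for example:
#   :msg, !contains, "test"    -/var/log/test/everything_else.log
```

Rules are evaluated top to bottom, so the discard only keeps matched messages out of the default syslog file if these lines come before the rule that writes that file.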