MonitorWare Knowledge Base

Hi,

I'm trying to discard redundant messages with the following rule

Code: Select all

if $programname == 'CRON' and $syslogfacility-text == 'auth' and $syslogseverity-text == 'info' and $msg == '(pam_unix) session opened for user root by (uid=0)' then ~


but this doesn't seem to work.

While, for example, this one does:

Code: Select all

if $programname == 'CRON' and $syslogfacility-text == 'auth' and $syslogseverity-text == 'info' and $msg contains 'session opened for user root by' then ~


I trie escaping the parenthesis with \ but it didn't help.

Any suggestions?

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

mhhh... the parenthesis have no special meaning. Can you provide a debug log? Please note that I am almost leaving for summer break, so I may not be able to fully investigate it before I return...

I noticed the issue thinking that the it was caused by the parenthesis but instead there seems to be something wrong with the == operator.

With these lines in the config file:

Code: Select all

if $msg == 'test1' then ~
if $msg contains 'test2' then ~

I have these results:

Code: Select all

logger test1

gets logged

Code: Select all

logger test2

doesn't

I'm using 3.18.3-Test6

If you can't reproduce this let me know. In this case I'll post more debug data so that you can look at it when you come back from your vacation. Which I hope you'll enjoy :)

I haven't done a lab, but I think the behaviour is correct. == matches only if it is an exact match. So msg would actually need to be JUST 'test1'. With legacy syslog, there at least usually is one space as the first character. If you post a quick debug snippet, I can probably point you to it.

And I now notice the rest of the ==. For msg, you probably always want to use contains. Except, of course, you need a truly perfect match.

Rainer
PS: thanks for the well wishes

With legacy syslog, there at least usually is one space as the first character.

That's what it was all about. I didn't know this and looking at the database records didn't make this easy to spot as a monospaced font would have.

Sorry for the noise.

I am glad it works