
I use Ubuntu Server. I am trying to set a filter in my rsyslog.conf to accept only remote logs from my D-Link.

This is the debug output:

Debug line with all properties:
FROMHOST: 'fromname', fromhost-ip: '192.168.1.1', HOSTNAME: 'DSR-500N', PRI: 4,
syslogtag 'KERNEL', programname: 'KERNEL', APP-NAME: 'KERNEL', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Oct  2 17:44:08', STRUCTURED-DATA: '-',
msg: ' [Kernel] LOG_PACKET[ACCEPT]  IN=WAN SRC=11.11.11.11 DST=22.22.22.22 PROTO=ESP SPI=0xf9861ec '
escaped msg: ' [Kernel] LOG_PACKET[ACCEPT]  IN=WAN SRC=77.77.77.77 DST=66.66.66.66 PROTO=ESP SPI=0xf9861ec '
rawmsg: '<4>Oct 02 17:44:08 DSR-500N KERNEL [Kernel] LOG_PACKET[ACCEPT]  IN=WAN SRC=44.44.44.44 DST=33.33.33.33 PROTO=ESP SPI=0xf9861ec '

And that is my code:

if hostname == 'DSR-500N' then  /var/rsyslog/infolog

But the filter doesn't work. Where am I wrong?

Thank you!

I tried to change filter. I used this code

:$hostname, regex, "*" /var/rsyslog/infolog

This works, but it works for all hostnames. I'd like to filter this; however, if I change it to

:$hostname, regex, "^k" /var/rsyslog/infolog

it doesn't work.

Any ideas?

Abdus

1 Answer


Try using $hostname instead of just hostname.

if $hostname == 'DSR-500N' then /var/rsyslog/infolog
user9517
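As an added example (not from the question or the answer), a complete rsyslog.conf fragment that receives the router's UDP syslog and routes only its messages to /var/rsyslog/infolog, in both RainerScript and legacy property-filter form; the listening port 514 and the log directory are assumptions, and the hostname and source IP are taken from the debug output above.

```rsyslog
# Added example, not the original poster's config. Assumes the D-Link sends
# plain UDP syslog to port 514 and that /var/rsyslog/ exists and is writable.
module(load="imudp")
input(type="imudp" port="514")

# RainerScript filter. $hostname is the value the sender wrote in the syslog
# header ('DSR-500N' in the debug line); the comparison is exact and
# case-sensitive, and the keyword 'if' must be lowercase.
if $hostname == 'DSR-500N' then {
    action(type="omfile" file="/var/rsyslog/infolog")
    stop   # keep these lines out of the default /var/log/syslog rules
}

# Equivalent legacy property-based filter: the property name carries no '$'.
# :hostname, isequal, "DSR-500N"   /var/rsyslog/infolog
# & stop
#
# A regex filter works the same way; "^k" matched nothing because the
# hostname begins with "D". This one would match:
# :hostname, regex, "^DSR"         /var/rsyslog/infolog

# The hostname is supplied by the sender, so any host on the network can
# claim to be 'DSR-500N'. $fromhost-ip is the source address of the UDP
# packet as seen by the server (192.168.1.1 in the debug output) and is the
# more trustworthy key for a "only logs from my router" rule:
if $fromhost-ip == '192.168.1.1' and $hostname == 'DSR-500N' then {
    action(type="omfile" file="/var/rsyslog/infolog")
    stop
}
```

After editing, `rsyslogd -N1` checks the syntax before restarting the service, and `logger -n 127.0.0.1 -P 514 -d -t KERNEL test` sends a local test message through the UDP listener.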