
I'm trying to discard lines like this:

httpd: - - - - [03/Jun/2013:23:04:10 +0000] "-" 408 - "-" "-" 32 -

Based on the docs, I would think this would suffice:

:msg, contains, "408 -" ~

I know that that is not a good pattern because it could match too many other things, but I'm just trying to get it to work. Currently it doesn't work; the lines end up in the log file and on the remote server.

I have a second :msg, contains below that, and that one DOES work. Is :msg not the correct field for this line for some reason?

Here's the complete rsyslog.conf:

$ModLoad imuxsock
$ModLoad imklog.so

$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName srvrfwd  # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

:msg, contains, "408 -" ~
:msg, contains, "enablerepo=private update" ~

*.* /var/log/messages
*.* @@logserver.mydomain
sebix
jsd

1 Answer

After conferring with rsyslog developers it appears to be a bug in the version we are using (5.8, provided by Amazon through their Amazon Linux distro). I upgraded to 7.4 and the problem went away. I informed Amazon and they are investigating whether upgrading to 7.4 is something they want to do for everyone going forward.

jsd
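For reference, the same discard rules rewritten in the RainerScript syntax that rsyslog 7.x accepts, as an added example that is not part of the original question or answer. The `$programname == "httpd"` test is an assumption about how the web server tags its messages; it narrows the broad "408 -" match the question itself calls too wide, so unrelated messages that happen to contain that substring are not silently dropped. The port is the default 514 the `@@` form implied.

```rsyslog
module(load="imuxsock")
module(load="imklog")

# Discard the idle-connection 408 lines before any action sees them.
# Matching on the program name as well avoids dropping unrelated messages
# that merely contain "408 -" (assumption: httpd logs under the "httpd" tag).
if $programname == "httpd" and $msg contains "408 -" then stop

# Discard the yum update noise from the second rule in the original config
if $msg contains "enablerepo=private update" then stop

# Everything else goes to the local file and to the remote server,
# with the same disk-assisted queue settings the legacy directives set
*.* action(type="omfile" file="/var/log/messages")
*.* action(type="omfwd" target="logserver.mydomain" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="srvrfwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

Rule order still matters: the two `stop` rules must come before the `*.*` actions, exactly as the `~` discards did in the legacy file, or the lines are written out before they are discarded.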