I'm receiving syslog data in a .log file. That file contains two types of events. An event that only contains the syslog datetime stamp and an event that contains the syslog datetime stamp and a "timestamp=" field in the message. Using rules, how can I split any event containing "timestamp=" into a separate file?
Asked
Active
Viewed 2,480 times
1 Answers
2
The rsyslog documentation on filters says that $msg can help here:
Probably, “msg” is the most prominent use case of property based
filters. It is the actual message text. If you would like to filter
based on some message content (e.g. the presence of a specific code),
this can be done easily by:
:msg, contains, "ID-4711"
This filter will match when the message contains the string “ID-4711”.
and
*.* /var/log/file1 # the traditional way
if $msg contains 'error' then /var/log/errlog # the expression-based way
If I understand your question correctly, you can do what you intend by editing your configuration file to check $msg for timestamp= If you find that value, write to a separate file.
This is the documentation for rsyslog version 8. I'd recommend checking the version of rsyslog you are using against any examples you find (in the documentation or on the Internet).
StandardEyre
- 303
- 1
- 3
- 17