redirection log using rsyslog

Question

I add this line on rsyslog.conf:

if $msg contains 'arpwatch'          then          /var/log/test.log

The problem is if I a have simultaneous lines of logs containing the expression (arpwatch), then tonly the first line is logged and the others aren't.

How I can modify my expression to write to the log if i have simultaneous lines containing "arpwatch"?

If these lines are sent to rsyslog:

2012 Nov 10 09:56:34 alienvault->/var/log/syslog Nov 10 09:56:34 alienvault arpwatch_eth0: chdir(/usr/arpwatch): No such file or directory
2012 Nov 10 09:56:34 alienvault->/var/log/syslog Nov 10 09:56:34 alienvault arpwatch_eth0: (using current working directory)
2012 Nov 10 09:56:34 alienvault->/var/log/syslog Nov 10 09:56:34 alienvault arpwatch_eth0: pcap open eth0: eth0: No such device exists (SIOCGIFHWADDR: No such device)

then on /var/log/test.log i have this line:

2012 Nov 10 09:56:34 alienvault->/var/log/syslog Nov 10 09:56:34 alienvault arpwatch_eth0: chdir(/usr/arpwatch): No such file or director

and the others are ignored

score 0 · Answer 1 · answered Nov 11 '12 at 20:40

0

You check the msg property of rsyslog for the pattern arpwatch - but it's really only in the logged message... the arpwatch_eth0 is not part of msg

answered Nov 11 '12 at 20:40

Kamil Šrot

2,141
17
19

score 0 · Answer 2 · edited Aug 06 '13 at 08:23

0

$template usermsg,"%TIMESTAMP% %HOSTNAME% %programname% %syslogfacility-text%.%syslogseverity-text% :%msg:::sp-if-no-1st-sp%%msg::drop-last-lf%\n"
$ActionFileDefaultTemplate usermsg

if $programname == 'arpwatch' and $msg contains 'arpwatch' then /var/log/test.log

edited Aug 06 '13 at 08:23

Dirty-flow

2,306
11
30
49

answered Aug 06 '13 at 08:01

Kamal

1

redirection log using rsyslog

2 Answers2