rsyslog config with both "$msg contains" and "$fromhost-ip startswith"

Question

can i use the statement both "$msg contains" and "$fromhost-ip startswith" in rsyslog config?

when i use the follow for rsyslog config, it work!

if $msg contains 'src_port=6699' then -?DynFileA
& ~
if $fromhost-ip startswith '10.10.10.1' then -?DynFileB
& ~

but when i combine both of them, it was fail!

if $fromhost-ip startswith '10.10.10.1' and $msg !contains 'src_port=6699' then -?DynFileA
& ~

i search many article from internet, especially rsyslog office document,but didn't find any useful suggestion!

can any one tell me how to do this?

score 0 · Answer 1 · answered May 21 '13 at 14:31

0

Hmm... are you sure about your substitution ? At first sight, if your host IP is 10.10.10.1, you'll apply -?DynFileA instead of -?DynFileB. And your first example held two distincts operations... (don't know what it is btw)

regards,

answered May 21 '13 at 14:31

moutonjr

223
1
3
17

score 0 · Answer 2 · answered Apr 22 '21 at 07:35

I would just go full rsyslog Reiner script now, your first example was a or, not an and with two different dynamic file templates, if that is what you wanted just replace the and below with an or

if ($fromhost-ip startswith '10.10.10.1') and ($msg !contains 'src_port=6699') then {
    -?DynFileA
    stop
    }

rsyslog config with both "$msg contains" and "$fromhost-ip startswith"

2 Answers2