On Ubuntu 18.04 with rsyslogd 8.32.0, to move log entries from my service, named "mqtt433", I have added the following to `/etc/rsyslog.d/50-default.conf`:

```
if $programname == 'mqtt433' then {
    action(type="omfile" File="/var/log/mqtt433_log.log")
    stop
}
```

which creates the file `/var/log/mqtt433_log.log` and appends log messages from the service to it, as expected. What it shouldn't do, in my understanding, is keep the lines in the default file (`/var/log/syslog`), but it does.

In other words, it should move messages to the new file, not copy them.

I've also tried the old rule syntax, with the same result.

```
:programname, isequal, "mqtt433" /var/log/mqtt433.log
& stop
```

I've also tried the deprecated syntax `& ~` instead of `& stop`, with no luck.

What am I doing wrong?

Anton
  • Make sure your conf file is being read before any other rules. E.g., check there are no earlier files in `/etc/rsyslog.d/`, and no filter rules in the `rsyslog.conf` before the `$IncludeConfig /etc/rsyslog.d/*.conf` line. – meuh Jan 15 '20 at 10:15
  • OMG it helped! I moved the lines to the beginning of the config file and it works! Can't tell how many days I was reading the rsyslog docs through and through looking for a solution. Please make your comment an answer so that I can mark it! – Anton Jan 15 '20 at 11:08

1 Answer

Make sure your conf file is being read before any other rules. For example, check there are no earlier files in the directory `/etc/rsyslog.d/`, and no filter rules in `rsyslog.conf` before the `$IncludeConfig /etc/rsyslog.d/*.conf` line, which includes your configuration at that point. Typically, rules are placed after a `## RULES ##` comment, and are executed in the order they appear.

meuh
  • Just to clarify, to help future readers: By default, on Ubuntu 18.04, `/etc/rsyslog.conf` contains `$IncludeConfig /etc/rsyslog.d/*.conf` and there's only one config file, named `/etc/rsyslog.d/50-default.conf`, which in turn contains a `*.*;auth,authpriv.none -/var/log/syslog` rule at the second line of the file. So although there are no visual clues like a `## RULES ##` comment or anything, placing any `stop` command after the `*.*` filter does nothing. What helped was to rename the custom rule files so they are read before the `50-default.conf` file, `01-mqtt433.conf` in my case. – Anton Jan 15 '20 at 11:40
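
The ordering problem described in the answer and the follow-up comment can be checked mechanically. The following is an added example, not code from the original posts: it walks the `*.conf` files in sorted name order (assumed to match the order in which the `$IncludeConfig` glob is read, which the rename to `01-mqtt433.conf` relies on) and reports every catch-all `*.*` rule that is evaluated before the `programname` filter. The function names and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Legacy selector that matches every facility and priority, e.g.
# "*.*;auth,authpriv.none -/var/log/syslog"
CATCH_ALL = re.compile(r"^\s*\*\.\*\S*\s+\S")

# Constructed sample files, modelled on the rules quoted on this page.
DEFAULT_CONF = "# Default rules\n*.*;auth,authpriv.none -/var/log/syslog\n"
CUSTOM_CONF = ("if $programname == 'mqtt433' then {\n"
               '    action(type="omfile" File="/var/log/mqtt433_log.log")\n'
               "    stop\n}\n")


def shadowing_rules(conf_dir, program):
    """Return (file, line_no) for every catch-all rule evaluated before the
    first filter on `program`; those rules log the message before `stop`."""
    seen = []
    for path in sorted(Path(conf_dir).glob("*.conf")):  # assumed read order
        for no, line in enumerate(path.read_text().splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # comments are not rules
            if "programname" in line and program in line:
                return seen  # filter reached: later rules cannot shadow it
            if CATCH_ALL.match(line):
                seen.append((path.name, no))
    raise LookupError(f"no programname filter for {program!r} found")


def check_layout(custom_name):
    """Write the sample files to a temp dir and test one custom file name."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "50-default.conf").write_text(DEFAULT_CONF)
        Path(d, custom_name).write_text(CUSTOM_CONF)
        return shadowing_rules(d, "mqtt433")


if __name__ == "__main__":
    for name in ("60-mqtt433.conf", "01-mqtt433.conf"):
        print(name, "->", check_layout(name) or "filter runs first")
```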