Ubuntu
基於 rsyslog 表達式的過濾器 - ‘startswith’ 不起作用
我正在嘗試將
sshd
這些日誌過濾到一個單獨的文件中:sshd[14913]: Did not receive identification string from 10.16.0.2
我嘗試了以下方法,它奏效了:
if $programname == 'sshd' and $syslogfacility-text == 'security' and $syslogseverity == '6' then -/var/log/sshinfo.log & stop
但這也匹配使用者登錄/註銷,所以我嘗試添加一個消息匹配過濾器:
if $programname == 'sshd' and $msg startswith 'Did not' and # <--- $syslogseverity == '6' then -/var/log/sshinfo.log & stop
它不起作用!(雖然
contains
有效)
startswith
壞了,還是這種用法不正確?版本:
# rsyslogd -v rsyslogd 7.4.4, compiled with: FEATURE_REGEXP: Yes FEATURE_LARGEFILE: No GSSAPI Kerberos 5 support: Yes FEATURE_DEBUG (debug build, slow code): No 32bit Atomic operations supported: Yes 64bit Atomic operations supported: Yes Runtime Instrumentation (slow code): No uuid support: Yes
您應該使用帶有類似內容的模板
msg is -->%msg%
來查看消息部分如何開始,但通常它以空格開頭,所以只需嘗試$msg startswith ' Did not' and