Ubuntu

基於 rsyslog 表達式的過濾器 - ‘startswith’ 不起作用

  • October 9, 2019

我正在嘗試將sshd這些日誌過濾到一個單獨的文件中:

sshd[14913]: Did not receive identification string from 10.16.0.2

我嘗試了以下方法,它奏效了:

if $programname == 'sshd' and
  $syslogfacility-text == 'security' and
  $syslogseverity == '6' then -/var/log/sshinfo.log
& stop

但這也匹配使用者登錄/註銷,所以我嘗試添加一個消息匹配過濾器:

if $programname == 'sshd' and
  $msg startswith 'Did not'  and    # <---
  $syslogseverity == '6' then -/var/log/sshinfo.log
& stop

它不起作用!(雖然contains有效)

startswith壞了,還是這種用法不正確?

版本:

# rsyslogd -v
rsyslogd 7.4.4, compiled with:
   FEATURE_REGEXP:             Yes
   FEATURE_LARGEFILE:          No
   GSSAPI Kerberos 5 support:      Yes
   FEATURE_DEBUG (debug build, slow code): No
   32bit Atomic operations supported:  Yes
   64bit Atomic operations supported:  Yes
   Runtime Instrumentation (slow code):    No
   uuid support:               Yes

您應該使用帶有類似內容的模板msg is -->%msg%來查看消息部分如何開始,但通常它以空格開頭,所以只需嘗試

$msg startswith ' Did not'  and 

引用自:https://serverfault.com/questions/987374