我正在尝试将一些类似这样的日志过滤sshd到一个单独的文件中:
sshd[14913]: Did not receive identification string from 10.16.0.2
我尝试了以下操作,并且成功了:
if $programname == 'sshd' and
$syslogfacility-text == 'security' and
$syslogseverity == '6' then -/var/log/sshinfo.log
& stop
但这也匹配用户登录/注销,所以我尝试添加 aa信息匹配筛选:
if $programname == 'sshd' and
$msg startswith 'Did not' and # <---
$syslogseverity == '6' then -/var/log/sshinfo.log
& stop
不起作用!(虽然contains有效)
坏了startswith,还是这种用法不正确?
版本:
# rsyslogd -v
rsyslogd 7.4.4, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
uuid support: Yes
答案1
您应该使用类似的模板msg is -->%msg%来查看消息部分如何开始,但一般来说它以空格开头,所以只需尝试
$msg startswith ' Did not' and