https://community.splunk.com/t5/Getting-Data-In/Rsyslog-config-not-work-does-not-write-to-the-file/m-p/427583#M74918 <P>Hi Guys I have the following configuration lines in rsyslog but none of them helps me write to the destination file.</P> <P>if $msg contains "Tampering" then /var/log/camaras.log</P> <P>if $msg contains "Start one" then /var/log/camaras.log</P> <P>if $fromhost-ip=='172.16.1.5' and ($rawmsg contains 'Tampering') then /var/log/camaras.log</P> <P>if $rawmsg contains 'Tampering' then {action(type="omfile" File="/var/log/camaras.log") stop}</P> <P>if $rawmsg contains 'Tampering' then /var/log/camaras.log</P> <P>the example message is</P> <P>[RTSP SERVER]: Start one session, IP=172.16.57.3 [RTSP SERVER]: Tampering Detected, IP=172.16.57.8</P> <P>What can be?</P> <P>thanks for your help</P> Mon, 17 Jun 2019 22:50:17 GMT josedgaravito 2019-06-17T22:50:17Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-config-not-work-does-not-write-to-the-file/m-p/427583#M74918 <P>Hi Guys I have the following configuration lines in rsyslog but none of them helps me write to the destination file.</P> <P>if $msg contains "Tampering" then /var/log/camaras.log</P> <P>if $msg contains "Start one" then /var/log/camaras.log</P> <P>if $fromhost-ip=='172.16.1.5' and ($rawmsg contains 'Tampering') then /var/log/camaras.log</P> <P>if $rawmsg contains 'Tampering' then {action(type="omfile" File="/var/log/camaras.log") stop}</P> <P>if $rawmsg contains 'Tampering' then /var/log/camaras.log</P> <P>the example message is</P> <P>[RTSP SERVER]: Start one session, IP=172.16.57.3 [RTSP SERVER]: Tampering Detected, IP=172.16.57.8</P> <P>What can be?</P> <P>thanks for your help</P> Mon, 17 Jun 2019 22:50:17 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-config-not-work-does-not-write-to-the-file/m-p/427583#M74918 josedgaravito 2019-06-17T22:50:17Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-config-not-work-does-not-write-to-the-file/m-p/427584#M74919 <P>Does the syslog user have permission to write to those destinations?</P> <P>Any clues in /var/log/messages ?</P> Tue, 18 Jun 2019 01:21:05 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-config-not-work-does-not-write-to-the-file/m-p/427584#M74919 jkat54 2019-06-18T01:21:05Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-config-not-work-does-not-write-to-the-file/m-p/427585#M74920 <P>Hello, yes, the user has permissions, I currently have the configuration like this: </P> <P>if $ fromhost-ip == '172.16.254.25' then /var/log/camaras.log</P> <P>and it works fine, but I have more than three thousand devices and the configuration file becomes unmanageable</P> <P>Thanks</P> Tue, 18 Jun 2019 15:59:08 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-config-not-work-does-not-write-to-the-file/m-p/427585#M74920 josedgaravito 2019-06-18T15:59:08Z https://community.splunk.com/t5/Getting-Data-In/Rsyslog-config-not-work-does-not-write-to-the-file/m-p/427586#M74921 <P>Hi @josedgaravito,</P> <P>You will need to define a template and apply it based on how you wish to classify your logs. Are you trying to build one file per host ip or have all the data in the camaras.log file ? How exactly are you expecting your data to be stored ? </P> Tue, 18 Jun 2019 19:42:56 GMT https://community.splunk.com/t5/Getting-Data-In/Rsyslog-config-not-work-does-not-write-to-the-file/m-p/427586#M74921 DavidHourani 2019-06-18T19:42:56Z