Getting Data In

Rsyslog config not work - does not write to the file

josedgaravito
New Member

Hi Guys I have the following configuration lines in rsyslog but none of them helps me write to the destination file.

if $msg contains "Tampering" then /var/log/camaras.log

if $msg contains "Start one" then /var/log/camaras.log

if $fromhost-ip=='172.16.1.5' and ($rawmsg contains 'Tampering') then /var/log/camaras.log

if $rawmsg contains 'Tampering' then {action(type="omfile" File="/var/log/camaras.log") stop}

if $rawmsg contains 'Tampering' then /var/log/camaras.log

the example message is

[RTSP SERVER]: Start one session, IP=172.16.57.3 [RTSP SERVER]: Tampering Detected, IP=172.16.57.8

What can be?

thanks for your help

0 Karma

jkat54
SplunkTrust
SplunkTrust

Does the syslog user have permission to write to those destinations?

Any clues in /var/log/messages ?

0 Karma

josedgaravito
New Member

Hello, yes, the user has permissions, I currently have the configuration like this:

if $ fromhost-ip == '172.16.254.25' then /var/log/camaras.log

and it works fine, but I have more than three thousand devices and the configuration file becomes unmanageable

Thanks

0 Karma

DavidHourani
Super Champion

Hi @josedgaravito,

You will need to define a template and apply it based on how you wish to classify your logs. Are you trying to build one file per host ip or have all the data in the camaras.log file ? How exactly are you expecting your data to be stored ?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...