Re: Rsyslog config not work - does not write to th...

josedgaravito · ‎06-17-2019

Hi Guys I have the following configuration lines in rsyslog but none of them helps me write to the destination file.

if $msg contains "Tampering" then /var/log/camaras.log

if $msg contains "Start one" then /var/log/camaras.log

if $fromhost-ip=='172.16.1.5' and ($rawmsg contains 'Tampering') then /var/log/camaras.log

if $rawmsg contains 'Tampering' then {action(type="omfile" File="/var/log/camaras.log") stop}

if $rawmsg contains 'Tampering' then /var/log/camaras.log

the example message is

[RTSP SERVER]: Start one session, IP=172.16.57.3 [RTSP SERVER]: Tampering Detected, IP=172.16.57.8

What can be?

thanks for your help

jkat54 · ‎06-17-2019

Does the syslog user have permission to write to those destinations?

Any clues in /var/log/messages ?

josedgaravito · ‎06-18-2019

Hello, yes, the user has permissions, I currently have the configuration like this:

if $ fromhost-ip == '172.16.254.25' then /var/log/camaras.log

and it works fine, but I have more than three thousand devices and the configuration file becomes unmanageable

Thanks

DavidHourani · ‎06-18-2019

Hi @josedgaravito,

You will need to define a template and apply it based on how you wish to classify your logs. Are you trying to build one file per host ip or have all the data in the camaras.log file ? How exactly are you expecting your data to be stored ?

Rsyslog config not work - does not write to the file

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Rsyslog config not work - does not write to the file

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability