Rsyslog config not work - does not write to the fi...

josedgaravito · ‎06-17-2019

Hi Guys I have the following configuration lines in rsyslog but none of them helps me write to the destination file.

if $msg contains "Tampering" then /var/log/camaras.log

if $msg contains "Start one" then /var/log/camaras.log

if $fromhost-ip=='172.16.1.5' and ($rawmsg contains 'Tampering') then /var/log/camaras.log

if $rawmsg contains 'Tampering' then {action(type="omfile" File="/var/log/camaras.log") stop}

if $rawmsg contains 'Tampering' then /var/log/camaras.log

the example message is

[RTSP SERVER]: Start one session, IP=172.16.57.3 [RTSP SERVER]: Tampering Detected, IP=172.16.57.8

What can be?

thanks for your help

jkat54 · ‎06-17-2019

Does the syslog user have permission to write to those destinations?

Any clues in /var/log/messages ?

josedgaravito · ‎06-18-2019

Hello, yes, the user has permissions, I currently have the configuration like this:

if $ fromhost-ip == '172.16.254.25' then /var/log/camaras.log

and it works fine, but I have more than three thousand devices and the configuration file becomes unmanageable

Thanks

DavidHourani · ‎06-18-2019

Hi @josedgaravito,

You will need to define a template and apply it based on how you wish to classify your logs. Are you trying to build one file per host ip or have all the data in the camaras.log file ? How exactly are you expecting your data to be stored ?

Rsyslog config not work - does not write to the file

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How Edge Processor's Durable Queue Works

Announcing Modern Navigation: A New Era of Splunk User Experience

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation