Ani*_*Ani 1 ubuntu ssh rsyslog
sshd我正在尝试将一些类似的日志过滤到一个单独的文件中:
sshd[14913]: Did not receive identification string from 10.16.0.2
我尝试了以下方法,并且有效:
if $programname == 'sshd' and
$syslogfacility-text == 'security' and
$syslogseverity == '6' then -/var/log/sshinfo.log
& stop
但这也匹配用户登录/注销,所以我尝试添加消息匹配过滤器:
if $programname == 'sshd' and
$msg startswith 'Did not' and # <---
$syslogseverity == '6' then -/var/log/sshinfo.log
& stop
这不起作用!(虽然contains有效)
坏了startswith,还是这个用法不正确?
版本:
# rsyslogd -v
rsyslogd 7.4.4, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
uuid support: Yes
您应该使用带有类似内容的模板来msg is -->%msg%查看消息部分如何开始,但通常它以空格开头,所以只需尝试
$msg startswith ' Did not' and