我在rsyslog.conf上添加了这一行:
if $msg contains 'arpwatch' then /var/log/test.log
问题是,如果我有同时包含表达式(arpwatch)的日志行,那么记录第一行,其他行则不记录。
如果我有同时包含“arpwatch”的行,如何修改我的表达式以写入日志?
如果将这些行发送到rsyslog:
2012 Nov 10 09:56:34 alienvault->/var/log/syslog Nov 10 09:56:34 alienvault arpwatch_eth0: chdir(/usr/arpwatch): No such file or directory 2012 Nov 10 09:56:34 alienvault->/var/log/syslog Nov 10 09:56:34 alienvault arpwatch_eth0: (using current working directory) 2012 Nov 10 09:56:34 alienvault->/var/log/syslog Nov 10 09:56:34 alienvault arpwatch_eth0: pcap open eth0: eth0: No such device exists (SIOCGIFHWADDR: No such device)
然后在/var/log/test.log我有这一行:
2012 Nov 10 09:56:34 alienvault->/var/log/syslog Nov 10 09:56:34 alienvault arpwatch_eth0: chdir(/usr/arpwatch): No such file or director
其他人被忽略
答案 0 :(得分:0)
您检查rsyslog的msg属性是否为arpwatch模式 - 但它实际上仅在记录的消息中... arpwatch_eth0不是msg的一部分
答案 1 :(得分:0)
$template usermsg,"%TIMESTAMP% %HOSTNAME% %programname% %syslogfacility-text%.%syslogseverity-text% :%msg:::sp-if-no-1st-sp%%msg::drop-last-lf%\n"
$ActionFileDefaultTemplate usermsg
if $programname == 'arpwatch' and $msg contains 'arpwatch' then /var/log/test.log