Logs don't match any of my conditions but they should
First, some information about my setup:
- Software: Rsyslog v8.24
- OS: Debian 9.13
- File: /etc/rsyslog.d/splunk.conf
- Configuration language: advanced, i.e. RainerScript
I have these 3 lines in my file:
# Aruba Networks logs filtering
ruleset(name="ArubaNetworksPort") {
    if (re_match($msg, "AP:aaa-bbb01-ccc-ap")) then {
        action(type="omfile" dynaFile="ArubaNetworksPath")
    }
}
# VMware ESX logs filtering
ruleset(name="EsxPort") {
    if (re_match($hostname, "tree-[a-zA-Z]{3}to[0-9]{3}")) then {
        action(type="omfile" dynaFile="EsxPath")
    }
}
# Unclassified logs filtering
ruleset(name="RemoteLogPort") {
    *.* action(type="omfile" dynaFile="RemoteLogPath")
}
template(name="ArubaNetworksPath" type="string" string="/var/log/rsyslog/aruba-networks/%FROMHOST%/aruba-networks.log")
template(name="EsxPath" type="string" string="/var/log/rsyslog/esxvmware/%FROMHOST%/esxvmware.log")
template(name="RemoteLogPath" type="string" string="/var/log/remote/unclassified/%FROMHOST%/unclassified.log")
input(type="imudp" port="514" ruleset="ArubaNetworksPort")
input(type="imudp" port="514" ruleset="EsxPort")
input(type="imudp" port="514" ruleset="RemoteLogPort")
When I inspect the logs directly, I can see in the message, or in the hostname of the listener, that it matches my filter, yet the log goes to "RemoteLogPath" instead of "ArubaNetworksPath" or "EsxPath".
Any idea what is going on? If you need more information I can provide it, just ask me.
You cannot bind the same input to multiple rulesets. See, for example, this issue.
You probably just want something like this:
ruleset(name="RemoteLogPort") {
    if (re_match($msg, "AP:aaa-bbb01-ccc-ap")) then {
        action(type="omfile" dynaFile="ArubaNetworksPath")
    } else if (re_match($hostname, "tree-[a-zA-Z]{3}to[0-9]{3}")) then {
        action(type="omfile" dynaFile="EsxPath")
    } else {
        action(type="omfile" dynaFile="RemoteLogPath")
    }
}
input(type="imudp" port="514" ruleset="RemoteLogPort")
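To check how the merged ruleset above will route traffic before reloading rsyslog, here is an added Python simulation of its if / else if / else chain with the same two regular expressions and dynaFile templates; it is not part of the original question or answer. The sample messages are constructed, and the split between %FROMHOST% (the peer that delivered the datagram) and $hostname (the value in the syslog header) is modelled explicitly because the answer's filter tests the latter while the file path uses the former.

```python
import re

# Patterns copied from the answer's ruleset. rsyslog's re_match() applies a
# POSIX extended regular expression, unanchored and case-sensitive; Python's
# re.search() with the same pattern gives identical results for these two.
ARUBA_MSG_RE = re.compile(r"AP:aaa-bbb01-ccc-ap")
ESX_HOST_RE = re.compile(r"tree-[a-zA-Z]{3}to[0-9]{3}")

# dynaFile templates from the question; %FROMHOST% is filled per message.
TEMPLATES = {
    "ArubaNetworksPath": "/var/log/rsyslog/aruba-networks/%FROMHOST%/aruba-networks.log",
    "EsxPath": "/var/log/rsyslog/esxvmware/%FROMHOST%/esxvmware.log",
    "RemoteLogPath": "/var/log/remote/unclassified/%FROMHOST%/unclassified.log",
}

# Constructed sample input (not from the post): (fromhost, hostname, msg).
SAMPLE_MESSAGES = [
    ("10.0.0.5", "ap-controller", "AP:aaa-bbb01-ccc-ap radio 0 up"),
    ("esx42.example", "tree-abcto042", "vmkernel: storage path change"),
    ("esx42.example", "tree-abcto042", "AP:aaa-bbb01-ccc-ap relayed"),
    ("fw-edge-1", "fw-edge-1", "kernel: dropped packet"),
    ("10.0.0.9", "TREE-abcto042", "case differs from the ESX pattern"),
]


def route(fromhost: str, hostname: str, msg: str) -> str:
    """Mirror the single RemoteLogPort ruleset from the answer.

    The first matching branch wins and the later branches are never
    evaluated, so an ESX host whose message carries the Aruba AP string
    is written to the Aruba file, not the ESX one.
    """
    if ARUBA_MSG_RE.search(msg):           # tested against $msg
        name = "ArubaNetworksPath"
    elif ESX_HOST_RE.search(hostname):     # tested against $hostname
        name = "EsxPath"
    else:
        name = "RemoteLogPath"
    # omfile expands %FROMHOST%, the delivering peer, not $hostname.
    return TEMPLATES[name].replace("%FROMHOST%", fromhost)


def route_all(messages=SAMPLE_MESSAGES):
    """Return (hostname, resolved path) for every sample message."""
    return [(h, route(f, h, m)) for f, h, m in messages]


if __name__ == "__main__":
    for host, path in route_all():
        print(f"{host:16} -> {path}")
```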