
I am working on filtering logs from syslog and forwarding them to another log.

I am able to capture/filter the log based on "internal-sftp" by using

if $programname == 'internal-sftp' then /var/log/sftp/sftp.log

The above is working.

But I am unable to filter based on this "lstat name". I tried pri, syslogtag, etc.; below is the log format.

Apr 24 02:16:30 ip-10-0-10-22 internal-sftp[4714]: lstat name "/settlement/universalpay/test_deletez.log"

So, how can I filter the line containing "lstat name" based on a condition? Which properties should I use?

Below is the sample code I am trying.

if $programname == 'internal-sftp' then {
        if $syslogfacility-text contains 'lstat name' then {
                action(type="omfile" file="/var/log/sftp/sftp_lstat_files.log" template="outfmt")
        }
        action(type="omfile" file="/var/log/sftp/sftp.log" template="outfmt")
        & stop
}
  • It is probably in the $msg property. See properties. Commented Apr 24, 2020 at 12:40
  • I tried this and learnt that "/settlement/universalpay/test_deletez.log" is the $msg part. Commented Apr 24, 2020 at 21:14
  • Look through the Reserved Template Names. It might be the $app-name. If not, use the RSYSLOG_DebugFormat template to break out the properties. Commented Apr 24, 2020 at 21:33

1 Answer

Bala,

Could you please check as below:

if $msg startswith ' lstat name' then { ....

Make sure that you have a space, as shown above, in front of ' lstat name'.
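Putting the question's program-name filter and the answer's $msg match together, here is a complete rsyslog (RainerScript) fragment as an added example; it is not part of the question or the answer. The template named "outfmt" is referenced in the question but never defined there, so the definition below, the file paths and the drop-in location are assumptions to adapt to your host.

```rsyslog
# Added example, not from the original post. Save as e.g.
# /etc/rsyslog.d/30-sftp.conf (assumed path) and restart rsyslogd.

# "outfmt" is used in the question but not defined there; this
# definition is an assumption. drop-last-lf strips the trailing newline.
template(name="outfmt" type="string"
         string="%timegenerated% %hostname% %syslogtag%%msg:::drop-last-lf%\n")

if $programname == 'internal-sftp' then {
    # For a traditional (RFC 3164) line such as
    #   Apr 24 02:16:30 ip-10-0-10-22 internal-sftp[4714]: lstat name "/settlement/..."
    # rsyslog keeps the space after the colon in $msg, so $msg is
    #   ' lstat name "/settlement/universalpay/test_deletez.log"'
    # and the match pattern must begin with that space.
    if $msg startswith ' lstat name' then {
        action(type="omfile" file="/var/log/sftp/sftp_lstat_files.log" template="outfmt")
    }

    # Every internal-sftp line (lstat lines included) still lands in the main file.
    action(type="omfile" file="/var/log/sftp/sftp.log" template="outfmt")

    # Stop here so these messages do not also fall through to the default
    # rules (/var/log/syslog, /var/log/messages, ...).
    stop
}
```

Validate the file with `rsyslogd -N1` before restarting. If the "lstat name" text might not sit at the very start of the body, `$msg contains 'lstat name'` matches it anywhere in the message at the cost of a slightly looser filter; and, as the comments suggest, temporarily writing the message with the built-in RSYSLOG_DebugFormat template is the quickest way to see exactly which text ends up in $programname, $syslogtag and $msg on your version.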
