[Bug 479592] Re: rsyslog doesn't work with property filter 'startswith'
TJ
ubuntu at iam.tj
Sat Jan 26 13:12:25 UTC 2013
This is caused by the intersection of two distinct 'features'.

I'm investigating 12.04 Precise LTS with rsyslog version 5.8.6.

Firstly, a caution: the documentation for the imklog module on the
rsyslog web-site is not version-specific and therefore cannot be relied
upon for clear, accurate information about the version carried by Ubuntu.

The issues are:

1. The imklog module receives Linux kernel log messages. The kernel
   prefixes those log messages with a time-stamp of the form
   "[174766.200834] ...". This is rsyslog's %msg% property.

2. The "startswith" compare-operator "Checks if the value is found
   exactly at the beginning of the property value".

So, when receiving kernel log messages they begin with a time-stamp
which prevents use of the "startswith" operator to match on a log
message prefix.

In version 7.3.4 of rsyslog released 7 December 2012 the imklog module
has the operator "KeepKernelTimeStamp" which can be set to "off" to drop
the time-stamps.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/479592
Title:
rsyslog doesn't work with property filter 'startswith'
Status in “rsyslog” package in Ubuntu:
Confirmed
Bug description:
  Binary package hint: rsyslog

  It seems that the property filter 'startswith' can't be used to filter e.g. firewall messages.
  Using 'contains' works as expected.

  e.g.

  Nov 9 22:28:24 xxx kernel: [ 8367.076851] FIRE IN= OUT=eth0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8231 DF PROTO=TCP SPT=4815 DPT=22 SEQ=2172904999 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030306)

  :msg, contains, "FIRE " -/var/log/fire.log
  -> works

  :msg, startswith, "FIRE " -/var/log/fire.log
  -> doesn't work

  This issue is already mentioned in bug 450002 comment #2.

  I'm working with rsyslog 4.2.0-2ubuntu5 on (k)ubuntu 9.10.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/479592/+subscriptions
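
The behaviour described in the comment above, as an added example that is not part of the original message and is not rsyslog code: a small Python model of the 'contains' and 'startswith' property filters applied to the kernel log line from the bug description. The function names, the keep_timestamp flag (standing in for the KeepKernelTimeStamp setting) and the assumption that %msg% is the text after "kernel: " are illustrative.

```python
import re

# Constructed sample, shortened from the log line quoted in the bug description.
SAMPLE = ("Nov  9 22:28:24 xxx kernel: [ 8367.076851] FIRE IN= OUT=eth0 "
          "SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx PROTO=TCP SPT=4815 DPT=22")

# Kernel time-stamp at the very start of the message text:
# "[", optional padding spaces, seconds, ".", six digits, "]", one space.
KTIME = re.compile(r"^\[\s*(\d+)\.(\d{6})\]\s?")


def msg_property(line, tag="kernel: "):
    """Assumed model of %msg%: everything after the syslog tag."""
    _, _, rest = line.partition(tag)
    return rest


def strip_kernel_timestamp(msg):
    """Return (uptime_seconds or None, msg without a leading time-stamp)."""
    m = KTIME.match(msg)
    if m is None:
        return None, msg          # nothing to strip, leave the text untouched
    return float(f"{m.group(1)}.{m.group(2)}"), msg[m.end():]


def prop_filter(value, op, pattern):
    """Model of the two compare-operations discussed in the bug."""
    if op == "contains":
        return pattern in value
    if op == "startswith":        # must match at offset 0 of the property
        return value.startswith(pattern)
    raise ValueError(f"unsupported compare-operation: {op}")


def matches(line, op, pattern, keep_timestamp=True):
    """Evaluate a filter on a log line, optionally dropping the time-stamp first."""
    msg = msg_property(line)
    if not keep_timestamp:
        _, msg = strip_kernel_timestamp(msg)
    return prop_filter(msg, op, pattern)


if __name__ == "__main__":
    for op in ("contains", "startswith"):
        for keep in (True, False):
            print(op, "keep_timestamp =", keep, "->",
                  matches(SAMPLE, op, "FIRE ", keep_timestamp=keep))
```

With the time-stamp kept, only 'contains' matches "FIRE "; once the time-stamp is dropped, 'startswith' matches as well.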