rsyslog

rsyslog filtering and forwarding


I'm trying to achieve filtering and forwarding using a rsyslog vm.

When I use

*.* @@192.168.1.100:514

It forwards all logs to that log server.

What I need to do is filter out logs that contain 'testing' and 'flow' and also prevent logs from localhost from being sent to the log server.

I have tried many ways of achieving this combination and failed. I just don't receive any logs to the destination once I use filters.

The remaining full contents of the rsyslog.conf is

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####
if $msg contains 'testing' then @@192.168.1.100:514
#*.* @@192.168.1.100:514

My configuration is not working.


Solution

  • First off, notice that line $IncludeConfig /etc/rsyslog.d/*.conf. Basically it's saying that all .conf files will be included in that rsyslog.conf file you pasted. So rather than putting your rule at the bottom of that file, I would advise adding another file, say /etc/rsyslog.d/30-testing.conf and putting your rule there. This is more organized, and will be helpful if your syslog config grows in the future.

    Other than that though, if it works without the filter, and thus ports/firewall isn't an issue, then it really should work -- your filter line looks fine. You might have already done so, but maybe try:

    :msg, contains, "testing"         @@192.168.1.100:514


    Also, are you restarting the rsyslog service every time you change the configuration file? You may need to do so. Can you also post what version of rsyslog you're using?
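Putting the answer's advice together with the original requirement (do not forward messages containing 'testing' or 'flow', and do not forward messages that originated on the rsyslog host itself), here is a complete drop-in file as an added example; it is not from the question or the answer above. It assumes rsyslog 7 or newer (which the imjournal and `if ... then` lines in the posted rsyslog.conf already imply), the file name /etc/rsyslog.d/30-testing.conf suggested in the answer, the collector 192.168.1.100:514 from the question, and that locally generated messages carry 127.0.0.1 in $fromhost-ip, as rsyslog documents for local inputs.

```rsyslog
# /etc/rsyslog.d/30-testing.conf  (added example, not the original poster's config)
#
# This file is pulled in by "$IncludeConfig /etc/rsyslog.d/*.conf" in
# rsyslog.conf, so it runs before the stock local-file rules that follow it.
# Assumption: local inputs (imjournal/imuxsock) set $fromhost-ip to 127.0.0.1.

# Forward only what passes both tests:
#   1. the message text does NOT contain "testing" or "flow"
#      ("contains" is case-sensitive; use "contains_i" to ignore case)
#   2. the message did NOT originate on this host
# Messages that fail a test are simply not forwarded; they still reach the
# local log files below. Use "stop" inside a matching block instead if they
# should be discarded entirely.
if (not ($msg contains "testing" or $msg contains "flow"))
   and ($fromhost-ip != "127.0.0.1") then {
    action(type="omfwd"
           target="192.168.1.100" port="514" protocol="tcp"
           # keep retrying and spool to disk under $WorkDirectory if the
           # collector is unreachable, so a TCP outage does not drop or block
           action.resumeRetryCount="-1"
           queue.type="LinkedList" queue.filename="fwd_testing")
}
```

Check the syntax with `rsyslogd -N1` before restarting the service (`systemctl restart rsyslog`); a parse error in any file under /etc/rsyslog.d/ is the usual reason "nothing arrives once filters are added".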