Tags: syslog, rsyslog

Why does rsyslog isequal filter fail?


I want to log everything from the rsyslogd executable (daemon) to a file.

# /etc/rsyslog.conf
if $syslogtag isequal 'rsyslogd' then /tmp/foo.log 
if $syslogtag isequal 'rsyslogd:' then /tmp/foo.log
if $syslogtag isequal ' rsyslogd' then /tmp/foo.log
if $syslogtag isequal ' rsyslogd:' then /tmp/foo.log

In a separate shell:

sv down /root/service/rsyslog/
sv up /root/service/rsyslog/
tail -F /tmp/foo.log

Result: bupkus

So I edit rsyslog.conf:

# /etc/rsyslog.conf
if $syslogtag contains 'rsyslogd' then /tmp/foo.log 

Rinse and repeat; in a separate shell:

sv down /root/service/rsyslog/
sv up /root/service/rsyslog/
tail -F /tmp/foo.log

Tada: 20190424_195027 linuxbox info rsyslogd: [origin software="rsyslogd" swVersion="8.28.0" x-pid="27384" x-info="http://www.rsyslog.com"] start

What gives? I don't get why the attempts at using isequal fail.

The %syslogtag% looks like some variation of "rsyslogd" either with whitespace or a colon attached somewhere - but I think I've gone through every reasonable permutation thereof, so why is the isequal comparison failing?


Solution

  • You need to look for error messages during the parsing of your configuration (for example with rsyslogd -N1), as your lines are being ignored. The isequal operator is used with this sort of syntax:

    :syslogtag, isequal, "rsyslogd:"  ./output1
    

    whereas the if..then syntax needs the == operator:

    if $syslogtag == 'rsyslogd:' then ./output2
    

    The contains operator works with both syntaxes.
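Beyond the syntax error the answer points out, there is a second pitfall in the question: the exact-match value has to be the whole `$syslogtag`, which is the TAG field as received (program name, optional `[pid]`, and the trailing colon, with no leading space), so `'rsyslogd'` and `' rsyslogd:'` can never be equal to it. The following is an added example, not code from the original post or from the rsyslog project: it emulates in Python how rsyslog derives `$syslogtag` and `$programname` from the MSG part of a line (per the rsyslog property documentation: `programname` is the tag up to the first `:`, `[` or `/`) and runs the `isequal`/`==`, `contains` and `startswith` filters from the answer over a few constructed sample messages. The sample lines, including the `rsyslogd-2177:` tag format older rsyslog releases used for their own error messages, are constructed for illustration, and the parsing regexes are an approximation of rsyslog's parser, not its code.

```python
import re

# $syslogtag is the TAG field as received: program name, optional [pid] and
# the trailing colon. $programname is the static part of that tag, cut at the
# first ':', '[' or '/' (rsyslog property docs). Approximation, not rsyslog code.
TAG_RE = re.compile(r"^(?P<tag>[^\s:]+:)\s")
PROG_RE = re.compile(r"^[^\s:\[/]+")


def parse_tag(msg):
    """Return (syslogtag, programname) for the MSG part of a syslog line."""
    m = TAG_RE.match(msg)
    if not m:
        return "", ""  # no TAG field: both properties end up empty
    tag = m.group("tag")
    return tag, PROG_RE.match(tag).group(0)


# Emulated compare operations: ':prop, isequal, "v"' / '$prop == "v"',
# ':prop, contains, "v"' / '$prop contains "v"', and startswith.
def filter_isequal(prop, value):
    return prop == value


def filter_contains(prop, value):
    return value in prop


def filter_startswith(prop, value):
    return prop.startswith(value)


# Constructed sample MSG parts (not captured logs). Line 1 mirrors the
# start-up message shown in the question; line 2 uses the rsyslogd-NNNN:
# tag format older rsyslog releases emitted for their own error messages.
SAMPLES = [
    'rsyslogd: [origin software="rsyslogd" swVersion="8.28.0" x-pid="27384"] start',
    "rsyslogd-2177: imuxsock begins to drop messages from pid 4242 due to rate-limiting",
    "sshd[1234]: Accepted publickey for alice from 10.0.0.2 port 51234 ssh2",
    "rsyslogd[27384]: rsyslogd's groupid changed to 102",
    "message without a TAG field",
]


def select(op, prop, value):
    """Messages that a filter 'op' on property 'prop' ($syslogtag or
    $programname) compared against 'value' would route to the action."""
    out = []
    for msg in SAMPLES:
        tag, prog = parse_tag(msg)
        props = {"syslogtag": tag, "programname": prog}
        if op(props[prop], value):
            out.append(msg)
    return out


if __name__ == "__main__":
    cases = [
        ("$syslogtag == 'rsyslogd'          ", filter_isequal, "syslogtag", "rsyslogd"),
        ("$syslogtag == ' rsyslogd:'        ", filter_isequal, "syslogtag", " rsyslogd:"),
        ("$syslogtag == 'rsyslogd:'         ", filter_isequal, "syslogtag", "rsyslogd:"),
        ("$syslogtag contains 'rsyslogd'    ", filter_contains, "syslogtag", "rsyslogd"),
        ("$programname == 'rsyslogd'        ", filter_isequal, "programname", "rsyslogd"),
        ("$programname startswith 'rsyslogd'", filter_startswith, "programname", "rsyslogd"),
    ]
    for label, op, prop, value in cases:
        hits = select(op, prop, value)
        print(f"{label}: {len(hits)} of {len(SAMPLES)} messages")
        for h in hits:
            print("    ", h)
```

The run shows why the question's four `isequal` lines could never have matched even with correct syntax (no tag equals `'rsyslogd'` or carries a leading space), why `== 'rsyslogd:'` selects only the bare-tag start-up message and misses the `[pid]` and `rsyslogd-NNNN:` variants, and why `contains 'rsyslogd'` catches all three. If the intent is "everything from the rsyslogd program", comparing `$programname` (which already drops the `[pid]` and colon) is the cleaner exact match, with `startswith` if the numbered error tags also need to be included. Whatever filter is chosen, validate the file with `rsyslogd -N1` before restarting, as the answer says.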