First of all this is the informations about my architecture :
I have these 3 lines in my file :
# Aruba Networks logs filtering
ruleset(name="ArubaNetworksPort") {
if (re_match($msg, "AP:aaa-bbb01-ccc-ap")) then {
action(type="omfile" dynaFile="ArubaNetworksPath")
}
# VMware ESX logs filtering
ruleset(name="EsxPort") {
if (re_match($hostname, "tree-[a-zA-Z]{3}to[0-9]{3}")) then {
action(type="omfile" dynaFile="EsxPath")
}
}
# Unclassified logs filtering
ruleset(name="RemoteLogPort") {
*.* action(type="omfile" dynaFile="RemoteLogPath")
}
template (name="ArubaNetworksPath" type="string" string="/var/log/rsyslog/aruba-networks/%FROMHOST%/aruba-networks.log")
template (name="EsxPath" type="string" string="/var/log/rsyslog/esxvmware/%FROMHOST%/esxvmware.log")
template (name="RemoteLogPath" type="string" string="/var/log/remote/unclassified/%FROMHOST%/unclassified.log")
input(type="imudp" port="514" ruleset="ArubaNetworksPort")
input(type="imudp" port="514" ruleset="EsxPort")
input(type="imudp" port="514" ruleset="RemoteLogPort")
And when I directly check the logs I see that in the message or the hostname of the listeners it matches with my filters meanwhile the logs go to the "RemoteLogPath" instead of "ArubaNetworksPath" or "EsxPath".
Any idea what's going on ? I can provide stuff if you need some informations, just ask me.
You cannot bind the same input to multiple rulesets. See for example this issue. You probably just want something like this:
ruleset(name="RemoteLogPort") {
if (re_match($msg, "AP:aaa-bbb01-ccc-ap")) then {
action(type="omfile" dynaFile="ArubaNetworksPath")
} else if (re_match($hostname, "tree-[a-zA-Z]{3}to[0-9]{3}")) then {
action(type="omfile" dynaFile="EsxPath")
} else {
action(type="omfile" dynaFile="RemoteLogPath")
}
}
input(type="imudp" port="514" ruleset="RemoteLogPort")