I have created a rule to redirect messages containing {FILTER} in the file /etc/rsyslog.d/40-filter.conf
:msg,contains,"{FILTER}" /var/log/filter.log
& ~
I have edited the file /etc/rsyslog.conf so it accepts remote UDP messages by uncommenting the lines
$ModLoad imudp
$UDPServerRun 514
The source of my syslog messages is the following simple python script
#! /usr/bin/python
import logging
import logging.handlers
logger = logging.getLogger('LoggingTest')
logger.setLevel(logging.DEBUG)
# The marker is the first thing in the formatted text; nothing precedes it.
formatter = logging.Formatter('{FILTER} %(message)s')
# No address given: SysLogHandler defaults to UDP datagrams to localhost:514.
handler = logging.handlers.SysLogHandler()
handler.setFormatter(formatter)
logger.addHandler(handler)
logger.info("Test Message")
I restarted rsyslog using
sudo service rsyslog restart
When I run my script the following line appears in /var/log/messages, /var/log/syslog and /var/log/user.log but it does not appear in /var/log/filter.log which exists but remains empty.
Jun 23 17:18:29 {FILTER} Test Message
If I use the command-line tool 'logger' (command-line example given below) then the rule is applied correctly
$ logger "{FILTER} Test Message 2"
$ cat /var/log/filter.log
Jun 23 17:21:28 NDU1010 nick: {FILTER} Test Message 2
Why isn't the rule applied to messages from my python script? I'm at a loss to explain this.
Best Answer
From the output you've given, it looks like the python script is not sending all the pieces of the syslog message that rsyslog is expecting. It appears as if the "{FILTER}" part is where the host and app name should be. You can pretty easily prove this by running rsyslogd with the -d flag, then sending the message from python and then from logger. You'll see the raw message as it comes from the socket that way, and I bet you'll see that logger is sending more fields in front of the "{FILTER}" part.
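The field mismatch the answer describes, as an added example that belongs to neither the question nor the answer: it rebuilds the datagram the script's Formatter produces (with Python's own logging classes, no socket), splits it with a deliberately simplified model of rsyslog's RFC 3164 header parsing (an assumption, not rsyslog's code), and shows that the ":msg,contains" rule never sees {FILTER} because it has been consumed as HOSTNAME. The logger(1) datagram is constructed from the line shown in the question, and the "%(name)s:" fix at the end is an assumed remedy, not one the answer states.

```python
import logging
import logging.handlers
import re

# What SysLogHandler puts on the wire for one INFO record: <PRI> + formatted text,
# with PRI = (LOG_USER << 3) | LOG_INFO = 14. Built here without opening a socket.
def python_datagram(fmt, text):
    record = logging.LogRecord('LoggingTest', logging.INFO, 'script.py', 0, text, None, None)
    pri = (logging.handlers.SysLogHandler.LOG_USER << 3) | logging.handlers.SysLogHandler.LOG_INFO
    return '<%d>%s' % (pri, logging.Formatter(fmt).format(record))

TIMESTAMP = re.compile(r'[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ')
WORD = re.compile(r'[^ :]{1,32}')

# Simplified model (assumption) of legacy RFC 3164 parsing: PRI, optional timestamp;
# for network-received messages (imudp) the next word is HOSTNAME if a space follows it;
# TAG runs to ':' or a space; everything after TAG is MSG, the only field ":msg" filters see.
def split_rfc3164(datagram, from_network):
    body = datagram.rstrip('\x00')
    body = body[body.index('>') + 1:]
    ts = TIMESTAMP.match(body)
    body = body[ts.end():] if ts else body
    host = None
    if from_network:
        w = WORD.match(body)
        if w and body[w.end():w.end() + 1] == ' ':
            host, body = w.group(0), body[w.end() + 1:]
    t = WORD.match(body)
    tag = t.group(0) if t else ''
    if body[len(tag):len(tag) + 1] == ':':
        tag += ':'
    return {'timestamp': ts.group(0).strip() if ts else None,
            'hostname': host, 'tag': tag, 'msg': body[len(tag):]}

def rule_matches(datagram, from_network, needle='{FILTER}'):
    """Emulates ':msg,contains,"{FILTER}"' against the parsed MSG field."""
    return needle in split_rfc3164(datagram, from_network)['msg']

if __name__ == '__main__':
    # The question's script: UDP to localhost:514, so rsyslog looks for a hostname.
    original = python_datagram('{FILTER} %(message)s', 'Test Message')
    print(original, split_rfc3164(original, True), rule_matches(original, True))
    # logger(1) writes to /dev/log and already carries a timestamp and a TAG (constructed).
    via_logger = '<13>Jun 23 17:21:28 nick: {FILTER} Test Message 2'
    print(via_logger, split_rfc3164(via_logger, False), rule_matches(via_logger, False))
    # Assumed fix: lead with a TAG so the marker lands in MSG instead of HOSTNAME.
    fixed = python_datagram('%(name)s: {FILTER} %(message)s', 'Test Message')
    print(fixed, split_rfc3164(fixed, True), rule_matches(fixed, True))
```

Running rsyslogd with -d, as the answer suggests, shows the real datagrams to compare against these reconstructions.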