A year ago, on Saturday, 2014-03-01 at 17:22 +0100, I wrote:
On Saturday, 2014-03-01 at 16:43 +0100, I wrote:
So the "stop" line for those systemd entries is not acting. However, it works for other sections, like the "named" section shown above, and others I do not show for clarity.
Are systemd entries special?
I now have:
if ($msg contains 'Started Session' and $msg contains 'of user') \
then -/var/log/systemdpurged
& stop

if ($programname == 'xinetd' or $syslogtag == '[xinetd]:') then -/var/log/xinetd.log
& stop
I get the expected entries in xinetd.log and systemdpurged.
The xinetd entries do not appear in /var/log/messages, but the systemd entries do. The stop clause is ignored for them:
<3.6> 2014-03-01 17:13:01 Telcontar systemd 1 - - Starting Session 107 of user news.
<3.6> 2014-03-01 17:15:02 Telcontar systemd 1 - - Starting Session 108 of user root.
I suddenly noticed that there are two very similar entries:

<3.6> 2016-05-17 04:10:01 Telcontar systemd 1 - - Starting Session 21475 of user wwwrun.
<3.6> 2016-05-17 04:10:01 Telcontar systemd 1 - - Started Session 21475 of user wwwrun.
<3.6> 2016-05-17 04:15:01 Telcontar systemd 1 - - Starting Session 21478 of user news.
<3.6> 2016-05-17 04:15:01 Telcontar systemd 1 - - Started Session 21478 of user news.

I simply have to filter both "Starting" and "Started". Sigh.

A year-long problem finally solved!

-- 
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
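
Added example, not part of the original message: one way to write the combined rule in rsyslog's block syntax, so that both the "Starting Session" and "Started Session" lines go to /var/log/systemdpurged and stop before reaching /var/log/messages. It assumes rsyslog v7 or later and that these messages carry the program name "systemd", as the log lines above suggest. Restricting the match to that program name keeps the substring test from diverting unrelated messages that happen to contain the same words.

```rsyslog
# Added example (not the poster's configuration).
# Assumption: $programname is 'systemd' for these session messages.
#
# The rule in the message only tested for 'Started Session', so every
# 'Starting Session ... of user ...' line missed the filter, never hit
# the stop, and was still written to /var/log/messages.

if ($programname == 'systemd'
    and $msg contains 'of user'
    and ($msg contains 'Starting Session'
         or $msg contains 'Started Session')) then {
    # Keep the session records in their own file instead of discarding
    # them, so the login/cron session history stays available for review.
    action(type="omfile" file="/var/log/systemdpurged")
    # End processing for this message; later rules never see it.
    stop
}
```

This block must be placed before the rule that writes to /var/log/messages, since stop only affects rules that come after it.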