rsyslog expression based filter - 'startswith' not working

by vyom   Last Updated October 09, 2019 18:00 PM

I am trying to filter out some sshd logs like these into a separate file:

 sshd[14913]: Did not receive identification string from

I tried the following, and it worked:

if $programname == 'sshd' and
   $syslogfacility-text == 'security' and
   $syslogseverity == '6' then -/var/log/sshinfo.log
& stop

But this also matches user login/logout, so i tried to add a a message-match filter:

if $programname == 'sshd' and
   $msg startswith 'Did not'  and    # <---
   $syslogseverity == '6' then -/var/log/sshinfo.log
& stop

It doesn't work! (although contains works)

Is startswith broken, or is this usage incorrect?


# rsyslogd -v
rsyslogd 7.4.4, compiled with:
    FEATURE_REGEXP:             Yes
    FEATURE_LARGEFILE:          No
    GSSAPI Kerberos 5 support:      Yes
    FEATURE_DEBUG (debug build, slow code): No
    32bit Atomic operations supported:  Yes
    64bit Atomic operations supported:  Yes
    Runtime Instrumentation (slow code):    No
    uuid support:               Yes
Tags : ubuntu ssh rsyslog

Related Questions

Updated October 02, 2019 12:00 PM

Updated April 28, 2017 09:00 AM

Updated July 16, 2015 15:00 PM

Updated October 15, 2015 06:00 AM

Updated March 23, 2016 08:00 AM