rsyslog doesn't work with property filter 'startswith'

Some problem for me on 10.04 (LTS) with rsyslog 4.2.0-2ubuntu8

This is a long term support release so think this bug should be moved up in importance.

Using 'contains' is a workaround but 'startswith' has significant efficiency gains when processing a lot of logs.

Status changed to 'Confirmed' because the bug affects multiple users.

I tried isequal and that doesn't work either. I assume rsyslogd is interpreting the timestamp, e.g. [ 8367.076851], as part of the message it is applying the filter to. In my case rsyslogd 4.6.4 on 11.04 (natty)

The problem seems to be that there's a leading space in the message.

:msg, startswith, " FIRE " -/var/log/fire.log
-> should work (at least for me it does)

I've seen on the debug log (rsyslog -d -n), this thing:
----
var '$msg': ' message goes here'
----

Which, via Google, lead me here: http://www.rsyslog.com/log-normalization-and-the-leading-space/

Where it says "The answer is, that messages are processed as RFC3164. In this RFC it is defined, that everything after the “:” of the syslog header is to be considered as the message. Thus, the message has a leading space now."

I can confirm that Radu Gheorghe (radu0gheorghe) is correct and have had to use the following template to discard the leading whitepsace.

  $template ApacheLogFormat,"%msg:2:10000%\n"

This is caused by the intersection of two distinct 'features'.

I'm investigating 12.04 Precise LTS with rsyslog version 5.8.6.

Firstly, a caution: the documentation for the imklog module on the rsyslog web-site is not version-specific and therefore cannot be relied upon for clear accurate information about the version carried by Ubuntu.

The issues are:

1. the imklog module receives Linux kernel log messages. The kernel prefixes those log messages with a time-stamp of the form "[174766.200834] ...". This is rsyslog's %msg% property.

2. The "startswith" compare-operator "Checks if the value is found exactly at the beginning of the property value".

So, when receiving kernel log messages they begin with a time-stamp which prevents use of the "startswith" operator to match on a log message prefix.

In version 7.3.4 of rsyslog released 7 December 2012 the imklog module has the operator "KeepKernelTimeStamp" which can be set to "off" to drop the time-stamps.