rsyslog stop command copies messages instead of moving

Question

On Ubuntu 18.04 with rsyslogd 8.32.0,

To move log entries from my service, named "mqtt433", I have added the following into /etc/rsyslog.d/50-default.conf:

if $programname == 'mqtt433' then {
    action(type="omfile" File="/var/log/mqtt433_log.log")
    stop
}

which creates the file /var/log/mqtt433_log.log and appends log messages from the service to it, as expected. What it shouldn't do in my understanding, is that it should not keep the lines in the default file (/var/log/syslog), while it does.

In other words, it should move message to the new file, not copy them.

I've also tried the old rule syntax, with the same result.

:programname, isequal, "mqtt433" /var/log/mqtt433.log
& stop

Also I've tried the deprecated syntax

& ~

instead of

& stop

with no luck.

What am I doing wrong?

Answer 1

Make sure your conf file is being read before any other rules. For example, check there are no earlier files in directory /etc/rsyslog.d/, and no filter rules in the rsyslog.conf before the $IncludeConfig /etc/rsyslog.d/*.conf line that is including your configuration at that point. Typically, rules are placed after a ## RULES ## comment, and are executed in the order they appear.