Rainer Gerhards wrote:
> Mmhhh... once we have expression support, that will be an easy thing to
> do. Currently, I think there are a number of clumsy work-arounds. We
> are around two months away from expressions, at least if all goes well.
>
> I think you can achieve something with BSD-style filter blocks
> (!progname/-host/+host), something along these lines:
>
> -host
> mail.* /var/log/maillog
> +hostname
> mail.* /var/log/mail-server.log
>
> Of course, this is hostname specific (and that again is not the IP but
> what is in the message...)
>
> To get to the IP, I think you can get at least some way with class A,B,C
> addresses, but NOT with any other masks. Here is the idea:
>
> $template dsl, /var/log/dsl-%$NOW%.log
> $template routers, /var/log/routers-%$NOW%.log
> :FROMHOST, startswith, "192.168.1." -?dsl
> :FROMHOST, startswith, "192.168.3." -?routers
> :FROMHOST, startswith, "10.1.1." -?routers
>
> Common pitfall: be sure to include the trailing dot in the condition to
> match. If the rule were
>
> :FROMHOST, startswith, "192.168.1" -?dsl
>
> It would match 192.168.1.1.2, 192.168.1.1.2 but also 192.168.1.11.2!
>
> With the current engine, there are unfortunately no logical operations
> available. So you cannot check for mail facility or whatever else. A
> somewhat crude work-around would be to include the facility in the file
> name, e.g. by specifying it as follows:
>
> $template dsl, /var/log/dsl-%syslogfacility-text%-%$NOW%.log
>
> That, of course, will result in a file written for each facility, even
> those that you are not interested in. I unfortunately do not have a
> solution for this now.
>
> With v3 expressions, I envision something along these lines:
>
> If maskmatch(FROMHOST, "192.168.1.0", 24) and syslog-facility-text == "mail" then
> writefile "/var/log/dslmail-%$NOW%"
>
> But that is not possible yet. And this is only an idea, not the actual
> config file format we will have at that time. In my blog, there are a
> number of posts about it, but the bottom line is that it is not yet
> designed:
>
> http://rgerhards.blogspot.com/2007/08/on-rsyslog-config-file-format.html
>
> Doc about current capabilities is here:
>
> http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_conf.html.phtml
>
> search for "Filter Conditions" on that page.
>
> The properties you need are documented here:
>
> http://www.rsyslog.com/module-Static_Docs-view-f-property_replacer.html.phtml
>
> Keep in mind they ARE CASE-SENSITIVE! (and don't ask me why I had that
> idea... ;))
>
> As always, feedback is appreciated. I would be most interested to learn
> at which final config you arrived.

Awesome! This is TOTALLY workable for what we're doing. I'm trying to set
it up and getting a weird message:

------------------------------------------------------------------
Dec 21 08:43:17 green rsyslogd:error: extra characters in config line ignored: '/var/log/cisco-dsl-%$NOW%.log'
Dec 21 08:43:17 green rsyslogd: Could not find template 'dsl' - action disabled
Dec 21 08:43:17 green rsyslogd:the last error occured in /etc/rsyslog.conf, line 37
------------------------------------------------------------------

The config I used is almost exactly what you provided...

$template dsl, /var/log/cisco-dsl-%$NOW%.log
:FROMHOST, startswith, "10.3." -?dsl

Am I missing something basic?

-- 
Scott Baker - Canby Telcom
RHCE - System Administrator - 503.266.8253
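
Added example, not part of the original posts and not rsyslog code: a Python sketch of the trailing-dot pitfall and of the mask limitation discussed in the thread, comparing a string "startswith" test with a numeric network/mask test. The function names and sample addresses are constructed for illustration, and startswith_prefixes goes beyond the thread by listing the dot-terminated prefixes that together cover a mask of /24 or shorter.

```python
import ipaddress

# Constructed sample sender addresses (not taken from the thread).
SAMPLES = ["192.168.1.7", "192.168.10.7", "192.168.11.2", "192.168.3.1", "green"]

def prefix_match(addr, prefix):
    """Plain string comparison, the way a 'startswith' filter compares."""
    return addr.startswith(prefix)

def mask_match(addr, network, bits):
    """Numeric comparison against network/bits (the 'maskmatch' idea)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # value is a hostname or garbage, not an IP address
    return ip in ipaddress.ip_network(f"{network}/{bits}", strict=False)

def disagreements(samples, prefix, network, bits):
    """Addresses that the string filter and the mask classify differently."""
    return [a for a in samples
            if prefix_match(a, prefix) != mask_match(a, network, bits)]

def startswith_prefixes(cidr):
    """Dot-terminated string prefixes that together cover an IPv4 network.

    Only masks of /1 to /24 can be expressed this way; a longer mask cuts
    through the last octet, which a string prefix cannot describe.
    """
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or not 1 <= net.prefixlen <= 24:
        raise ValueError(f"{cidr} cannot be expressed as string prefixes")
    octets = -(-net.prefixlen // 8)  # round up to a whole number of octets
    return [".".join(str(s.network_address).split(".")[:octets]) + "."
            for s in net.subnets(new_prefix=octets * 8)]

if __name__ == "__main__":
    # Without the trailing dot the string filter also catches .10.x and .11.x
    print(disagreements(SAMPLES, "192.168.1", "192.168.1.0", 24))
    # With the trailing dot both tests agree on every sample
    print(disagreements(SAMPLES, "192.168.1.", "192.168.1.0", 24))
    # A /22 needs four separate startswith rules
    print(startswith_prefixes("10.3.0.0/22"))
```
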

