Scott,

So now a bit more in-depth: the HOSTNAME is taken form the syslog message, 
while FROMHOST is the last hope. There is only a difference in relay scenarios 
- or, like here, based on DNS resolution. This is why you see different values. 
The point is to match against the same one that is used in the catchall rule.

However, I think the most appropriate thing to do is add a FROMHOST-IP 
property, which always has the IP address of the sender, no matter if the -x 
option is given or not.

Would that help?

Rainer 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Rainer Gerhards
> Sent: Monday, December 24, 2007 7:59 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Hostname matching with DNS
> 
> Really quick: check the HOSTNAME (or so ;)) property. 
> 
> ----- Ursprüngliche Nachricht -----
> Von: "Scott Baker" <[EMAIL PROTECTED]>
> An: "rsyslog-users" <[email protected]>
> Gesendet: 24.12.07 19:10
> Betreff: [rsyslog] Hostname matching with DNS
> 
> I have a couple host on private IPs 10.x.x.x and thus they have no
> DNS entries. So rather that log the IP in syslog I setup host
> entries for them.
> 
> If I do something like
> 
> :FROMHOST, isequal, "foobar"                -?dialup
> 
> it doesn't match the /etc/hosts entry I have for foobar. If I setup
> a catchall entry that goes to a test log I see the line
> 
> Dec 24 10:06:23 foobar [This is the message]
> 
> So it's logging the hostname like I would expect it to (rsyslog is
> aware of the host entry) but I can't match against it? Unfortunately
> my server is SUPER busy now and I can't put the server in debug mode
> to check what's coming across. Is there another way I could 
> check this?
> 
> -- 
> Scott Baker - Canby Telcom
> RHCE - System Administrator - 503.266.8253
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> 
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

Reply via email to