On Thu, 2008-12-18 at 11:59 -0800, Scott Baker wrote:
> I have the following entry in my rsyslog conf, to match entries based on IP
> address. Somehow it's not matching any entries.
> 
> # Switches
> $FileCreateMode 0644
> :FROMHOST, isequal, "65.182.224.13"          -?switches # Necalea
> :FROMHOST, isequal, "65.182.224.202"         -?switches
> :FROMHOST, isequal, "66.206.80.60"        -?switches
> 
> If I do a tcpdump I see syslog hitting the box, it's just rsyslog isn't
> handling it right.
> 
> 11:58:20.722867 IP 65.182.224.13.8888 > 65.182.224.26.514: SYSLOG
> local4.info, length: 121
> 11:58:23.962613 IP 65.182.224.13.8888 > 65.182.224.26.514: SYSLOG
> local4.info, length: 130
> 11:58:41.242621 IP 65.182.224.13.8888 > 65.182.224.26.514: SYSLOG
> local4.info, length: 108
> 11:58:45.874064 IP 65.182.224.13.8888 > 65.182.224.26.514: SYSLOG
> local4.info, length: 130
> 
> This box gets about 500 lines of syslog a minute so I can't really turn on
> debug. How else can I troubleshoot this? This is a Fedora 8 box running:
> rsyslog-2.0.2-3.fc8

I'd still go for debug mode. You don't need to run it very long. We just
need to see how a few of these messages are fully processed. A proper
test setup would be to start up in debug mode with the network cable
pulled, then plug it in for a second or two, then unplug it again. Once
rsyslogd is finished processing, stop it. That should lead to useful
info in the debug log.

Oh - and are you sure that fromhost has the proper IP addresses? If not
100% sure, verify it by putting something like '%FROMHOST%' into a debug
template (note that there is also FROMHOST-IP, which will have the IP
address no matter if names are resolved or not).

HTH,
Rainer
> 
> - Scott
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
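
The debug template suggested in the reply could look like the following. This is an added example, not configuration posted by either participant; the template name FromHostDebug and the log file path are assumptions, and it assumes the installed rsyslog version provides the fromhost-ip property mentioned in the reply.

```conf
# Added example: temporary diagnostic rules in legacy rsyslog.conf syntax.
# "FromHostDebug" and /var/log/fromhost-debug.log are assumed names.

# Write both properties side by side for every received message.
# The brackets make stray whitespace or an unexpected hostname obvious.
$template FromHostDebug,"%timegenerated% fromhost=[%fromhost%] fromhost-ip=[%fromhost-ip%] %msg%\n"
*.* /var/log/fromhost-debug.log;FromHostDebug

# If fromhost turns out to hold a resolved name instead of the address,
# match on fromhost-ip, which carries the address whether or not names
# are resolved. "switches" is the dynamic-file template referenced in the
# original config and has to be defined before these lines.
:fromhost-ip, isequal, "65.182.224.13"   -?switches
:fromhost-ip, isequal, "65.182.224.202"  -?switches
:fromhost-ip, isequal, "66.206.80.60"    -?switches
```

A few captured lines in the debug file are enough to see which value each property holds; the catch-all rule can then be removed again.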
