Without verification, but should work:

# Mail servers log to their special section
$FileCreateMode 0644
:FROMHOST, isequal, "magenta" -?magic-mail
& ~
:FROMHOST, isequal, "cyan" -?magic-mail
& ~
:FROMHOST, isequal, "orange" -?magic-mail
& ~

# Firewalls
:FROMHOST, isequal, "yin" -?firewall
& ~
:FROMHOST, isequal, "yang" -?firewall
& ~

*.* /var/log/catchrest

& ~ discards the message after it is written to the file in question.

Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Scott Baker
> Sent: Friday, December 19, 2008 5:39 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Troubleshooting missing log entries
>
> Rainer Gerhards wrote:
> > I'd still go for debug mode. You don't need to run it very long. We just
> > need to see how a few of these messages are fully processed. A proper
> > test setup would be to start up in debug mode with the network cable
> > pulled, then plug it in for a second or two, then unplug it again. Once
> > rsyslogd is finished processing, stop it. That should lead to useful
> > info in the debug log.
> >
> > Oh - and are you sure that fromhost has the proper IP addresses? If not
> > 100% sure, verify it by putting something like '%FROMHOST%' into a debug
> > template (note that there is also FROMHOST-IP, which will have the IP
> > address no matter if names are resolved or not).
> >
> I like the debug template idea, that's genius. Is there a way to have a
> bunch of filters to catch assorted things, and then an "everything
> leftover" filter?
>
> ------------------------------------------------------------------------
>
> # Mail servers log to their special section
> $FileCreateMode 0644
> :FROMHOST, isequal, "magenta" -?magic-mail
> :FROMHOST, isequal, "cyan" -?magic-mail
> :FROMHOST, isequal, "orange" -?magic-mail
>
> # Firewalls
> :FROMHOST, isequal, "yin" -?firewall
> :FROMHOST, isequal, "yang" -?firewall
>
> # Everything that didn't get caught by one of the above filters
> (I have no idea what the syntax would be)
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
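
The same routing written in RainerScript, the configuration syntax of rsyslog 7 and later, where `stop` takes the place of the `& ~` discard. This is an added example, not part of the thread; the two template definitions and their file paths are assumptions, since the thread never shows how `magic-mail` and `firewall` are defined.

```rsyslog
# Added example, not from the thread.
# ASSUMED template definitions: the paths are placeholders.
template(name="magic-mail" type="string"
         string="/var/log/mail/%fromhost%.log")
template(name="firewall" type="string"
         string="/var/log/firewall/%fromhost%.log")

# Mail servers log to their special section.
# "stop" ends processing of the message once it has been written,
# so it never reaches the catch-all at the bottom.
if $fromhost == "magenta" or $fromhost == "cyan" or $fromhost == "orange" then {
    action(type="omfile" dynaFile="magic-mail" fileCreateMode="0644")
    stop
}

# Firewalls
if $fromhost == "yin" or $fromhost == "yang" then {
    action(type="omfile" dynaFile="firewall" fileCreateMode="0644")
    stop
}

# Everything that was not stopped by one of the blocks above.
# Rule order matters: this action must stay last.
action(type="omfile" file="/var/log/catchrest" fileCreateMode="0644")
```

A host that unexpectedly shows up in `/var/log/catchrest` usually means its `fromhost` value differs from the string in the filter; the debug template with `%FROMHOST%` mentioned in the thread shows the value rsyslog actually sees.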

