OK, I narrowed the issues down. Now I've faced strange issues like this before when using the $IncludeConfig directive.
This is what I have just tested with in my /etc/rsyslog.conf file (and other lines) and it worked fine:
----
$IncludeConfig /etc/rsyslog.d/
:FROMHOST, isequal, "server" /var/log/remote/server/all
----

Now if I have a file /etc/rsyslog.d/testalert_for_another_server, things turn strange and only certain messages are logged from the first server:
----
$ModLoad ommail
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template DYNserver2, "/var/log/remote/server2.log"
$template TraditionalFormatNoHostname,"%timegenerated% %syslogtag%%msg:::drop-last-lf%\n"
if $hostname == 'server2.domain.com' then ?DYNserver2;TraditionalFormatNoHostname
$ActionMailFrom [email protected]
$ActionMailTo server2_alert
$template mailSubjectTestAlert,"INFO: Alert detected"
$template mailBodyTestAlert,"Message is..."
$ActionMailSubject mailSubjectTestAlert
$ActionExecOnlyOnceEveryInterval 300
$ActionExecOnlyEveryNthTimeTimeout 1200
$ActionExecOnlyEveryNthTime 3
if $hostname == 'server2.domain.com' and $msg contains 'Some message' then :ommail:;mailBodyTestAlert
----

Now if I add the contents of /etc/rsyslog.d/testalert_for_another_server to /etc/rsyslog.conf (and remove file /etc/rsyslog.d/testalert_for_another_server) then things work fine...

Now if I remove the previous changes to /etc/rsyslog.conf and modify /etc/rsyslog.d/testalert_for_another_server and remove the following lines then things work OK again:
$ActionExecOnlyOnceEveryInterval 300
$ActionExecOnlyEveryNthTimeTimeout 1200
$ActionExecOnlyEveryNthTime 3

- Julian

On Sun, Mar 15, 2009 at 7:16 PM, <[email protected]> wrote:
> On Sun, 15 Mar 2009, Julian Yap wrote:
>
>> I'm having trouble logging ALL the syslog messages received from a
>> server. I'm not sure if it's because it's from a non-standard piece
>> of hardware (ie. not a Linux server). Logging to another server
>> running syslogd works fine (but syslogd doesn't allow me to log
>> messages from a remote server to a separate file and it's not my
>> central syslogd server).
>>
>> I've tried several lines but none seem to work for me:
>> if $fromhost == 'server' then /var/log/remote/server/all
>> if $source == 'server' then /var/log/remote/server/all
>> :FROMHOST, isequal, "server" /var/log/remote/server/all
>> if $fromhost == 'server.domain.com' then /var/log/remote/server/all
>> if $fromhost-ip == '192.168.0.60' then /var/log/remote/server/all
>
> there are a few possible reasons that this could have problems
>
> is it that you have a high volume of logs and some just get dropped?
>
> if you just write everything to a file (*.* /var/log/test) does it have
> all the logs from this server? or is it missing some?
>
> do the logs from this server sometimes include the host and sometimes not?
>
> what is different between the logs that you match and the ones that you
> miss?
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
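The comparison David suggests above (a catch-all `*.* /var/log/test` file checked against the per-host file) can be scripted to show exactly which records the filtered file lacks and what they have in common. This is an added example, not part of the original thread; it assumes both files are written in RSYSLOG_TraditionalFileFormat, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# RSYSLOG_TraditionalFileFormat: "Mmm dd hh:mm:ss host tag[pid]: msg"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)[^:]*: ?(.*)$")

def parse(lines):
    """Yield (timestamp, host, tag, msg) for every line in traditional format."""
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if m:
            yield m.groups()

def missing_from_filtered(catch_all, filtered, host):
    """Records for `host` that are in the catch-all file but not the per-host file."""
    seen = Counter(parse(filtered))
    missing = []
    for rec in parse(catch_all):
        if rec[1] != host:
            continue
        if seen[rec] > 0:
            seen[rec] -= 1          # consume one copy so repeated lines are counted
        else:
            missing.append(rec)
    return missing

def summarize(missing):
    """Count missing records per syslog tag to show what the dropped ones share."""
    return Counter(rec[2] for rec in missing)

# Constructed sample data standing in for /var/log/test and the per-host file.
CATCH_ALL = """\
Mar 15 19:00:01 server kernel: link up
Mar 15 19:00:02 server sshd[311]: session opened
Mar 15 19:00:03 server2 cron[88]: job started
Mar 15 19:00:04 server kernel: link down
Mar 15 19:00:05 server sshd[311]: session closed
Mar 15 19:00:06 server kernel: link up
""".splitlines()
FILTERED = """\
Mar 15 19:00:01 server kernel: link up
Mar 15 19:00:04 server kernel: link down
""".splitlines()

if __name__ == "__main__":
    gone = missing_from_filtered(CATCH_ALL, FILTERED, "server")
    for ts, host, tag, msg in gone:
        print(f"missing: {ts} {host} {tag}: {msg}")
    print(dict(summarize(gone)))
```

On real files, pass `open(path)` for each argument; a gap between the two files is also a gap in whatever alerting reads the per-host file.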

