The issue is that these statements

$ActionExecOnlyOnceEveryInterval 300
$ActionExecOnlyEveryNthTimeTimeout 1200
$ActionExecOnlyEveryNthTime 3

modify the *next* action. So you need to specify them in front of the action. If you use the $includeConfig option, and have part of the action inside the include file and other parts (the statements) outside (or vice versa), you never know which action gets configured how. So place all of them together.

HTH
Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Julian Yap
> Sent: Monday, March 16, 2009 9:15 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Logging all messages from a remote server
>
> OK, I narrowed the issues down. Now I've faced strange issues like
> this before when using the $IncludeConfig directive.
>
> This is what I have just tested with in my /etc/rsyslog.conf file (and
> other lines) and it worked fine:
> ----
> $IncludeConfig /etc/rsyslog.d/
> :FROMHOST, isequal, "server" /var/log/remote/server/all
> ----
>
> Now if I have a file /etc/rsyslog.d/testalert_for_another_server,
> things turn strange and only certain messages are logged from the
> first server:
> ----
> $ModLoad ommail
>
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> $template DYNserver2, "/var/log/remote/server2.log"
> $template TraditionalFormatNoHostname,"%timegenerated%
> %syslogtag%%msg:::drop-last-lf%\n"
>
> if $hostname == 'server2.domain.com' then
> ?DYNserver2;TraditionalFormatNoHostname
>
> $ActionMailFrom [email protected]
> $ActionMailTo server2_alert
> $template mailSubjectTestAlert,"INFO: Alert detected"
> $template mailBodyTestAlert,"Message is..."
> $ActionMailSubject mailSubjectTestAlert
> $ActionExecOnlyOnceEveryInterval 300
> $ActionExecOnlyEveryNthTimeTimeout 1200
> $ActionExecOnlyEveryNthTime 3
>
> if $hostname == 'server2.domain.com' and $msg contains 'Some message'
> then :ommail:;mailBodyTestAlert
> ----
>
> Now if I add the contents of
> /etc/rsyslog.d/testalert_for_another_server to /etc/rsyslog.conf (and
> remove file /etc/rsyslog.d/testalert_for_another_server) then things
> work fine...
>
> Now if I remove the previous changes to /etc/rsyslog.conf and modify
> /etc/rsyslog.d/testalert_for_another_server and remove the following
> lines then things work OK again:
> $ActionExecOnlyOnceEveryInterval 300
> $ActionExecOnlyEveryNthTimeTimeout 1200
> $ActionExecOnlyEveryNthTime 3
>
>
> - Julian
>
>
> On Sun, Mar 15, 2009 at 7:16 PM, <[email protected]> wrote:
> > On Sun, 15 Mar 2009, Julian Yap wrote:
> >
> >> I'm having trouble logging ALL the syslog messages received from a
> >> server. I'm not sure if it's because it's from a non-standard piece
> >> of hardware (ie. not a Linux server). Logging to another server
> >> running syslogd works fine (but syslogd doesn't allow me to log
> >> messages from a remote server to a separate file and it's not my
> >> central syslogd server).
> >>
> >> I've tried several lines but none seem to work for me:
> >> if $fromhost == 'server' then /var/log/remote/server/all
> >> if $source == 'server' then /var/log/remote/server/all
> >> :FROMHOST, isequal, "server" /var/log/remote/server/all
> >> if $fromhost == 'server.domain.com' then /var/log/remote/server/all
> >> if $fromhost-ip == '192.168.0.60' then /var/log/remote/server/all
> >
> > there are a few possible reasons that this could have problems
> >
> > is it that you have a high volume of logs and some just get dropped?
> >
> > if you just write everything to a file (*.* /var/log/test) does it have
> > all the logs from this server? or is it missing some?
> >
> > do the logs from this server sometimes include the host and sometimes not?
> >
> > what is different between the logs that you match and the ones that you
> > miss?
> >
> > David Lang
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
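
An added example, not part of the original thread and not rsyslog's own code: a small Python check that flags the situation Rainer's reply describes, where `$ActionExecOnly...` or `$ActionMail...` statements sit in one file and the action they are meant for sits on the other side of an `$IncludeConfig` boundary. The file names, the sample configs and the regular expression used to recognise an action line are assumptions made for the illustration.

```python
import re

# Heuristic (assumption): a line carries an action if it ends in a file path,
# a dynafile template (?name), an output module call (:omxxx:) or a forward (@host).
ACTION_TARGET = re.compile(r"(?:^|\s)(?:-?/\S+|\?\S+|:om\w+:\S*|@@?\S+)\s*$")
# Per-action statements seen in the thread; they modify the *next* action.
MODIFIER_PREFIXES = ("$actionexeconly", "$actionmail")


def find_dangling_directives(files):
    """files: {name: text}. Return [(name, lineno, directive)] for each modifier
    that reaches an $IncludeConfig or end of file before any action follows it."""
    findings = []
    for name, text in files.items():
        pending = []
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            lowered = line.lower()
            if lowered.startswith(MODIFIER_PREFIXES):
                pending.append((name, lineno, line.split()[0]))
            elif lowered.startswith("$includeconfig"):
                findings.extend(pending)  # would apply to an action in the include
                pending.clear()
            elif not line.startswith("$") and ACTION_TARGET.search(line):
                pending.clear()  # consumed by an action in the same file
        findings.extend(pending)  # would apply to whatever is parsed next
    return findings


# Constructed sample configs (not from the thread), keyed by file name.
SAMPLE = {
    "rsyslog.conf": (
        "$ActionExecOnlyOnceEveryInterval 300\n"
        "$IncludeConfig /etc/rsyslog.d/\n"
        ':FROMHOST, isequal, "server" /var/log/remote/server/all\n'
    ),
    "alert.conf": (
        "$ModLoad ommail\n"
        "$ActionMailTo server2_alert\n"
        "$ActionExecOnlyEveryNthTime 3\n"
        "if $hostname == 'server2.domain.com' and $msg contains 'Some message'\n"
        "then :ommail:;mailBodyTestAlert\n"
    ),
    "split.conf": "$ActionExecOnlyEveryNthTimeTimeout 1200\n",
}

if __name__ == "__main__":
    for name, lineno, directive in find_dangling_directives(SAMPLE):
        print(f"{name}:{lineno}: {directive} has no action after it in this file")
```
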

