Rainer,

Would you recommend against using $includeConfig?  In that case, it
tends to lead to more unknown config issues.

- Julian

On Sun, Mar 15, 2009 at 10:52 PM, Rainer Gerhards
<[email protected]> wrote:
> The issue is that these statements
>
> $ActionExecOnlyOnceEveryInterval 300
> $ActionExecOnlyEveryNthTimeTimeout 1200
> $ActionExecOnlyEveryNthTime 3
>
> Modify the *next* action. So you need to specify them in front of the action.
> If you use the $includeConfig option, and have part of the action inside the
> include file and other parts (the statements) outside (or vice versa), you
> never know which action gets configured how. So place all of them together.
>
> HTH
> Rainer
>
>> -----Original Message-----
>> From: [email protected] [mailto:rsyslog-
>> [email protected]] On Behalf Of Julian Yap
>> Sent: Monday, March 16, 2009 9:15 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Logging all messages from a remote server
>>
>> OK, I narrowed the issues down.  Now I've faced strange issues like
>> this before when using the $IncludeConfig directive.
>>
>> This is what I have just tested with in my /etc/rsyslog.conf file (and
>> other lines) and it worked fine:
>> ----
>> $IncludeConfig /etc/rsyslog.d/
>> :FROMHOST, isequal, "server"             /var/log/remote/server/all
>> ----
>>
>> Now if I have a file /etc/rsyslog.d/testalert_for_another_server,
>> things turn strange and only certain messages are logged from the
>> first server:
>> ----
>> $ModLoad ommail
>>
>> $ActionFileDefaultTemplate      RSYSLOG_TraditionalFileFormat
>>
>> $template DYNserver2, "/var/log/remote/server2.log"
>> $template TraditionalFormatNoHostname,"%timegenerated% %syslogtag%%msg:::drop-last-lf%\n"
>>
>> if $hostname == 'server2.domain.com' then ?DYNserver2;TraditionalFormatNoHostname
>>
>> $ActionMailFrom [email protected]
>> $ActionMailTo server2_alert
>> $template mailSubjectTestAlert,"INFO: Alert detected"
>> $template mailBodyTestAlert,"Message is..."
>> $ActionMailSubject mailSubjectTestAlert
>> $ActionExecOnlyOnceEveryInterval 300
>> $ActionExecOnlyEveryNthTimeTimeout 1200
>> $ActionExecOnlyEveryNthTime 3
>>
>> if $hostname == 'server2.domain.com' and $msg contains 'Some message' then :ommail:;mailBodyTestAlert
>> ----
>>
>> Now if I add the contents of
>> /etc/rsyslog.d/testalert_for_another_server to /etc/rsyslog.conf (and
>> remove file /etc/rsyslog.d/testalert_for_another_server) then things
>> work fine...
>>
>> Now if I remove the previous changes to /etc/rsyslog.conf and modify
>> /etc/rsyslog.d/testalert_for_another_server and remove the following
>> lines then things work OK again:
>> $ActionExecOnlyOnceEveryInterval 300
>> $ActionExecOnlyEveryNthTimeTimeout 1200
>> $ActionExecOnlyEveryNthTime 3
>>
>>
>> - Julian
>>
>>
>> On Sun, Mar 15, 2009 at 7:16 PM,  <[email protected]> wrote:
>> > On Sun, 15 Mar 2009, Julian Yap wrote:
>> >
>> >> I'm having trouble logging ALL the syslog messages received from a
>> >> server.  I'm not sure if it's because it's from a non-standard piece
>> >> of hardware (i.e. not a Linux server).  Logging to another server
>> >> running syslogd works fine (but syslogd doesn't allow me to log
>> >> messages from a remote server to a separate file and it's not my
>> >> central syslogd server).
>> >>
>> >> I've tried several lines but none seem to work for me:
>> >> if $fromhost == 'server' then /var/log/remote/server/all
>> >> if $source == 'server' then /var/log/remote/server/all
>> >> :FROMHOST, isequal, "server" /var/log/remote/server/all
>> >> if $fromhost == 'server.domain.com' then /var/log/remote/server/all
>> >> if $fromhost-ip == '192.168.0.60' then /var/log/remote/server/all
>> >
>> > there are a few possible reasons that this could have problems
>> >
>> > is it that you have a high volume of logs and some just get dropped?
>> >
>> > if you just write everything to a file (*.* /var/log/test) does it have
>> > all the logs from this server? or is it missing some?
>> >
>> > do the logs from this server sometimes include the host and sometimes not?
>> >
>> > what is different between the logs that you match and the ones that you
>> > miss?
>> >
>> > David Lang
>> > _______________________________________________
>> > rsyslog mailing list
>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com
>> >
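A check for the placement rule in the quoted reply (keep the `$ActionExecOnly...` statements in front of their action and in the same file), as an added example that is not part of the thread or of rsyslog itself. The function name `split_directives`, the sample file contents, and the rule-detection heuristic are assumptions made for illustration.

```python
import re

# Directives named in the thread as modifying the *next* action.
# Matched case-insensitively (the thread itself writes both
# $includeConfig and $IncludeConfig).
NEXT_ACTION = re.compile(r"^\$ActionExecOnly\w*", re.I)
INCLUDE = re.compile(r"^\$IncludeConfig\b", re.I)


def split_directives(files):
    """Return (file, line_no, directive, reason) for every next-action
    directive whose action is not the next rule in the same file.

    Heuristic (assumption): any non-blank, non-comment line that does
    not start with '$' is treated as a rule carrying an action.
    """
    findings = []
    for name, text in files.items():
        pending = []  # directives seen but not yet consumed by an action
        for no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = NEXT_ACTION.match(line)
            if m:
                pending.append((no, m.group(0)))
            elif INCLUDE.match(line):
                findings += [(name, n, d, "before $IncludeConfig") for n, d in pending]
                pending = []
            elif not line.startswith("$"):
                pending = []  # an action follows in this file: fine
        findings += [(name, n, d, "no action before end of file") for n, d in pending]
    return findings


# Constructed sample input, not the poster's real files.
SAMPLE = {
    "rsyslog.conf": "$ActionExecOnlyEveryNthTime 3\n"
                    "$IncludeConfig /etc/rsyslog.d/\n"
                    "*.* /var/log/all\n",
    "rsyslog.d/alert": "$ModLoad ommail\n"
                       "$ActionExecOnlyOnceEveryInterval 300\n"
                       "if $msg contains 'Some message' then :ommail:;mailBodyTestAlert\n"
                       "$ActionExecOnlyEveryNthTimeTimeout 1200\n",
}

if __name__ == "__main__":
    for finding in split_directives(SAMPLE):
        print(*finding, sep=": ")
```

Each finding marks a statement whose target action lies on the other side of an include boundary, which is the situation the reply says leaves it unclear which action gets configured.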