> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Ralph 
> Crongeyer
> Sent: Monday, January 18, 2010 4:37 PM
> To: Philip M. Gollucci
> Cc: rsyslog-users
> Subject: Re: [rsyslog] fromhost-ip
> 
> Hi Philip,
> Thanks for the response.
> The %HOSTNAME% part works fine here if I do this:
> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
> *.*    -?DynFwall

Philip suggested the right thing.
> 
> However if I try to filter by IP using the "fromhost-ip" like this:
> *.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall

The issue is that the config is wrong. "*.*" and ":fromhost..." are both
filters. There can only be one filter in front of an action. As *.* means
all messages, I assume you actually wanted to do this:

:fromhost-ip,isequal,"192.168.1.1"    -?DynFwall

Which filters all messages based on fromhost-ip.

The config format is clumsy. I am currently talking with some folks at
Adiscon, and we will probably create a cookbook-type doc that provides
samples for some common scenarios. I guess that would be useful. Any feedback
on that effort would be welcome.

Rainer

> 
> It fails to capture logs in the DynFwall template file.
> 
> I've tried to do this with the "fromhost" and the "fromhost-ip" and 
> neither seem to work?
> 
> I want to have it so that a specific host IP uses a specific template.
> 
> It looks like the fromhost and the fromhost-ip aren't working 
> at all? Or 
> my config is wrong.
> 
> Does anyone on the list have "fromhost-ip" working?
> 
> Thanks,
> Ralph
> 
> Philip M. Gollucci wrote:
> > On 1/17/2010 5:50 PM, Ralph Crongeyer wrote:
> >   
> >> # Firewall logs #
> >> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
> >> *.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
> >>
> >> But I'm just getting this error in /var/log/syslog:
> >>
> >> Jan 17 16:49:47 log rsyslogd: [origin software="rsyslogd" 
> >> swVersion="4.4.2" x-pid="12540" 
> x-info="http://www.rsyslog.com";] (re)start
> >> Jan 17 16:49:47 log rsyslogd: the last error occured in 
> >> /etc/rsyslog.d/remote-logs.conf, line 10
> >> Jan 17 16:49:47 log rsyslogd: warning: selector line 
> without actions 
> >> will be discarded
> >> Jan 17 16:49:47 log rsyslogd: the last error occured in 
> >> /etc/rsyslog.conf, line 48
> >> Jan 17 16:49:47 log rsyslogd-2124: CONFIG ERROR: could not 
> interpret 
> >> master config file '/etc/rsyslog.conf'. [try 
> http://www.rsyslog.com/e/2124 ]
> >>
> >> I'm trying to log all logs from my IPCop host to 
> >> "/var/log/server-logs/firewall/%HOSTNAME%.log" .
> >>     
> >
> > I tried for 1.5 days to figure this out cutting and pasting examples
> > left and right.  Finally I came up with the following which 
> works well
> > for me, you should be able to tweak it slightly for yourself.
> >
> >
> > $template by_prog,"/var/log/rws/%programname%.log"
> >
> > :programname, regex, "^pxy.*rc\."  ?by_prog
> > & :omrelp:cl.dca1.rws:2514
> > & ~
> >
> > Just sub out %programname% for %HOSTNAME%
> >
> >
> >
> >   
> 
> 
> -- 
> Reminds me of my expedition into the wilds of Afghanistan. We 
> lost our 
> corkscrew and were compelled to live on food and water for 
> several days. - 
> WC Fields
> 
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
> 
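
Added example (not part of the original thread and not rsyslog's own code): a small Python check for the mistake discussed above, a legacy-format rule line that puts both a selector and a property-based filter in front of one action. The regexes are simplified assumptions that cover only those two filter kinds, and the sample config is constructed from lines quoted in the thread.

```python
import re

# Legacy selector token, e.g. "*.*", "mail.info", "auth,authpriv.*;kern.none"
SELECTOR = re.compile(r'^[\w*,]+\.[\w*!=]+(;[\w*,]+\.[\w*!=]+)*$')
# Start of a property-based filter, e.g. ':fromhost-ip,isequal,...'
# (an action such as ':omrelp:host:port' has no comma after the name)
PROPERTY = re.compile(r'^:[\w$-]+\s*,')
# Whole property-based filter up to and including its quoted value
PROPERTY_FULL = re.compile(r'^:[^"]*"(?:[^"\\]|\\.)*"\s*')

SAMPLE = r'''# Firewall logs (constructed sample, lines taken from the thread)
$template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
*.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
:fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
*.*    -?DynFwall
:programname, regex, "^pxy.*rc\."  ?by_prog
& ~
'''

def filters_before_action(line):
    """Return the kinds of filters that precede the action on one rule line."""
    kinds, rest = [], line.strip()
    while rest:
        token = rest.split(None, 1)[0]
        if SELECTOR.match(token):
            kinds.append("selector")
            rest = rest[len(token):].lstrip()
        elif PROPERTY.match(rest):
            kinds.append("property")
            whole = PROPERTY_FULL.match(rest)
            if not whole:
                break  # unterminated quoted value, stop parsing this line
            rest = rest[whole.end():]
        else:
            break  # reached the action
    return kinds

def lint(config_text):
    """Return (line number, filter kinds) for lines with more than one filter."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        # Skip blanks, comments, $directives and chained '&' actions
        if not stripped or stripped[0] in "#$&":
            continue
        kinds = filters_before_action(stripped)
        if len(kinds) > 1:
            findings.append((number, kinds))
    return findings

if __name__ == "__main__":
    for number, kinds in lint(SAMPLE):
        print(f"line {number}: {' + '.join(kinds)} filters before one action")
```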