On Mon, 18 Jan 2010, Ralph Crongeyer wrote:

> Thanks David,
> Ok so now I'm trying this:
>
> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
> if $fromhost-ip == '192.168.1.1' and $syslogfacility-text == 'mail' then
> ?DynMail

you can't use single quotes, you must use double quotes (apparently the 
config language uses single quotes for something else, I don't know what)

I've tripped over this several times now.

David Lang

> After a restart of rsyslog there are no errors in /var/log/syslog
> however no logs are being collected?
>
> Thanks for your help with this David.
>
> Ralph
>
> [email protected] wrote:
>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>>
>>> Ok one more question.
>>> I have:
>>> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
>>> mail.*  -?DynMail
>>>
>>> Which logs all mail to the %HOSTNAME%.mail.log.
>>>
>>> My guess would be:
>>> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
>>> mail.*  :fromhost-ip,isequal,"192.168.1.1" -?DynMail
>>>
>>> But as Rainer explained these are both filters which won't work.
>>>
>>> So how do I use "fromhost-ip" to send only "mail.*" logs from a
>>> specified host IP to the "DynMail" template?
>>>
>>
>> you need to use the more powerful/complex
>>
>> if ((condition) and (condition)) action
>>
>> line format
>>
>> David Lang
>>
>>> Thanks,
>>> Ralph
>>>
>>> Ralph Crongeyer wrote:
>>>
>>>> Oh,
>>>> I tried that but I had it on the same line. So that has to be on a
>>>> separate line?
>>>>
>>>> Thanks again for the explanation that really helps me understand how
>>>> it's working.
>>>>
>>>> Thanks again for all your help with this.
>>>>
>>>> Ralph
>>>>
>>>> [email protected] wrote:
>>>>
>>>>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>>>>>
>>>>>> Hi Rainer,
>>>>>> Thanks for the explanation, that helps me understand how it's working.
>>>>>>
>>>>>> That works, the logs are going to the correct file, however they are
>>>>>> also being sent to /var/log/syslog? How can I make all the logs from my
>>>>>> host "192.168.1.1" go only to the "-?DynFwall" template file?
>>>>>>
>>>>> after you tell rsyslog to put the logs in that file, you then need to tell
>>>>> rsyslog to throw the log away.
>>>>>
>>>>> so you would do something like
>>>>>
>>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>> & ~
>>>>>
>>>>> which is logically the same as
>>>>>
>>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>> :fromhost-ip,isequal,"192.168.1.1"    ~
>>>>>
>>>>> David Lang
>>>>>
>>>>>> I would like to give feedback on the cookbook let me know how I can help.
>>>>>>
>>>>>> Thanks all, for your help with this.
>>>>>> Ralph
>>>>>>
>>>>>> Rainer Gerhards wrote:
>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: [email protected]
>>>>>>>> [mailto:[email protected]] On Behalf Of Ralph
>>>>>>>> Crongeyer
>>>>>>>> Sent: Monday, January 18, 2010 4:37 PM
>>>>>>>> To: Philip M. Gollucci
>>>>>>>> Cc: rsyslog-users
>>>>>>>> Subject: Re: [rsyslog] fromhost-ip
>>>>>>>>
>>>>>>>> Hi Phillip,
>>>>>>>> Thanks for the response.
>>>>>>>> The %HOSTNAME% part works fine here if I do this:
>>>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>>>> *.*    -?DynFwall
>>>>>>>>
>>>>>>> Phillip suggested the right thing.
>>>>>>>
>>>>>>>> However if I try to filter by IP using the "fromhost-ip" like this:
>>>>>>>> *.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>>>>
>>>>>>> The issue is that the config is wrong. "*.*" and ":fromhost..." are both
>>>>>>> filters. There can only be one filter in front of an action. As *.* means
>>>>>>> all messages, I assume you actually wanted to do this:
>>>>>>>
>>>>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>>>
>>>>>>> Which filters all messages based on fromhost-ip.
>>>>>>>
>>>>>>> The config format is clumsy. I am currently talking with some folks at
>>>>>>> Adiscon, and we will probably create a cookbook-type doc that provides
>>>>>>> samples for some common scenarios. I guess that would be useful. Any
>>>>>>> feedback on that effort would be welcome.
>>>>>>>
>>>>>>> Rainer
>>>>>>>
>>>>>>>> It fails to capture logs in the DynFwall template file.
>>>>>>>>
>>>>>>>> I've tried to do this with the "fromhost" and the "fromhost-ip" and
>>>>>>>> neither seem to work?
>>>>>>>>
>>>>>>>> I want to have it so that a specific host IP uses a specific template.
>>>>>>>>
>>>>>>>> It looks like the fromhost and the fromhost-ip aren't working at all? Or
>>>>>>>> my config is wrong.
>>>>>>>>
>>>>>>>> Does anyone on the list have "fromhost-ip" working?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Ralph
>>>>>>>>
>>>>>>>> Philip M. Gollucci wrote:
>>>>>>>>
>>>>>>>>> On 1/17/2010 5:50 PM, Ralph Crongeyer wrote:
>>>>>>>>>
>>>>>>>>>> # Firewall logs #
>>>>>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>>>>>> *.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
>>>>>>>>>>
>>>>>>>>>> But I'm just getting this error in /var/log/syslog:
>>>>>>>>>>
>>>>>>>>>> Jan 17 16:49:47 log rsyslogd: [origin software="rsyslogd"
>>>>>>>>>> swVersion="4.4.2" x-pid="12540"
>>>>>>>>>> x-info="http://www.rsyslog.com"] (re)start
>>>>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in
>>>>>>>>>> /etc/rsyslog.d/remote-logs.conf, line 10
>>>>>>>>>> Jan 17 16:49:47 log rsyslogd: warning: selector line without actions
>>>>>>>>>> will be discarded
>>>>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in
>>>>>>>>>> /etc/rsyslog.conf, line 48
>>>>>>>>>> Jan 17 16:49:47 log rsyslogd-2124: CONFIG ERROR: could not interpret
>>>>>>>>>> master config file '/etc/rsyslog.conf'. [try
>>>>>>>>>> http://www.rsyslog.com/e/2124 ]
>>>>>>>>>>
>>>>>>>>>> I'm trying to log all logs from my IPCop host to
>>>>>>>>>> "/var/log/server-logs/firewall/%HOSTNAME%.log" .
>>>>>>>>>>
>>>>>>>>> I tried for 1.5 days to figure this out cutting and pasting examples
>>>>>>>>> left and right.  Finally I came up with the following which works well
>>>>>>>>> for me, you should be able to tweak it slightly for yourself.
>>>>>>>>>
>>>>>>>>> $template by_prog,"/var/log/rws/%programname%.log"
>>>>>>>>>
>>>>>>>>> :programname, regex, "^pxy.*rc\."  ?by_prog
>>>>>>>>> & :omrelp:cl.dca1.rws:2514
>>>>>>>>> & ~
>>>>>>>>>
>>>>>>>>> Just sub out %programname% for %HOSTNAME%
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Reminds me of my expedition into the wilds of Afghanistan. We lost our
>>>>>>>> corkscrew and were compelled to live on food and water for several
>>>>>>>> days. - WC Fields
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> rsyslog mailing list
>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>> http://www.rsyslog.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
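
The filters discussed in this thread, put together as an added example (it was not posted by anyone on the list). It assumes the legacy rsyslog 4.x syntax used above, double-quoted string literals as David Lang advises, and that this file is read before the default rule that writes to /var/log/syslog.

```conf
# Added example for the thread above; not posted by any list member.
# Assumption: legacy (rsyslog 4.x) directive syntax as used in this thread.

# One file per sending host, named from the %HOSTNAME% property.
$template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
$template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"

# Two conditions need an expression filter: a selector (mail.*) and a
# property filter (:fromhost-ip,...) cannot both sit in front of one action.
# String literals use double quotes, following the advice in the thread.
if $fromhost-ip == "192.168.1.1" and $syslogfacility-text == "mail" then ?DynMail
# "&" attaches another action to the same filter; "~" discards the message,
# so later rules (for example the one writing /var/log/syslog) never see it.
& ~

# Everything else from that host: one condition, so a property filter is enough.
:fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
& ~
```

Rule order matters: the discard only affects rules that come after it, so the mail rule must precede the catch-all for the same host. rsyslog 7 and later deprecate `~` in favor of `stop`.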
