Ok, this says that fromhost-ip is not being set in your case. I think I ran into a similar problem before, are you starting with -x to disable name lookups?
try changing from fromhost-ip to fromhost David Lang On Mon, 18 Jan 2010, Ralph Crongeyer wrote: > This ma be of help: > > 0928.085091536:imrelp.c: Message has legacy syslog format. > 0928.085124502:imrelp.c: main queue: entry added, size now 1 entries > 0928.085150205:imrelp.c: wtpAdviseMaxWorkers signals busy > 0928.085355268:main queue:Reg/w0: main queue: entry deleted, state 0, > size now 0 entries > 0928.085416731:main queue:Reg/w0: result of expression evaluation: 0 > 0928.085443830:main queue:Reg/w0: Filter: check for property > 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE > 0928.085582122:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, > waiting for work. > 0928.085693593:imrelp.c: main queue: EnqueueMsg advised worker start > 0928.085812887:imrelp.c: tcpSend returns 17 > 0928.085841383:imrelp.c: in destructor: sendbuf 0x9bc9228 > 0928.086029125:imrelp.c: relp engine is dispatching frame with command > 'syslog' > 0928.086053430:imrelp.c: in 'syslog' command handler > 0928.086100366:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg > 2010-01-18T16:41:14.104596-05:00 spoonie postfix/smtpd[7528]: lost > connection after RCPT from 81-64-60-151.rev.numericable.fr[81.64.60.151] > 0928.086124392:imrelp.c: Message has legacy syslog format. > 0928.086157638:imrelp.c: main queue: entry added, size now 1 entries > 0928.086202059:imrelp.c: wtpAdviseMaxWorkers signals busy > 0928.086419414:main queue:Reg/w0: main queue: entry deleted, state 0, > size now 0 entries > 0928.086486185:main queue:Reg/w0: result of expression evaluation: 0 > 0928.086514402:main queue:Reg/w0: Filter: check for property > 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE > 0928.086771149:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, > waiting for work. > 0928.086895193:imrelp.c: main queue: EnqueueMsg advised worker start > 0928.087044659:imrelp.c: tcpSend returns 17 > 0928.087074832:imrelp.c: in destructor: sendbuf 0x9bc9e10 > 0928.087110313:imrelp.c: relp engine is dispatching frame with command > 'syslog' > 0928.087131545:imrelp.c: in 'syslog' command handler > 0928.087176805:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg > 2010-01-18T16:41:14.104922-05:00 spoonie postfix/smtpd[7528]: disconnect > from 81-64-60-151.rev.numericable.fr[81.64.60.151] > 0928.087200552:imrelp.c: Message has legacy syslog format. > 0928.087232959:imrelp.c: main queue: entry added, size now 1 entries > 0928.087286600:imrelp.c: wtpAdviseMaxWorkers signals busy > 0928.087482163:main queue:Reg/w0: main queue: entry deleted, state 0, > size now 0 entries > 0928.087581622:main queue:Reg/w0: result of expression evaluation: 0 > 0928.087609280:main queue:Reg/w0: Filter: check for property > 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE > 0928.087783052:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, > waiting for work. > 0928.087897597:imrelp.c: main queue: EnqueueMsg advised worker start > 0928.088020802:imrelp.c: tcpSend returns 17 > 0928.088049857:imrelp.c: in destructor: sendbuf 0x9bc9d58 > 0928.088078912:imrelp.c: relpSendqIsEmpty() returns 1 > 0928.088099586:imrelp.c: ***<librelp> calling select, active file > descriptors (max 23): 6 7 23 > 0988.087889021:main queue:Reg/w0: main queue:Reg/w0: inactivity timeout, > worker terminating... > 0988.088192704:main queue:Reg/w0: main queue:Reg/w0: receiving command 1 > 0988.088222318:main queue:Reg/w0: main queue:Reg/w0: worker terminating > 0988.088247741:main queue:Reg/w0: main queue:Reg: Worker thread 9bb5a08, > terminated, num workers now 0 > 0988.088339377:main queue:Reg/w0: destructor for debug call stack > 0x9bd1260 called > > > Ralph Crongeyer wrote: >> Here's the debug output when configured with single quotes. >> I'm sending this off the list to Rainer. >> David, let me know if you want this also. >> >> Thanks guys, >> Ralph >> >> Rainer Gerhards wrote: >> >>>> -----Original Message----- >>>> From: [email protected] >>>> [mailto:[email protected]] On Behalf Of [email protected] >>>> Sent: Monday, January 18, 2010 10:02 PM >>>> To: rsyslog-users >>>> Subject: Re: [rsyslog] fromhost-ip >>>> >>>> On Mon, 18 Jan 2010, Rainer Gerhards wrote: >>>> >>>> >>>> >>>>> David, >>>>> >>>>> Single quotes are right in the scripting engine (double >>>>> >>>>> >>>> quotes are reserved >>>> >>>> >>>>> for future use - they shall provide the capability to >>>>> >>>>> >>>> extend macros, e.g. >>>> >>>> >>>>> $A="BC" => '$A' is the string "$A", while "$A" is supposed >>>>> >>>>> >>>> to be the string >>>> >>>> >>>>> "BC"). >>>>> >>>>> >>>> that is the normal behavior of single vs double quotes, but in such >>>> situations it's normal for 'ABC' and "ABC" to be equivalent, >>>> it's only >>>> when you have variables involved that there would be a difference. >>>> >>>> >>> Jup, that's right - but double quotes are not yet implemented ;) >>> >>> Rainer >>> >>> >>>> David Lang >>>> >>>> >>>> >>>>> I don't have an idea what may be wrong, but running rsyslog >>>>> >>>>> >>>> in debug mode >>>> >>>> >>>>> will most probably pinpoint it. >>>>> >>>>> Rainer >>>>> >>>>> >>>>> >>>>>> -----Original Message----- >>>>>> From: [email protected] >>>>>> [mailto:[email protected]] On Behalf Of >>>>>> >>>>>> >>>> [email protected] >>>> >>>> >>>>>> Sent: Monday, January 18, 2010 9:57 PM >>>>>> To: rsyslog-users >>>>>> Subject: Re: [rsyslog] fromhost-ip >>>>>> >>>>>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote: >>>>>> >>>>>> >>>>>> >>>>>>> When I switched to double quotes I get the error in >>>>>>> >>>>>>> >>>>>> /var/log/syslog and >>>>>> >>>>>> >>>>>>> no logs are collected? >>>>>>> >>>>>>> >>>>>> what was the error you got this time? >>>>>> >>>>>> David Lang >>>>>> >>>>>> _______________________________________________ >>>>>> rsyslog mailing list >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>>> http://www.rsyslog.com >>>>>> >>>>>> >>>>>> >>>>> _______________________________________________ >>>>> rsyslog mailing list >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>>> http://www.rsyslog.com >>>>> >>>>> >>>>> >>>> _______________________________________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>>> http://www.rsyslog.com >>>> >>>> >>>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com >>> >>> >> >> >> > > > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
