No, I'm starting with -c4. I'll give it a try but ultimately I need to filter in IP.
I'll try it when I get back from dinner...... Thanks again for your help with this, guys.

[email protected] wrote:
> Ok, this says that fromhost-ip is not being set in your case.
>
> I think I ran into a similar problem before, are you starting with -x to
> disable name lookups?
>
> try changing from fromhost-ip to fromhost
>
> David Lang
>
> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>
>> This may be of help:
>>
>> 0928.085091536:imrelp.c: Message has legacy syslog format.
>> 0928.085124502:imrelp.c: main queue: entry added, size now 1 entries
>> 0928.085150205:imrelp.c: wtpAdviseMaxWorkers signals busy
>> 0928.085355268:main queue:Reg/w0: main queue: entry deleted, state 0,
>> size now 0 entries
>> 0928.085416731:main queue:Reg/w0: result of expression evaluation: 0
>> 0928.085443830:main queue:Reg/w0: Filter: check for property
>> 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE
>> 0928.085582122:main queue:Reg/w0: main queue:Reg/w0: worker IDLE,
>> waiting for work.
>> 0928.085693593:imrelp.c: main queue: EnqueueMsg advised worker start
>> 0928.085812887:imrelp.c: tcpSend returns 17
>> 0928.085841383:imrelp.c: in destructor: sendbuf 0x9bc9228
>> 0928.086029125:imrelp.c: relp engine is dispatching frame with command
>> 'syslog'
>> 0928.086053430:imrelp.c: in 'syslog' command handler
>> 0928.086100366:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg
>> 2010-01-18T16:41:14.104596-05:00 spoonie postfix/smtpd[7528]: lost
>> connection after RCPT from 81-64-60-151.rev.numericable.fr[81.64.60.151]
>> 0928.086124392:imrelp.c: Message has legacy syslog format.
>> 0928.086157638:imrelp.c: main queue: entry added, size now 1 entries
>> 0928.086202059:imrelp.c: wtpAdviseMaxWorkers signals busy
>> 0928.086419414:main queue:Reg/w0: main queue: entry deleted, state 0,
>> size now 0 entries
>> 0928.086486185:main queue:Reg/w0: result of expression evaluation: 0
>> 0928.086514402:main queue:Reg/w0: Filter: check for property
>> 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE
>> 0928.086771149:main queue:Reg/w0: main queue:Reg/w0: worker IDLE,
>> waiting for work.
>> 0928.086895193:imrelp.c: main queue: EnqueueMsg advised worker start
>> 0928.087044659:imrelp.c: tcpSend returns 17
>> 0928.087074832:imrelp.c: in destructor: sendbuf 0x9bc9e10
>> 0928.087110313:imrelp.c: relp engine is dispatching frame with command
>> 'syslog'
>> 0928.087131545:imrelp.c: in 'syslog' command handler
>> 0928.087176805:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg
>> 2010-01-18T16:41:14.104922-05:00 spoonie postfix/smtpd[7528]: disconnect
>> from 81-64-60-151.rev.numericable.fr[81.64.60.151]
>> 0928.087200552:imrelp.c: Message has legacy syslog format.
>> 0928.087232959:imrelp.c: main queue: entry added, size now 1 entries
>> 0928.087286600:imrelp.c: wtpAdviseMaxWorkers signals busy
>> 0928.087482163:main queue:Reg/w0: main queue: entry deleted, state 0,
>> size now 0 entries
>> 0928.087581622:main queue:Reg/w0: result of expression evaluation: 0
>> 0928.087609280:main queue:Reg/w0: Filter: check for property
>> 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE
>> 0928.087783052:main queue:Reg/w0: main queue:Reg/w0: worker IDLE,
>> waiting for work.
>> 0928.087897597:imrelp.c: main queue: EnqueueMsg advised worker start
>> 0928.088020802:imrelp.c: tcpSend returns 17
>> 0928.088049857:imrelp.c: in destructor: sendbuf 0x9bc9d58
>> 0928.088078912:imrelp.c: relpSendqIsEmpty() returns 1
>> 0928.088099586:imrelp.c: ***<librelp> calling select, active file
>> descriptors (max 23): 6 7 23
>> 0988.087889021:main queue:Reg/w0: main queue:Reg/w0: inactivity timeout,
>> worker terminating...
>> 0988.088192704:main queue:Reg/w0: main queue:Reg/w0: receiving command 1
>> 0988.088222318:main queue:Reg/w0: main queue:Reg/w0: worker terminating
>> 0988.088247741:main queue:Reg/w0: main queue:Reg: Worker thread 9bb5a08,
>> terminated, num workers now 0
>> 0988.088339377:main queue:Reg/w0: destructor for debug call stack
>> 0x9bd1260 called
>>
>> Ralph Crongeyer wrote:
>>
>>> Here's the debug output when configured with single quotes.
>>> I'm sending this off the list to Rainer.
>>> David, let me know if you want this also.
>>>
>>> Thanks guys,
>>> Ralph
>>>
>>> Rainer Gerhards wrote:
>>>
>>>>> -----Original Message-----
>>>>> From: [email protected]
>>>>> [mailto:[email protected]] On Behalf Of [email protected]
>>>>> Sent: Monday, January 18, 2010 10:02 PM
>>>>> To: rsyslog-users
>>>>> Subject: Re: [rsyslog] fromhost-ip
>>>>>
>>>>> On Mon, 18 Jan 2010, Rainer Gerhards wrote:
>>>>>
>>>>>> David,
>>>>>>
>>>>>> Single quotes are right in the scripting engine (double quotes are reserved
>>>>>> for future use - they shall provide the capability to extend macros, e.g.
>>>>>> $A="BC" => '$A' is the string "$A", while "$A" is supposed to be the string
>>>>>> "BC").
>>>>>>
>>>>> that is the normal behavior of single vs double quotes, but in such
>>>>> situations it's normal for 'ABC' and "ABC" to be equivalent, it's only
>>>>> when you have variables involved that there would be a difference.
>>>>>
>>>> Jup, that's right - but double quotes are not yet implemented ;)
>>>>
>>>> Rainer
>>>>
>>>>> David Lang
>>>>>
>>>>>> I don't have an idea what may be wrong, but running rsyslog in debug mode
>>>>>> will most probably pinpoint it.
>>>>>>
>>>>>> Rainer
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: [email protected]
>>>>>>> [mailto:[email protected]] On Behalf Of [email protected]
>>>>>>> Sent: Monday, January 18, 2010 9:57 PM
>>>>>>> To: rsyslog-users
>>>>>>> Subject: Re: [rsyslog] fromhost-ip
>>>>>>>
>>>>>>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>>>>>>>
>>>>>>>> When I switched to double quotes I get the error in /var/log/syslog and
>>>>>>>> no logs are collected?
>>>>>>>>
>>>>>>> what was the error you got this time?
>>>>>>>
>>>>>>> David Lang
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> rsyslog mailing list
>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>> http://www.rsyslog.com

--
Reminds me of my expedition into the wilds of Afghanistan. We lost our
corkscrew and were compelled to live on food and water for several days.
- WC Fields
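
The reading of the debug output discussed in this thread, as an added example (not part of the original messages and not rsyslog code): a Python script that pulls the property-filter evaluations and the imrelp sender addresses out of rsyslog debug output, undoing mail quoting and line wrapping first. The function names and the shortened sample are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample: lines from the debug output quoted in the thread, with
# the mail client's wrapping undone and the syslog message text shortened.
SAMPLE = """\
0928.086100366:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg 2010-01-18T16:41:14.104596-05:00 spoonie postfix/smtpd[7528]: lost connection
0928.086486185:main queue:Reg/w0: result of expression evaluation: 0
0928.086514402:main queue:Reg/w0: Filter: check for property 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE
0928.087176805:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg 2010-01-18T16:41:14.104922-05:00 spoonie postfix/smtpd[7528]: disconnect
0928.087609280:main queue:Reg/w0: Filter: check for property 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE
"""

FILTER_RE = re.compile(
    r"Filter: check for property '(?P<prop>[^']+)' \(value '(?P<value>[^']*)'\) "
    r"(?P<op>\S+) '(?P<want>[^']*)': (?P<result>TRUE|FALSE)")
SENDER_RE = re.compile(r"logmsg: flags \d+, from '(?P<sender>[^']+)'")
STAMP_RE = re.compile(r"\d{4}\.\d{9}:")  # start of a debug record

def unwrap_quoted(text):
    """Strip '>' quote prefixes and rejoin records the mail client wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if STAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def analyze(text):
    """Summarise senders and property filters seen in rsyslog debug output."""
    senders, checks = Counter(), []
    for rec in unwrap_quoted(text):
        if (m := SENDER_RE.search(rec)):
            senders[m["sender"]] += 1
        if (m := FILTER_RE.search(rec)):
            checks.append(m.groupdict())
    findings = []
    for prop, want in sorted({(c["prop"], c["want"]) for c in checks}):
        seen = {c["value"] for c in checks if (c["prop"], c["want"]) == (prop, want)}
        if seen == {"[unset]"}:
            findings.append(f"{prop} is never set; the filter on '{want}' cannot match")
        if prop == "fromhost-ip" and senders and want not in senders:
            findings.append(f"no message came from '{want}'; senders: {sorted(senders)}")
    return {"senders": dict(senders), "checks": len(checks), "findings": findings}
```

Calling `analyze(SAMPLE)` returns the sender counts, the number of filter evaluations and the findings; the same function accepts the `>>`-quoted, wrapped form of the log as it appears in the mail.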

