I have a server sending me bad data, so I implemented the following rule to trap log messages where the hostname isn't an IP address or name:

:hostname, regex, "[a-zA-Z\.]" /file
& ~
*.* /file2;fixformat

Unfortunately it turns out that this also traps mark messages. The %rawmsg% for mark is just "-- MARK --" and apparently hostname is not populated (fromhost-ip is 127.0.0.1).

I do have -x on the rsyslog command line, so it is not doing DNS resolution, but it should come up with either the local hostname or 127.0.0.1 as the hostname for locally generated messages. Either one of these would match my regex as being a 'normal' message.

This box is currently running 5.5.3

David Lang

