David, I now checked
> -----Original Message-----
> From: [email protected] [mailto:rsyslog- [email protected]] On Behalf Of [email protected]
> Sent: Saturday, July 24, 2010 6:57 AM
> To: rsyslog-users
> Subject: [rsyslog] mark messages
>
> I have a server sending me bad data, so I implemented the following rule
> to trap log messages where the hostname isn't an IP address or name
>
> :hostname, regex, "[a-zA-Z\.]" /file
> & ~
> *.* /file2;fixformat
>
> unfortunately it turns out that this also traps mark messages.
>
> the %rawmsg%

This is a special case where %rawmsg% does not contain everything. Internal messages generate the necessary in-memory structure, but do not try to emulate %rawmsg% in all its glory (but it may be worth thinking about that).

HOWEVER, fromhost and fromhost-ip are properly populated. So the filter should work, assuming that the hostname actually matches the regex. I suggest that you use the canned RSYSLOG_DebugFormat template so that we can see what exactly is stored in your in-memory message representation.

Rainer

> for mark is just "-- MARK --" and apparently hostname is not
> populated (fromhost-ip is 127.0.0.1)
>
> I do have -x on the rsyslog command line, so it is not doing DNS
> resolution, but it should come up with either the local hostname or
> 127.0.0.1 as the hostname for locally generated messages. Either one of
> these would match my regex as being a 'normal' message
>
> This box is currently running 5.5.3
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
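The diagnostic suggested in the reply above, written out as an added example that is not part of the original thread: a temporary rule that dumps the mark messages through the built-in RSYSLOG_DebugFormat template, followed by the filter chain from the question. The debug file path is a placeholder, and matching on %rawmsg% relies on the value reported in the question ("-- MARK --").

```conf
# Added example in legacy rsyslog.conf syntax (the syntax used in the thread).
# /var/log/rsyslog-mark-debug.log is a placeholder path, not from the thread.

# 1) Temporary diagnostic rule: write every mark message with the built-in
#    RSYSLOG_DebugFormat template, which lists the message properties
#    (hostname, fromhost, fromhost-ip, rawmsg, msg, ...) one per line.
#    It is placed first so it sees the message before any later rule acts on it.
:rawmsg, contains, "-- MARK --"    /var/log/rsyslog-mark-debug.log;RSYSLOG_DebugFormat

# 2) Filter chain from the original post, unchanged.
#    Messages whose hostname matches the regex go to /file and are discarded;
#    everything else falls through to /file2 with the fixformat template.
:hostname, regex, "[a-zA-Z\.]"     /file
& ~
*.* /file2;fixformat
```

Comparing the HOSTNAME, FROMHOST and fromhost-ip lines in the debug output for a mark message shows which property is actually empty, and therefore which one the filter can safely test.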

