I'm trying to apply the RSYSLOG_TraditionalFileFormat as the default
template using the $ActionFileDefaultTemplate directive in v6.1.3. It
doesn't appear to work. I get RSYSLOG_FileFormat style logs that show
up in all of my log files like this:

2011-02-07T12:08:05-05:00 fwp %ASA-6-302013: Built outbound TCP connection 1285581751 for outside:x.x.x.x/80 (24.143.204.155/80) to res:x.x.x/58084 (x.x.x.x/58084)

I have the default template and file where this is being logged
configured like this:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
if ($fromhost == 'fwp') then /var/log/firewall/firewall-fwp.log
& ~

Starting rsyslog with the -d debug option I can see it looks like it
isn't using the correct default format that I set in the config file:

8982.054735362:b7f886c0: cfline: '$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat'
.
.
8982.055999738:b7f886c0: module is incompatible with RepeatedMsgReduction - turned off
8982.056005382:b7f886c0: cfline: 'if ($fromhost == 'fwp') then /var/log/firewall/firewall-fwp.log'
8982.056009113:b7f886c0: selector line successfully processed
8982.056012836:b7f886c0: - general expression-based filter
8982.056017374:b7f886c0: skipped whitespace, stream now '($fromhost == 'fwp') then /var/log/firewall/firewall-fwp.log'
8982.056024231:b7f886c0: ctok_token 0x9e94eb0: token: 10
8982.056133884:b7f886c0: expr 0x9e94030: successfully parsed/created expression
8982.056148358:b7f886c0: file stream firewall-fwp.log params: flush interval 0, async write 0
8982.056153077:b7f886c0: tried selector action for builtin-file: 0
8982.056156714:b7f886c0: Module builtin-file processed this config line.
8982.056161564:b7f886c0: template: 'RSYSLOG_FileFormat' assigned

But if I change the individual rule and specifically tell it to use
the RSYSLOG_TraditionalFileFormat it works fine:

if ($fromhost == 'fwp') then /var/log/firewall/firewall-fwp.log;RSYSLOG_TraditionalFileFormat
& ~

0992.733655388:b7f046c0: module is incompatible with RepeatedMsgReduction - turned off
0992.733660566:b7f046c0: cfline: 'if ($fromhost == 'fwp') then /var/log/firewall/firewall-fwp.log;RSYSLOG_TraditionalFileFormat'
0992.733664380:b7f046c0: selector line successfully processed
0992.733667985:b7f046c0: - general expression-based filter
0992.733672523:b7f046c0: skipped whitespace, stream now '($fromhost == 'fwp') then /var/log/firewall/firewall-fwp.log;RSYSLOG_TraditionalFileFormat'
0992.733676941:b7f046c0: ctok_token 0x8e24ed8: token: 10
0992.733799831:b7f046c0: tried selector action for builtin-file: 0
0992.733803366:b7f046c0: Module builtin-file processed this config line.
0992.733808082:b7f046c0: template: 'RSYSLOG_TraditionalFileFormat' assigned

I stripped my config file so basically all it is doing is logging the
host to the /var/log/firewall/firewall-fwp.log file for testing and I
still get the same results. Any ideas?

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
if ($fromhost == 'fwp') then /var/log/firewall/firewall-fwp.log;RSYSLOG_Traditional
&~

--greg
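
Added example, not part of the original post and not rsyslog project code: a Python check that walks `rsyslogd -d` output in the format quoted above, pairs each `cfline:` entry with the `template: '...' assigned` entry that follows it, and flags actions that name no template of their own yet were assigned something other than the `$ActionFileDefaultTemplate` value. It assumes one debug entry per line (email wrapping removed); the function name `audit_templates` and the regexes are hypothetical, and the sample is constructed from the excerpts in the post.

```python
import re

# Constructed sample: debug entries from the post, email line-wrapping removed.
SAMPLE = """\
8982.054735362:b7f886c0: cfline: '$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat'
8982.056005382:b7f886c0: cfline: 'if ($fromhost == 'fwp') then /var/log/firewall/firewall-fwp.log'
8982.056009113:b7f886c0: selector line successfully processed
8982.056161564:b7f886c0: template: 'RSYSLOG_FileFormat' assigned
0992.733660566:b7f046c0: cfline: 'if ($fromhost == 'fwp') then /var/log/firewall/firewall-fwp.log;RSYSLOG_TraditionalFileFormat'
0992.733808082:b7f046c0: template: 'RSYSLOG_TraditionalFileFormat' assigned
"""

ENTRY = re.compile(r"^\d+\.\d+:[0-9a-f]+: (.*)$")       # "<time>:<thread>: <body>"
CFLINE = re.compile(r"^cfline: '(.*)'$")                 # config line being parsed
ASSIGNED = re.compile(r"^template: '([^']+)' assigned$")  # template bound to the action
DEFAULT = re.compile(r"^\$ActionFileDefaultTemplate\s+(\S+)$", re.I)


def audit_templates(debug_text):
    """Return (default_template, findings) for every action in the debug text."""
    default, rule, findings = None, None, []
    for raw in debug_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue                      # not a debug entry (e.g. elided "." lines)
        body = entry.group(1)
        if (cf := CFLINE.match(body)):
            rule = cf.group(1)
            if (d := DEFAULT.match(rule)):
                default, rule = d.group(1), None   # directive, not an action
        elif (a := ASSIGNED.match(body)) and rule is not None:
            explicit = re.search(r";\S+$", rule) is not None  # "file;Template" form
            findings.append({
                "rule": rule,
                "assigned": a.group(1),
                "explicit": explicit,
                # Mismatch: no per-action template, yet the default was not applied.
                "mismatch": (not explicit and default is not None
                             and a.group(1) != default),
            })
            rule = None
    return default, findings


if __name__ == "__main__":
    default, findings = audit_templates(SAMPLE)
    print("default template:", default)
    for f in findings:
        print("MISMATCH" if f["mismatch"] else "ok      ", f["assigned"], "<-", f["rule"])
```
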