Re: [rsyslog] Help: Separate Logs Order

[david]

rsyslog is very flexible, but it seems like you are testing one thing and 
then complaining because of something else.

if you test to see if the source is localhost (or server) why don't you 
use source in your DynaFile definition? if you did, I would be _very_ 
surprised if you had any files named -server show up.

but you are testing the source and then setting your filename by hostname, 
the fact that you are getting files named -server indicates that you have 
some logs that are showing up where the source is not 'localhost' or 
'server' but that hostname _is_ 'server'.

we could go down the path of looking at individual log entries to figure 
out why this is the case and then tailoring the rules to fix those cases, 
but it seems to me that the problem is at a higher level. It seems like 
it's probably a mistake to test for source and then log by hostname, but 
you may have a reason to do so. I've already missed an obvious thing in 
this thread (i.e. that the central machine is named 'server'), so I'm 
trying not to assume that you are doing this wrong, but instead am asking 
why you are doing this.


If you want to start down the path of why the logs are showing up in 
-server.log instead of falling through, then you need to change the 
logging format to include %source% somewhere so that we can see what the 
source is of the logs that you are seeing as being misfiled.


It seems like what you probably want to do is to change the test to test 
for $hostname instead of $source to keep the logs from 'server' from going 
to the destination of the first rule.

then the second rule will throw away any logs matched by the first rule

then the remainder of the rules will be applied to what's left.

David Lang



 On Wed, 2 Mar 2011, Lee Eric wrote:

Hey mate,

Because I still wanna use the host "server" default logs location
/var/log/messages. I'm just thinking if the syntax of rsyslog is
complex that should indicate it is flexible. But I didn't notice that.
Do you have any good idea?

Thanks.

Eric

On Wed, Mar 2, 2011 at 8:07 AM,  <da...@lang.hm> wrote:
sorry, I hadn't had time to look at this since my last e-mail

the test is for source, but then the file is named from hostname, why the
difference? wouldn't you want to have the test match what you are using in
the filename?

David Lang

On Tue, 1 Mar 2011, Lee Eric wrote:

Date: Tue, 1 Mar 2011 22:22:11 +0800
From: Lee Eric <openlinuxsou...@gmail.com>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Help: Separate Logs Order

Any update?

Eric

On Tue, Mar 1, 2011 at 11:43 AM, Lee Eric <openlinuxsou...@gmail.com>
wrote:

Hi,

No syntax error but still not working. system-server.log still
created, other hosts logs write to the host "server" /var/log/messages
and /var/log/system-hostname.log at the same time.

$template DynFile,"/var/log/system-%HOSTNAME%.log"
if ($source != 'localhost' or $source != 'server') then ?DynFile

Regards,

Eric

On Tue, Mar 1, 2011 at 11:15 AM,  <da...@lang.hm> wrote:

I figured my syntax was not quite right. I didn't take the time to look
it
up exactly.

Ok, looking things up

if ($source != 'localhost' and $source != 'server') then ?DynFile

how does this work.

David Lang

On Tue, 1 Mar 2011, Lee Eric wrote:

Date: Tue, 1 Mar 2011 10:26:13 +0800
From: Lee Eric <openlinuxsou...@gmail.com>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Help: Separate Logs Order

Hi mate,

I use your conf but I encounter more serious problem:

Feb 28 21:22:11 server rsyslogd-2051: syntax error in expression [try
http://www.rsyslog.com/e/2051 ]
Feb 28 21:22:11 server rsyslogd: the last error occured in
/etc/rsyslog.conf, line 34:"if (%source != 'localhost' or %source !=
'server') then ?DynFile"
Feb 28 21:22:11 server rsyslogd: warning: selector line without
actions will be discarded
Feb 28 21:22:11 server rsyslogd-2124: CONFIG ERROR: could not
interpret master config file '/etc/rsyslog.conf'. [try
http://www.rsyslog.com/e/2124 ]

And /var/log/system-server.log won't create but all other machines
logs will write to /var/log/messages in the host "server", not the
separated logs.

Do you have any idea to fix that?

Regards,

Eric

On Tue, Mar 1, 2011 at 9:49 AM,  <da...@lang.hm> wrote:

On Tue, 1 Mar 2011, Lee Eric wrote:

Sorry, mate. As you mentioned the log file /var/log/system-server.log
will be created in the host "server" and throw away its other logs.
But what I want is the logs in the host "server" will write to its
original places in /var/log/messages etc., not recreated a
system-server.log to record logs.

By now, all host "server" logs will write to
/var/log/system-server.log and other original logging places are not
written by using my rules. So I hope there will be a way to fix that.
The host "server" is rsyslog server.

Ok, that's what I missed.

you need to change your test to be something like the following
(probably
slightly incorrect) test

if (%source != 'localhost' or %source != 'server') then ?DynFile

and if you want it in the file system-server.log as well, add an entry
below
that that does

*.* /var/log/system-server.log

David Lang

Thanks,

Eric

On Tue, Mar 1, 2011 at 5:38 AM,  <da...@lang.hm> wrote:

On Mon, 28 Feb 2011, Lee Eric wrote:

Hi,

I have a question about separate logs order configuration. I have 4
machines with hostnames server, storage, client1 and client2. The
rsyslogs is running at server. The configuration looks like that:

$ModLoad imuxsock.so    # provides support for local system logging
(e.g.
via logger command)
$ModLoad imklog.so      # provides kernel logging support
(previously
done
by rklogd)
$ModLoad imtcp.so
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template DynFile,"/var/log/system-%HOSTNAME%.log"
:source , !isequal , "localhost" ?DynFile
& ~
*.info;mail.none;authpriv.none;cron.none
 /var/log/messages
authpriv.*
 /var/log/secure
mail.*
 -/var/log/maillog
cron.*
 /var/log/cron
*.emerg                                                 *
uucp,news.crit
 /var/log/spooler
local7.*
 /var/log/boot.log

And in other machines the configuration looks like this:


$ModLoad imuxsock.so    # provides support for local system logging
(e.g.
via logger command)
$ModLoad imklog.so      # provides kernel logging support
(previously
done
by rklogd)
$ModLoad imtcp.so
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.*     @@server.herdingcat.internal
*.info;mail.none;authpriv.none;cron.none
 /var/log/messages
authpriv.*
 /var/log/secure
mail.*
 -/var/log/maillog
cron.*
 /var/log/cron
*.emerg                                                 *
uucp,news.crit
 /var/log/spooler
local7.*
 /var/log/boot.log

/var/log/system-storage.log, /var/log/system-client1.log,
/var/log/system-client2.log created successfully and it works well
but
there's also a log file /var/log/system-server.log created. I hope
server's log is still recorded under /var/log/messages not
separated.
So I'm wondering is there any good method to achieve that function?

I don't really understand your question here.

the second configuration doesn't seem to have any dynafile lines, so
it
sounds like you are asking about the first one.

In the first one you are saying that for any server other than
localhost,
put the logs in a file /var/log/system-name.log and then throw them
away
(don't put them in any other logfile)

so if you get a log entry from a machine called 'server' it would
create
the
fiel /var/log/system-server.log and then throw away the log.

could you please try restating your what you think is being done
differently
from what you are wanting?

David Lang4
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com



_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com