Thanks mate. You mean my match pattern may be wrong or bad rules?

Eric

On Wed, Mar 2, 2011 at 9:21 AM, <[email protected]> wrote:
> rsyslog is very flexible, but it seems like you are testing one thing and
> then complaining because of something else.
>
> if you test to see if the source is localhost (or server) why don't you use
> source in your DynaFile definition? if you did, I would be _very_ surprised
> if you had any files named -server show up.
>
> but you are testing the source and then setting your filename by hostname,
> the fact that you are getting files named -server indicates that you have
> some logs that are showing up where the source is not 'localhost' or
> 'server' but that hostname _is_ 'server'.
>
> we could go down the path of looking at individual log entries to figure out
> why this is the case and then tailoring the rules to fix those cases, but it
> seems to me that the problem is at a higher level. It seems like it's
> probably a mistake to test for source and then log by hostname, but you may
> have a reason to do so. I've already missed an obvious thing in this thread
> (i.e. that the central machine is named 'server'), so I'm trying not to
> assume that you are doing this wrong, but instead am asking why you are
> doing this.
>
> If you want to start down the path of why the logs are showing up in
> -server.log instead of falling through, then you need to change the logging
> format to include %source% somewhere so that we can see what the source is
> of the logs that you are seeing as being misfiled.
>
> It seems like what you probably want to do is to change the test to test for
> $hostname instead of $source to keep the logs from 'server' from going to
> the destination of the first rule.
>
> then the second rule will throw away any logs matched by the first rule
>
> then the remainder of the rules will be applied to what's left.
>
> David Lang
>
> On Wed, 2 Mar 2011, Lee Eric wrote:
>
>> Hey mate,
>>
>> Because I still wanna use the host "server" default logs location
>> /var/log/messages.
>> I'm just thinking if the syntax of rsyslog is
>> complex that should indicate it is flexible. But I didn't notice that.
>> Do you have any good idea?
>>
>> Thanks.
>>
>> Eric
>>
>> On Wed, Mar 2, 2011 at 8:07 AM, <[email protected]> wrote:
>>>
>>> sorry, I hadn't had time to look at this since my last e-mail
>>>
>>> the test is for source, but then the file is named from hostname, why the
>>> difference? wouldn't you want to have the test match what you are using in
>>> the filename?
>>>
>>> David Lang
>>>
>>> On Tue, 1 Mar 2011, Lee Eric wrote:
>>>
>>>> Date: Tue, 1 Mar 2011 22:22:11 +0800
>>>> From: Lee Eric <[email protected]>
>>>> Reply-To: rsyslog-users <[email protected]>
>>>> To: rsyslog-users <[email protected]>
>>>> Subject: Re: [rsyslog] Help: Separate Logs Order
>>>>
>>>> Any update?
>>>>
>>>> Eric
>>>>
>>>> On Tue, Mar 1, 2011 at 11:43 AM, Lee Eric <[email protected]> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> No syntax error but still not working. system-server.log still
>>>>> created, other hosts logs write to the host "server" /var/log/messages
>>>>> and /var/log/system-hostname.log at the same time.
>>>>>
>>>>> $template DynFile,"/var/log/system-%HOSTNAME%.log"
>>>>> if ($source != 'localhost' or $source != 'server') then ?DynFile
>>>>>
>>>>> Regards,
>>>>>
>>>>> Eric
>>>>>
>>>>> On Tue, Mar 1, 2011 at 11:15 AM, <[email protected]> wrote:
>>>>>>
>>>>>> I figured my syntax was not quite right. I didn't take the time to look it
>>>>>> up exactly.
>>>>>>
>>>>>> Ok, looking things up
>>>>>>
>>>>>> if ($source != 'localhost' and $source != 'server') then ?DynFile
>>>>>>
>>>>>> how does this work.
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>> On Tue, 1 Mar 2011, Lee Eric wrote:
>>>>>>
>>>>>>> Date: Tue, 1 Mar 2011 10:26:13 +0800
>>>>>>> From: Lee Eric <[email protected]>
>>>>>>> Reply-To: rsyslog-users <[email protected]>
>>>>>>> To: rsyslog-users <[email protected]>
>>>>>>> Subject: Re: [rsyslog] Help: Separate Logs Order
>>>>>>>
>>>>>>> Hi mate,
>>>>>>>
>>>>>>> I use your conf but I encounter more serious problem:
>>>>>>>
>>>>>>> Feb 28 21:22:11 server rsyslogd-2051: syntax error in expression [try http://www.rsyslog.com/e/2051 ]
>>>>>>> Feb 28 21:22:11 server rsyslogd: the last error occured in /etc/rsyslog.conf, line 34:"if (%source != 'localhost' or %source != 'server') then ?DynFile"
>>>>>>> Feb 28 21:22:11 server rsyslogd: warning: selector line without actions will be discarded
>>>>>>> Feb 28 21:22:11 server rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>>>>>
>>>>>>> And /var/log/system-server.log won't create but all other machines
>>>>>>> logs will write to /var/log/messages in the host "server", not the
>>>>>>> separated logs.
>>>>>>>
>>>>>>> Do you have any idea to fix that?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Eric
>>>>>>>
>>>>>>> On Tue, Mar 1, 2011 at 9:49 AM, <[email protected]> wrote:
>>>>>>>>
>>>>>>>> On Tue, 1 Mar 2011, Lee Eric wrote:
>>>>>>>>
>>>>>>>>> Sorry, mate. As you mentioned the log file /var/log/system-server.log
>>>>>>>>> will be created in the host "server" and throw away its other logs.
>>>>>>>>> But what I want is the logs in the host "server" will write to its
>>>>>>>>> original places in /var/log/messages etc., not recreated a
>>>>>>>>> system-server.log to record logs.
>>>>>>>>>
>>>>>>>>> By now, all host "server" logs will write to
>>>>>>>>> /var/log/system-server.log and other original logging places are not
>>>>>>>>> written by using my rules.
>>>>>>>>> So I hope there will be a way to fix that.
>>>>>>>>> The host "server" is rsyslog server.
>>>>>>>>
>>>>>>>> Ok, that's what I missed.
>>>>>>>>
>>>>>>>> you need to change your test to be something like the following
>>>>>>>> (probably slightly incorrect) test
>>>>>>>>
>>>>>>>> if (%source != 'localhost' or %source != 'server') then ?DynFile
>>>>>>>>
>>>>>>>> and if you want it in the file system-server.log as well, add an entry
>>>>>>>> below that that does
>>>>>>>>
>>>>>>>> *.* /var/log/system-server.log
>>>>>>>>
>>>>>>>> David Lang
>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Eric
>>>>>>>>>
>>>>>>>>> On Tue, Mar 1, 2011 at 5:38 AM, <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> On Mon, 28 Feb 2011, Lee Eric wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I have a question about separate logs order configuration. I have 4
>>>>>>>>>>> machines with hostnames server, storage, client1 and client2. The
>>>>>>>>>>> rsyslogs is running at server. The configuration looks like that:
>>>>>>>>>>>
>>>>>>>>>>> $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
>>>>>>>>>>> $ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
>>>>>>>>>>> $ModLoad imtcp.so
>>>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>>>>>>>>> $template DynFile,"/var/log/system-%HOSTNAME%.log"
>>>>>>>>>>> :source , !isequal , "localhost" ?DynFile
>>>>>>>>>>> & ~
>>>>>>>>>>> *.info;mail.none;authpriv.none;cron.none /var/log/messages
>>>>>>>>>>> authpriv.* /var/log/secure
>>>>>>>>>>> mail.* -/var/log/maillog
>>>>>>>>>>> cron.* /var/log/cron
>>>>>>>>>>> *.emerg *
>>>>>>>>>>> uucp,news.crit /var/log/spooler
>>>>>>>>>>> local7.* /var/log/boot.log
>>>>>>>>>>>
>>>>>>>>>>> And in other machines the configuration looks like this:
>>>>>>>>>>>
>>>>>>>>>>> $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
>>>>>>>>>>> $ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
>>>>>>>>>>> $ModLoad imtcp.so
>>>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>>>>>>>>> *.* @@server.herdingcat.internal
>>>>>>>>>>> *.info;mail.none;authpriv.none;cron.none /var/log/messages
>>>>>>>>>>> authpriv.* /var/log/secure
>>>>>>>>>>> mail.* -/var/log/maillog
>>>>>>>>>>> cron.* /var/log/cron
>>>>>>>>>>> *.emerg *
>>>>>>>>>>> uucp,news.crit /var/log/spooler
>>>>>>>>>>> local7.* /var/log/boot.log
>>>>>>>>>>>
>>>>>>>>>>> /var/log/system-storage.log, /var/log/system-client1.log,
>>>>>>>>>>> /var/log/system-client2.log created successfully and it works well but
>>>>>>>>>>> there's also a log file /var/log/system-server.log created.
>>>>>>>>>>> I hope server's log is still recorded under /var/log/messages not
>>>>>>>>>>> separated. So I'm wondering is there any good method to achieve that
>>>>>>>>>>> function?
>>>>>>>>>>
>>>>>>>>>> I don't really understand your question here.
>>>>>>>>>>
>>>>>>>>>> the second configuration doesn't seem to have any dynafile lines, so it
>>>>>>>>>> sounds like you are asking about the first one.
>>>>>>>>>>
>>>>>>>>>> In the first one you are saying that for any server other than localhost,
>>>>>>>>>> put the logs in a file /var/log/system-name.log and then throw them away
>>>>>>>>>> (don't put them in any other logfile)
>>>>>>>>>>
>>>>>>>>>> so if you get a log entry from a machine called 'server' it would create
>>>>>>>>>> the file /var/log/system-server.log and then throw away the log.
>>>>>>>>>>
>>>>>>>>>> could you please try restating what you think is being done
>>>>>>>>>> differently from what you are wanting?
>>>>>>>>>>
>>>>>>>>>> David Lang
>>>>>>>>>> _______________________________________________
>>>>>>>>>> rsyslog mailing list
>>>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>>>> http://www.rsyslog.com
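
Added example, not part of the original thread and not configuration from either poster: the filter rule quoted in the thread beside a corrected form, in the same legacy rsyslog syntax. It assumes the central host is named 'server' as in the thread, uses the `and` and `$hostname` changes David Lang suggests, and reuses the `& ~` discard from the original configuration.

```conf
# /etc/rsyslog.conf on the central host "server" (routing rules only)

# One file per sending host, named from the HOSTNAME property.
$template DynFile,"/var/log/system-%HOSTNAME%.log"

# Before (rule quoted in the thread), kept here as a comment:
#   if ($source != 'localhost' or $source != 'server') then ?DynFile
# With "or" the expression is true for every message:
#   name = 'server'    -> 'server'    != 'localhost' is true
#   name = 'localhost' -> 'localhost' != 'server'    is true
#   any other name     -> both comparisons are true
# so messages from "server" itself are also written through DynFile and
# /var/log/system-server.log is created.

# After: "and" is true only when the name is neither 'localhost' nor
# 'server'. The test uses $hostname, the same property the template uses
# to build the file name, so the filter and the file name cannot disagree.
if ($hostname != 'localhost' and $hostname != 'server') then ?DynFile

# Discard whatever the rule above matched. Without this line the matched
# remote messages continue to the selector rules below and are written to
# /var/log/messages as well as to their per-host file.
& ~

# Only messages from the central host itself reach these rules.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
```

Rule order matters here: the filter and its `& ~` must stay above the selector lines, otherwise remote messages are written to the local files before they are discarded.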

