I was actually meaning for you to do this on the server where you are seeing the ??? show up.

but this does show that the sending machine thinks it's doing everything correctly (assuming the <HOSTNAME> you put in the message below is actually correct)

what I would want to see from the server log is one of the messages with the ??? in it that you are trying to fix.

David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:

Hi,

David: thanks for your reply...:-) !

This is not a known client causing the "???" entries - I don't know the
ip(s)/hostname(s), and this is why I would like to log IP instead of
hostname - as my guess is it is a network device without DNS entry...:-( !

Can I troubleshoot on the server somehow similar... or was that the
intention all along...:-o !

Here is the client-debug output anyways...:
# cat messages-debug
Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'

Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'

Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:30', STRUCTURED-DATA: '-',
msg: ' hej'
escaped msg: ' hej'
rawmsg: '<13>Feb  3 11:14:30 root: hej'


Thanks in advance :-) !
~maymann


2012/2/3 <[email protected]>

oops, that should have been RSYSLOG_DebugFormat template.

David Lang

On Thu, 2 Feb 2012, [email protected] wrote:

 Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
From: [email protected]

Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

what does one of these messages look like if you write it out with the
RSYSLOG_DEBUG template?

David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:

 Date: Fri, 3 Feb 2012 07:00:26 +0100
From: Michael Maymann <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Please... Anyone?
On Feb 2, 2012 2:17 PM, "Michael Maymann" <[email protected]> wrote:

 Hi,

got it started... but still ??? dir+logfiles are showing up...
This is now my rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps

I have tried with $fromhost, $fromhost-ip and $hostname - but all create
??? dir+files...
What variable should I use to handle this properly ?


Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann <[email protected]>

 Hi,

David: thanks for your reply...
Here is my new rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps

if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps

but it fails...:
# service rsyslog start
Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
                                                          [  OK  ]

my guess is it is my %FROMHOST% == '???' - is this format correct or how
is this done...


Thanks in advance :-) !
~maymann


2012/2/1 <[email protected]>

On Wed, 1 Feb 2012, Michael Maymann wrote:


 Hi,


I want to log information about hosts that are not logging with correct
HOSTNAME.
In my current setup, I get a dir "???" where these host(s) are logging
to...

I would like to change this to the hosts IP instead, something like:
if %FROMHOST% == '???' then %FROMHOST% == %IP


rsyslog cannot do what you are asking. It can't assign a value to a
property.

what you can do is to set up a different template and then if %fromhost%
is your special pattern you can log with this different template.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
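
A helper for the server-side check requested at the top of this thread, as an added example that is not part of the original messages: it reads a log written with the RSYSLOG_DebugFormat template and lists the records whose FROMHOST or HOSTNAME is '???' together with their fromhost-ip. The function names and the sample records are constructed for illustration; the record layout assumed is the one in the debug output quoted earlier in the thread.

```python
import re
from collections import Counter

HEADER = "Debug line with all properties:"
# Property labels exactly as they appear in the debug output quoted in the thread.
FIELDS = {
    "fromhost": re.compile(r"FROMHOST: '([^']*)'"),
    "fromhost_ip": re.compile(r"fromhost-ip: '([^']*)'"),
    "hostname": re.compile(r"HOSTNAME: '([^']*)'"),
    # rawmsg is the last property of a record and may itself contain quotes.
    "rawmsg": re.compile(r"^rawmsg: '(.*)'\s*\Z", re.M | re.S),
}

def parse_debug_records(text):
    """Split a debug-format log into one dict per record."""
    records = []
    for chunk in text.split(HEADER)[1:]:
        rec = {}
        for name, rx in FIELDS.items():
            m = rx.search(chunk)
            rec[name] = m.group(1) if m else None
        records.append(rec)
    return records

def unresolved_senders(records, marker="???"):
    """Return records whose FROMHOST or HOSTNAME is the marker, and a per-IP count."""
    hits = [r for r in records if marker in (r["fromhost"], r["hostname"])]
    return hits, Counter(r["fromhost_ip"] for r in hits)

# Constructed sample (abbreviated records, invented values), not taken from the thread.
SAMPLE = """\
Debug line with all properties:
FROMHOST: 'web01.example.test', fromhost-ip: '127.0.0.1', HOSTNAME: 'web01.example.test', PRI: 13,
msg: ' hej'
rawmsg: '<13>Feb  3 11:14:30 root: hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '192.0.2.10', HOSTNAME: '???', PRI: 14,
msg: ' link up'
rawmsg: '<14>Feb  3 11:15:02 link up'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '192.0.2.10', HOSTNAME: 'sw-core', PRI: 11,
msg: ' fan 'A' failed'
rawmsg: '<11>Feb  3 11:15:40 sw-core fan 'A' failed'
"""

if __name__ == "__main__":
    hits, by_ip = unresolved_senders(parse_debug_records(SAMPLE))
    for ip, n in by_ip.most_common():
        print(f"{n} message(s) with ??? from fromhost-ip {ip}")
    for r in hits:
        print(repr(r["rawmsg"]))
```

The rawmsg of each hit shows what the sender actually put on the wire, which is the part to compare against the parsed HOSTNAME.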




