If Rainer creates the instrumented version it would still be good to see what's going on. I would say that for fromhost-ip to be '???' is always a bug, and if a failed DNS lookup makes the fromhost be '???' instead of the IP address, I would also consider that a bug.

It would be good to track down what's actually happening here.

David Lang

On Sat, 4 Feb 2012, Michael Maymann wrote:

Hi,

SOLVED...

got it working...:-) !

I enabled debugging (David: thanks for the hint) and this was one of the
entries:
---
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Feb  4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID
unknown)(769216)'
escaped msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port
2(VID unknown)(769216)'
inputname: imudp rawmsg: '<14> Feb  4 07:29:40 <IP> 00828 lldp:  PVID
mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
---
The <IP> from the last line was of course the same as in the logfiles...
I confuse this to be a client of a rsyslog-client twice... :-o !

I could hereafter easily edit my /etc/rsyslog.conf respectively:
---
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
#*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat

#SET DESTINATION FOR LOGS
$template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
---

David+Rainer: thanks for your help... much appreciated...:-) !

Br.
~maymann

2012/2/4 <[email protected]>

I was actually meaning for you to do this on the server where you are
seeing the ??? show up.

but this does show that the sending machine thinks it's doing everything
correctly (assuming the <HOSTNAME> you put in the message below is actually
correct)

what I would want to see from the server log is one of the messages with
the ??? in it that you are trying to fix.


David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:

 Hi,

David: thanks for your reply...:-) !

This is not a known client causing the "???" entries - I don't know the
ip(s)/hostname(s), and this is why i would like to log IP instead of
hostname - as my guess is it is a network device without DNS entry...:-( !

Can I troubleshoot on the server somehow similar... or was that the
intention all along...:-o !

Here is the client-debug output anyways...:
# cat messages-debug
Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'

Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
x-info="http://www.rsyslog.com";] (re)start'
escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
x-info="http://www.rsyslog.com";] (re)start'
rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
x-info="http://www.rsyslog.com";] (re)start'

Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:30', STRUCTURED-DATA: '-',
msg: ' hej'
escaped msg: ' hej'
rawmsg: '<13>Feb  3 11:14:30 root: hej'


Thanks in advance :-) !
~maymann


2012/2/3 <[email protected]>

 oops, that should have been RSYSLOG_DebugFormat template.

David Lang

On Thu, 2 Feb 2012, [email protected] wrote:

 Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)

From: [email protected]

Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

what does one of these messages look like if you write it out with the
RSYSLOG_DEBUG template?

David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:

 Date: Fri, 3 Feb 2012 07:00:26 +0100

From: Michael Maymann <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Please... Anyone?
On Feb 2, 2012 2:17 PM, "Michael Maymann" <[email protected]> wrote:

 Hi,


got it started... but still ??? dir+logfiles are showing up...
This is now my rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps

I have tried with $fromhost, $fromhost-ip and $hostname - but all create
??? dir+files...
What variable should I use to handle this properly ?


Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann <[email protected]>

 Hi,


David: thanks for your reply...
Here is my new rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps

if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps

but it fails...:
# service rsyslog start
Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
                                                         [  OK  ]

my guess is it is my %FROMHOST% == '???' - is this format correct or how
is this done...


Thanks in advance :-) !
~maymann


2012/2/1 <[email protected]>

On Wed, 1 Feb 2012, Michael Maymann wrote:


 Hi,


I want to log information about hosts that are not logging with correct
HOSTNAME.
In my current setup, I get a dir "???" where these host(s) are logging
to...

I would like to change this to the hosts IP instead, something like:
if %FROMHOST% == '???' then %FROMHOST% == %IP


 rsyslog cannot do what you are asking. It can't assign a value to a
property.

what you can do is to set up a different template and then if %fromhost%
is your special pattern you can log with this different template.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
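
Added example, not from the thread or from the rsyslog project: a Python script that reads RSYSLOG_DebugFormat records like the one in the 4 Feb message and picks the per-host directory the way the final rules do (FROMHOST, or HOSTNAME when FROMHOST is '???'), validating HOSTNAME first because it is parsed from the message text. The sample records, the `_unparsed` fallback name and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: abbreviated RSYSLOG_DebugFormat records (documentation addresses).
SAMPLE = """\
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.0.2.17', PRI: 14,
msg: ' lldp:  PVID mismatch on port C2(VID 1)'

Debug line with all properties:
FROMHOST: 'web01.example.net', fromhost-ip: '198.51.100.5', HOSTNAME: 'web01.example.net', PRI: 13,
msg: ' hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '%SYS-5-CONFIG_I:', PRI: 14,
msg: ' HOSTNAME: 'core-sw1' set from console'
"""

PROP = re.compile(r"(FROMHOST|fromhost-ip|HOSTNAME): '([^']*)'")
SAFE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\Z")  # one plain path component

def parse_records(text):
    """Return the three source properties of every debug record in text."""
    records = []
    for block in text.split("Debug line with all properties:")[1:]:
        props = {}
        for key, value in PROP.findall(block):
            props.setdefault(key, value)  # first hit is the header; ignore look-alikes in msg
        records.append(props)
    return records

def directory_key(rec):
    """Pick (directory name, origin of that name) for one record."""
    if rec["FROMHOST"] != "???":
        return rec["FROMHOST"], "fromhost"
    host = rec["HOSTNAME"]  # comes from the message header, so the sender chose it
    try:
        ipaddress.ip_address(host)
        return host, "hostname-ip"
    except ValueError:
        pass
    if SAFE.match(host):
        return host, "hostname-name"
    return "_unparsed", "rejected"  # mis-parsed header: keep it out of the path

def report(text):
    return [directory_key(r) for r in parse_records(text)]

if __name__ == "__main__":
    print(report(SAMPLE))
```
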






