Hi Rainer,

ok.
I have 3 different entries in my debug log:
---
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
inputname: imudp rawmsg: '<14> Feb 4 07:29:40 10.224.110.250 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 6 14:11:49', STRUCTURED-DATA: '-',
msg: ' Kernel logging (proc) stopped.'
escaped msg: ' Kernel logging (proc) stopped.'
inputname: imudp rawmsg: '<6>kernel: Kernel logging (proc) stopped.'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'exiting', PRI: 46,
syslogtag 'on', programname: 'on', APP-NAME: 'on', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 6 14:11:50', STRUCTURED-DATA: '-',
msg: ' signal 15'
escaped msg: ' signal 15'
inputname: imudp rawmsg: '<46>exiting on signal 15'
---
I have now set up a rule:
$template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"
if $fromhost == '???' and $fromhost-ip == '???' then ?DYNUNKNOWNmessages

I would like to still log the hosts where I know the IP...
Is it possible to say something like the following ?:
---
$template DYNIPmessages,"PATH_TO/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
$template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"
if $fromhost == '???' and $fromhost-ip == '???' and $hostname == '192.168.*' then ?DYNIPmessages
if $fromhost == '???' and $fromhost-ip == '???' and $hostname != '192.168.*' then ?DYNUNKNOWNmessages
---

Thanks in advance :-) !
~maymann

2012/2/6 Rainer Gerhards <[email protected]>

> Please note that HOSTNAME stems back to the message and as such is a
> different property than FROMHOST. It is definitely not the case that when
> FROMHOST is ??? then HOSTNAME has the IP -- it's just a coincidence in your
> current environment.
>
> rainer
>
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Michael Maymann
> > Sent: Saturday, February 04, 2012 9:10 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >
> > Hi,
> >
> > SOLVED...
> >
> > got it working...:-) !
> >
> > I enabled debugging (David: thanks for the hint) and this was one of the entries:
> > ---
> > Debug line with all properties:
> > FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> > syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> > msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > inputname: imudp rawmsg: '<14> Feb 4 07:29:40 <IP> 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > ---
> > The <IP> from the last line was of course the same as in the logfiles...
> > I confuse this to be a client of a rsyslog-client twice... :-o !
> >
> > I could hereafter easily edit my /etc/rsyslog.conf respectively:
> > ---
> > #SET PRIVILEGES
> > $PreserveFQDN on
> > $PrivDropToGroup <GROUP>
> > $PrivDropToUser <USER>
> > $DirCreateMode 0750
> > $FileCreateMode 0640
> > $UMASK 0027
> >
> > #LOAD MODULES
> > $ModLoad imudp
> > $UDPServerRun 514
> > $UDPServerAddress 127.0.0.1
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> >
> > #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> > #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
> >
> > #SET DESTINATION FOR LOGS
> > $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >
> > $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> > $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> > $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> > $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
> >
> > #SET LOGGING CONDITIONS
> > if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> >
> > if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > ---
> >
> > David+Rainer: thanks for your help... much appreciated...:-) !
> >
> > Br.
> > ~maymann
> >
> > 2012/2/4 <[email protected]>
> >
> > > I was actually meaning for you to do this on the server where you are
> > > seeing the ??? show up.
> > >
> > > but this does show that the sending machine thinks it's doing everything
> > > correctly (assuming the <HOSTNAME> you put in the message below is actually
> > > correct)
> > >
> > > what I would want to see from the server log is one of the messages with
> > > the ??? in it that you are trying to fix.
> > >
> > > David Lang
> > >
> > > On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >
> > >> Hi,
> > >>
> > >> David: thanks for your reply...:-) !
> > >>
> > >> This is not a known client causing the "???" entries - I don't know the
> > >> ip(s)/hostname(s), and this is why I would like to log IP instead of
> > >> hostname - as my guess is it is a network device without DNS entry...:-( !
> > >>
> > >> Can I troubleshoot on the server somehow similar... or was that the
> > >> intention all along...:-o !
> > >>
> > >> Here is the client-debug output anyways...:
> > >> # cat messages-debug
> > >> Debug line with all properties:
> > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
> > >> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >>
> > >> Debug line with all properties:
> > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
> > >> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >>
> > >> Debug line with all properties:
> > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
> > >> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> > >> msg: ' hej'
> > >> escaped msg: ' hej'
> > >> rawmsg: '<13>Feb 3 11:14:30 root: hej'
> > >>
> > >>
> > >> Thanks in advance :-) !
> > >> ~maymann
> > >>
> > >>
> > >> 2012/2/3 <[email protected]>
> > >>
> > >>> oops, that should have been RSYSLOG_DebugFormat template.
> > >>>
> > >>> David Lang
> > >>>
> > >>> On Thu, 2 Feb 2012, [email protected] wrote:
> > >>>
> > >>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > >>>> From: [email protected]
> > >>>> Reply-To: rsyslog-users <[email protected]>
> > >>>> To: rsyslog-users <[email protected]>
> > >>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >>>>
> > >>>> what does one of these messages look like if you write it out with the
> > >>>> RSYSLOG_DEBUG template?
> > >>>>
> > >>>> David Lang
> > >>>>
> > >>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >>>>
> > >>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
> > >>>>> From: Michael Maymann <[email protected]>
> > >>>>> Reply-To: rsyslog-users <[email protected]>
> > >>>>> To: rsyslog-users <[email protected]>
> > >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >>>>>
> > >>>>> Please... Anyone?
> > >>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <[email protected]> wrote:
> > >>>>>
> > >>>>>> Hi,
> > >>>>>>
> > >>>>>> got it started... but still ??? dir+logfiles are showing up...
> > >>>>>> This is now my rsyslog.conf:
> > >>>>>> #SET PRIVILEGES
> > >>>>>> $PreserveFQDN on
> > >>>>>> $PrivDropToGroup <GROUP>
> > >>>>>> $PrivDropToUser <USER>
> > >>>>>> $DirCreateMode 0750
> > >>>>>> $FileCreateMode 0640
> > >>>>>> $UMASK 0027
> > >>>>>>
> > >>>>>> #LOAD MODULES
> > >>>>>> $ModLoad imudp
> > >>>>>> $UDPServerRun 514
> > >>>>>> $UDPServerAddress 127.0.0.1
> > >>>>>> $ModLoad imtcp
> > >>>>>> $InputTCPServerRun 514
> > >>>>>>
> > >>>>>> #SET DESTINATION FOR LOGS
> > >>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>
> > >>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>
> > >>>>>> #SET LOGGING CONDITIONS
> > >>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > >>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > >>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > >>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > >>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> > >>>>>>
> > >>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > >>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > >>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > >>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > >>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > >>>>>>
> > >>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
> > >>>>>> ??? dir+files...
> > >>>>>> What variable should I use to handle this properly ?
> > >>>>>>
> > >>>>>>
> > >>>>>> Thanks in advance :-) !
> > >>>>>> ~maymann
> > >>>>>>
> > >>>>>> 2012/2/2 Michael Maymann <[email protected]>
> > >>>>>>
> > >>>>>>> Hi,
> > >>>>>>>
> > >>>>>>> David: thanks for your reply...
> > >>>>>>> Here is my new rsyslog.conf:
> > >>>>>>> #SET PRIVILEGES
> > >>>>>>> $PreserveFQDN on
> > >>>>>>> $PrivDropToGroup <GROUP>
> > >>>>>>> $PrivDropToUser <USER>
> > >>>>>>> $DirCreateMode 0750
> > >>>>>>> $FileCreateMode 0640
> > >>>>>>> $UMASK 0027
> > >>>>>>>
> > >>>>>>> #LOAD MODULES
> > >>>>>>> $ModLoad imudp
> > >>>>>>> $UDPServerRun 514
> > >>>>>>> $UDPServerAddress 127.0.0.1
> > >>>>>>> $ModLoad imtcp
> > >>>>>>> $InputTCPServerRun 514
> > >>>>>>>
> > >>>>>>> #SET DESTINATION FOR LOGS
> > >>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>>
> > >>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>>
> > >>>>>>> #SET LOGGING CONDITIONS
> > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
> > >>>>>>>
> > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
> > >>>>>>>
> > >>>>>>> but it fails...:
> > >>>>>>> # service rsyslog start
> > >>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
> > >>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
> > >>>>>>> means)
> > >>>>>>> [ OK ]
> > >>>>>>>
> > >>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
> > >>>>>>> is this done...
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> Thanks in advance :-) !
> > >>>>>>> ~maymann
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> 2012/2/1 <[email protected]>
> > >>>>>>>
> > >>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > >>>>>>>>
> > >>>>>>>>> Hi,
> > >>>>>>>>>
> > >>>>>>>>> I want to log information about hosts that are not logging with correct
> > >>>>>>>>> HOSTNAME.
> > >>>>>>>>> In my current setup, I get a dir "???" where these host(s) are logging
> > >>>>>>>>> to...
> > >>>>>>>>>
> > >>>>>>>>> I would like to change this to the hosts IP instead, something like:
> > >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > >>>>>>>>>
> > >>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
> > >>>>>>>> property.
> > >>>>>>>>
> > >>>>>>>> what you can do is to setup a different template and then if %fromhost%
> > >>>>>>>> is your special pattern you can log with this different template.
> > >>>>>>>>
> > >>>>>>>> David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
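
Added example (not part of the original thread and not rsyslog code): a Python model of the routing asked about in the top message, applied to its three debug entries. It treats HOSTNAME as sender-supplied text, as Rainer's reply points out, and uses it as a directory name only when it is a strict IP literal inside an assumed set of ranges; the function names, TRUSTED_NETS and the entries marked "constructed" are assumptions.

```python
import ipaddress

UNKNOWN = "UNKNOWN"  # catch-all directory, as in the DYNUNKNOWNmessages template

# Assumption: the ranges the unknown network devices are expected to sit in.
# 192.168.0.0/16 is the range asked about; 10.0.0.0/8 covers the address
# visible in the first rawmsg.
TRUSTED_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def claimed_ip(hostname, nets=TRUSTED_NETS):
    """Return hostname in canonical form if it is an IP literal inside nets.

    HOSTNAME is parsed out of the message text, so it holds whatever the
    sender wrote (or whatever word the parser took for a host name).
    Anything that is not a plain IP literal is rejected, which also keeps
    wildcards, slashes and ".." out of the generated path.
    """
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return None
    return str(addr) if any(addr in net for net in nets) else None


def log_dir(props):
    """Pick the per-host directory name for one message's properties."""
    fromhost = props.get("fromhost", "???")
    if fromhost != "???":
        return fromhost  # receiver-side property, handled by the DYN* rules
    ip = claimed_ip(props.get("hostname", ""))
    return ip if ip is not None else UNKNOWN


# The three entries from the debug log in the top message (the first HOSTNAME
# is taken from its rawmsg), followed by constructed entries.
SAMPLES = [
    {"fromhost": "???", "hostname": "10.224.110.250"},   # lldp message
    {"fromhost": "???", "hostname": "???"},              # <6>kernel: ...
    {"fromhost": "???", "hostname": "exiting"},          # <46>exiting on signal 15
    {"fromhost": "???", "hostname": "192.168.*"},        # constructed: wildcard text
    {"fromhost": "???", "hostname": "192.168.1.5/../x"}, # constructed: path characters
    {"fromhost": "???", "hostname": "203.0.113.9"},      # constructed: IP outside nets
]


def route_samples():
    """Return (hostname, directory) pairs for the sample entries."""
    return [(s["hostname"], log_dir(s)) for s in SAMPLES]


if __name__ == "__main__":
    for hostname, directory in route_samples():
        print(f"{hostname!r:22} -> PATH_TO/{directory}/")
```
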

