Let's see where the problem stems back to, *then* we can look for a solution.

rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Michael Maymann
> Sent: Monday, February 06, 2012 2:14 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> 
> Hi Rainer,
> 
> ok.
> 
> I have 3 different entries in my debug log:
> ---
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb  4 07:29:40', STRUCTURED-DATA: '-',
> msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> escaped msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> inputname: imudp rawmsg: '<14> Feb  4 07:29:40 10.224.110.250 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> 
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 6,
> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb  6 14:11:49', STRUCTURED-DATA: '-',
> msg: ' Kernel logging (proc) stopped.'
> escaped msg: ' Kernel logging (proc) stopped.'
> inputname: imudp rawmsg: '<6>kernel: Kernel logging (proc) stopped.'
> 
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'exiting', PRI: 46,
> syslogtag 'on', programname: 'on', APP-NAME: 'on', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb  6 14:11:50', STRUCTURED-DATA: '-',
> msg: ' signal 15'
> escaped msg: ' signal 15'
> inputname: imudp rawmsg: '<46>exiting on signal 15'
> ---
> 
> I have now set up a rule:
> $template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"
> if $fromhost == '???' and $fromhost-ip == '???' then ?DYNUNKNOWNmessages
> 
> 
> I would like to still log the hosts where I know the IP...
> Is it possible to say something like the following ?:
> ---
> $template DYNIPmessages,"PATH_TO/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> $template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"
> 
> if $fromhost == '???' and $fromhost-ip == '???' and $hostname == '192.168.*' then ?DYNIPmessages
> if $fromhost == '???' and $fromhost-ip == '???' and $hostname != '192.168.*' then ?DYNUNKNOWNmessages
> ---
> 
> Thanks in advance :-) !
> ~maymann
> 
> 
> 2012/2/6 Rainer Gerhards <[email protected]>
> 
> > Please note that HOSTNAME stems back to the message and as such is a
> > different property than FROMHOST. It is definitely not the case that when
> > FROMHOST is ??? then HOSTNAME has the IP -- it's just a coincidence in your
> > current environment.
> >
> > rainer
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-
> > > [email protected]] On Behalf Of Michael Maymann
> > > Sent: Saturday, February 04, 2012 9:10 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >
> > > Hi,
> > >
> > > SOLVED...
> > >
> > > got it working...:-) !
> > >
> > > I enabled debugging (David: thanks for the hint) and this was one of the
> > > entries:
> > > ---
> > > Debug line with all properties:
> > > FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> > > syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> > > TIMESTAMP: 'Feb  4 07:29:40', STRUCTURED-DATA: '-',
> > > msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > > escaped msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > > inputname: imudp rawmsg: '<14> Feb  4 07:29:40 <IP> 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > > ---
> > > The <IP> from the last line was of course the same as in the
> > > logfiles...
> > > I confuse this to be a client of a rsyslog-client twice... :-o !
> > >
> > > I could hereafter easily edit my /etc/rsyslog.conf respectively:
> > > ---
> > > #SET PRIVILEGES
> > > $PreserveFQDN on
> > > $PrivDropToGroup <GROUP>
> > > $PrivDropToUser <USER>
> > > $DirCreateMode 0750
> > > $FileCreateMode 0640
> > > $UMASK 0027
> > >
> > > #LOAD MODULES
> > > $ModLoad imudp
> > > $UDPServerRun 514
> > > $UDPServerAddress 127.0.0.1
> > > $ModLoad imtcp
> > > $InputTCPServerRun 514
> > >
> > > #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> > > #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
> > >
> > > #SET DESTINATION FOR LOGS
> > > $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >
> > > $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> > > $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> > > $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> > > $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> > > $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> > > $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> > > $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
> > >
> > > #SET LOGGING CONDITIONS
> > > if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > > if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > > if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > > if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > > if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > > if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> > >
> > > if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > > if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > > if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > > if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > > if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > > if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > > ---
> > >
> > > David+Rainer: thanks for your help... much appreciated...:-) !
> > >
> > > Br.
> > > ~maymann
> > >
> > > 2012/2/4 <[email protected]>
> > >
> > > > I was actually meaning for you to do this on the server where you are
> > > > seeing the ??? show up.
> > > >
> > > > but this does show that the sending machine thinks it's doing everything
> > > > correctly (assuming the <HOSTNAME> you put in the message below is actually
> > > > correct)
> > > >
> > > > what I would want to see from the server log is one of the messages with
> > > > the ??? in it that you are trying to fix.
> > > >
> > > >
> > > > David Lang
> > > >
> > > > On Fri, 3 Feb 2012, Michael Maymann wrote:
> > > >
> > > >  Hi,
> > > >>
> > > > >> David: thanks for your reply...:-) !
> > > > >>
> > > > >> This is not a known client causing the "???" entries - I don't know the
> > > > >> ip(s)/hostname(s), and this is why I would like to log IP instead of
> > > > >> hostname - as my guess is it is a network device without DNS entry...:-( !
> > > > >>
> > > > >> Can I troubleshoot on the server somehow similar... or was that the
> > > > >> intention all along...:-o !
> > > > >>
> > > > >> Here is the client-debug output anyways...:
> > > > >> # cat messages-debug
> > > > >> Debug line with all properties:
> > > > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
> > > > >> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> > > > >> TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
> > > > >> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > > >> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > > >> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > > >>
> > > > >> Debug line with all properties:
> > > > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
> > > > >> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> > > > >> TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
> > > > >> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com";] (re)start'
> > > > >> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com";] (re)start'
> > > > >> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com";] (re)start'
> > > > >>
> > > > >> Debug line with all properties:
> > > > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
> > > > >> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> > > > >> TIMESTAMP: 'Feb  3 11:14:30', STRUCTURED-DATA: '-',
> > > > >> msg: ' hej'
> > > > >> escaped msg: ' hej'
> > > > >> rawmsg: '<13>Feb  3 11:14:30 root: hej'
> > > >>
> > > >>
> > > >> Thanks in advance :-) !
> > > >> ~maymann
> > > >>
> > > >>
> > > >> 2012/2/3 <[email protected]>
> > > >>
> > > >>  oops, that should have been RSYSLOG_DebugFormat template.
> > > >>>
> > > >>> David Lang
> > > >>>
> > > >>> On Thu, 2 Feb 2012, [email protected] wrote:
> > > >>>
> > > >>>  Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > > >>>
> > > >>>> From: [email protected]
> > > >>>>
> > > >>>> Reply-To: rsyslog-users <[email protected]>
> > > >>>> To: rsyslog-users <[email protected]>
> > > > >>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > > > >>>>
> > > > >>>> what does one of these messages look like if you write it out with the
> > > > >>>> RSYSLOG_DEBUG template?
> > > >>>>
> > > >>>> David Lang
> > > >>>>
> > > >>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > > >>>>
> > > >>>>  Date: Fri, 3 Feb 2012 07:00:26 +0100
> > > >>>>
> > > >>>>> From: Michael Maymann <[email protected]>
> > > >>>>> Reply-To: rsyslog-users <[email protected]>
> > > >>>>> To: rsyslog-users <[email protected]>
> > > > >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > > > >>>>>
> > > > >>>>> Please... Anyone?
> > > > >>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <[email protected]> wrote:
> > > >>>>>
> > > >>>>>  Hi,
> > > >>>>>
> > > >>>>>>
> > > > >>>>>> got it started... but still ??? dir+logfiles are showing up...
> > > >>>>>> This is now my rsyslog.conf:
> > > >>>>>> #SET PRIVILEGES
> > > >>>>>> $PreserveFQDN on
> > > >>>>>> $PrivDropToGroup <GROUP>
> > > >>>>>> $PrivDropToUser <USER>
> > > >>>>>> $DirCreateMode 0750
> > > >>>>>> $FileCreateMode 0640
> > > >>>>>> $UMASK 0027
> > > >>>>>>
> > > >>>>>> #LOAD MODULES
> > > >>>>>> $ModLoad imudp
> > > >>>>>> $UDPServerRun 514
> > > >>>>>> $UDPServerAddress 127.0.0.1
> > > >>>>>> $ModLoad imtcp
> > > >>>>>> $InputTCPServerRun 514
> > > >>>>>>
> > > >>>>>> #SET DESTINATION FOR LOGS
> > > > >>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > > >>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > > >>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > > >>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > > >>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > > >>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > > >>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > > > >>>>>>
> > > > >>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > > > >>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > > > >>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > > > >>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > > > >>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > > > >>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > > > >>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > > > >>>>>>
> > > > >>>>>> #SET LOGGING CONDITIONS
> > > > >>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > > > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > > > >>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > > > >>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > > > >>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > > > >>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > > > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> > > > >>>>>>
> > > > >>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > > > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > > > >>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > > > >>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > > > >>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > > > >>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > > > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > > > >>>>>>
> > > > >>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all
> > > > >>>>>> creates ??? dir+files...
> > > > >>>>>> What variable should I use to handle this properly ?
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> Thanks in advance :-) !
> > > >>>>>> ~maymann
> > > >>>>>>
> > > >>>>>> 2012/2/2 Michael Maymann <[email protected]>
> > > >>>>>>
> > > >>>>>>  Hi,
> > > >>>>>>
> > > >>>>>>>
> > > >>>>>>> David: thanks for your reply...
> > > >>>>>>> Here is my new rsyslog.conf:
> > > >>>>>>> #SET PRIVILEGES
> > > >>>>>>> $PreserveFQDN on
> > > >>>>>>> $PrivDropToGroup <GROUP>
> > > >>>>>>> $PrivDropToUser <USER>
> > > >>>>>>> $DirCreateMode 0750
> > > >>>>>>> $FileCreateMode 0640
> > > >>>>>>> $UMASK 0027
> > > >>>>>>>
> > > >>>>>>> #LOAD MODULES
> > > >>>>>>> $ModLoad imudp
> > > >>>>>>> $UDPServerRun 514
> > > >>>>>>> $UDPServerAddress 127.0.0.1
> > > >>>>>>> $ModLoad imtcp
> > > >>>>>>> $InputTCPServerRun 514
> > > >>>>>>>
> > > >>>>>>> #SET DESTINATION FOR LOGS
> > > > >>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > > >>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > > >>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > > >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > > >>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > > >>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > > >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > > > >>>>>>>
> > > > >>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > > > >>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > > > >>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > > > >>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > > > >>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > > > >>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > > > >>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > > > >>>>>>>
> > > > >>>>>>> #SET LOGGING CONDITIONS
> > > > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> > > > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> > > > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> > > > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> > > > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> > > > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> > > > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
> > > > >>>>>>>
> > > > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> > > > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> > > > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> > > > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> > > > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> > > > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> > > > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
> > > > >>>>>>>
> > > > >>>>>>> but it fails...:
> > > > >>>>>>> # service rsyslog start
> > > > >>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
> > > > >>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
> > > > >>>>>>> means)
> > > > >>>>>>>                                                          [ OK ]
> > > > >>>>>>>
> > > > >>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
> > > > >>>>>>> is this done...
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> Thanks in advance :-) !
> > > >>>>>>> ~maymann
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> 2012/2/1 <[email protected]>
> > > >>>>>>>
> > > >>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>>  Hi,
> > > >>>>>>>>
> > > >>>>>>>>
> > > > >>>>>>>>> I want to log information about hosts that are not logging with
> > > > >>>>>>>>> correct HOSTNAME.
> > > > >>>>>>>>> In my current setup, I get a dir "???" where these host(s) are
> > > > >>>>>>>>> logging to...
> > > > >>>>>>>>>
> > > > >>>>>>>>> I would like to change this to the hosts IP instead, something like:
> > > > >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > > > >>>>>>>>>
> > > > >>>>>>>>>
> > > > >>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
> > > > >>>>>>>> property.
> > > > >>>>>>>>
> > > > >>>>>>>> what you can do is to setup a different template and then if %fromhost%
> > > > >>>>>>>> is your special pattern you can log with this different template.
> > > >>>>>>>>
> > > >>>>>>>> David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
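
Rainer's caveat applied to the routing Michael asks for, as an added example that is not part of the original thread: HOSTNAME is taken from the message itself, so it is used as a directory key only when FROMHOST and fromhost-ip are unresolved and the value parses as a literal IP address. The function names, the order of the fallbacks and the fourth sample record are assumptions made for illustration.

```python
import ipaddress
import re

UNRESOLVED = "???"  # value the thread's debug output shows for an unknown sender

# Property lines of the three RSYSLOG_DebugFormat records quoted in the thread
# (mail line wraps removed; the first HOSTNAME is the address visible in that
# record's rawmsg), plus one constructed record with a resolved sender.
SAMPLE_RECORDS = [
    "FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '10.224.110.250', PRI: 14,",
    "FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 6,",
    "FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'exiting', PRI: 46,",
    "FROMHOST: 'sw1.example.net', fromhost-ip: '192.0.2.7', HOSTNAME: 'sw1', PRI: 14,",  # constructed
]

# name: 'value' pairs as printed by the debug template
PROP_RE = re.compile(r"([A-Za-z][A-Za-z-]*): '([^']*)'")
# Dot-separated DNS labels only, so the value is safe as one path component
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def parse_props(record):
    """Return the quoted properties of one debug record, keyed in lower case."""
    return {name.lower(): value for name, value in PROP_RE.findall(record)}


def is_ip(value):
    """True only for a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def routing_key(props):
    """Pick the directory name for a message and say which property supplied it.

    FROMHOST and fromhost-ip describe the system the message was received from.
    HOSTNAME is parsed out of the message text, so it is a last resort and is
    accepted only when it is a literal IP address.
    """
    fromhost = props.get("fromhost", UNRESOLVED)
    fromhost_ip = props.get("fromhost-ip", UNRESOLVED)
    hostname = props.get("hostname", UNRESOLVED)

    if is_ip(fromhost) or HOST_RE.fullmatch(fromhost):
        return fromhost, "fromhost"
    if is_ip(fromhost_ip):
        return fromhost_ip, "fromhost-ip"
    if is_ip(hostname):
        return hostname, "hostname"
    return "UNKNOWN", "unknown"


def route_all(records):
    """Routing decision for every record, in input order."""
    return [routing_key(parse_props(r)) for r in records]


if __name__ == "__main__":
    for record, (key, source) in zip(SAMPLE_RECORDS, route_all(SAMPLE_RECORDS)):
        print(f"{key:<18} via {source:<12} <- {record}")
```

The second and third records from the thread land in `UNKNOWN` because their HOSTNAME values (`???` and `exiting`) are fragments of malformed messages, not addresses.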
