comments inline, I think this will answer your questions. If not, ask more to
clarify.
You have a number of mistakes here
On Tue, 8 Jan 2013, Mathias Hollstein wrote:
# Write logs to template.
#
*.info
-?DailyPerHostLogs
The first issue is that the filter and the action need to be on the same line.
you also don't need the '-', rsyslog buffers by default.
### Is the *.* catch-all (line below) directive required prior to the
### :fromhost-blubb? Dunno! Does it override the *.info (line above)?
remember that each filter in the file is independent, if the filter matches, the
action on the line takes place, in either case, the next filter is then
processed.
#*.* -?DailyPerSpamvirIn
*.info :fromhost-ip, regex, "^spamvir[0-100].*$", contains, "exim"
-?DailyPerSpamvirIn
### Are these "discard actions" (& ~ ) actually required in here?
### I'm not sure about them at all. What do they mean at all?
& ~
Discard means that rsyslog stops looking at filters after this point. So if the
line matches the filter (in this case the filter is '&', which means the last
filter processed), then rsyslog will do nothing more with this log message and
move on to the next one.
*. info :fromhost-ip, regex, "^spamvir[0-100].*$"
-?DailyPerSpamvirOut
& ~
*.info :fromhost-ip, regex, "^spamvir[0-100].*$"
-?DailyPerSpamvirCont
& ~
:fromhost-ip, regex, "^spamvir[0-100].*$"
-?DailyPerSpamvirSa
& ~
:fromhost-ip, regex, "^spamvir[0-100].*$"
-?DailyPerSpamvirSaErr
& ~
again, you have the actions on separate lines from the filters, this won't work.
regex matches are expensive.
"fromhost-ip" is always an IP address, it's never going to match a letter.
"fromhost-ip" is the IP of the box that sent this message to you. If the message
is from the box you are on it's 127.0.0.1, if you have messages relayed to you,
it's the IP address of the relay box.
"fromhost" is the reverse lookup of the fromhost-ip. This is expensive (DNS or
hosts queries)
"hostname" is the name that's in the log message after the timestamp.
### The relay configuration may cause problems since all facilities
### are then aggregated to one single "DailyPerRelays"-destination
### file. Right?
see above for the explanation of what fromhost-ip means. it's probably not what
you want.
:fromhost-ip, regex, "^relay[0-100].*$"
-?DailyPerRelays
& ~
:fromhost-ip, regex, "^XXX.XXX.XXX.*$"
-?DailyPerRelays
& ~
:fromhost-ip, regex, "^frontvir[12].*$"
-?DailyPerFrontvir
& ~
note that since you throw away the log message after each filter, a given log
message is only going to be logged once.
David Lang
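
The points made in the reply above (filter and action on one line, matching on hostname rather than fromhost-ip, independent filters, and what "& ~" does), shown as an added rsyslog configuration that is not part of the original thread. The template names come from the quoted configuration; the file paths, the use of startswith in place of the regex, and testing programname for "exim" are assumptions.

```conf
# Added example, not from the original thread. Legacy rsyslog syntax.
# Template file paths are assumed; only the template names appear in the post.
$template DailyPerHostLogs,"/var/log/remote/%hostname%/%$year%-%$month%-%$day%.log"
$template DailyPerSpamvirIn,"/var/log/remote/spamvir/exim-%$year%-%$month%-%$day%.log"
$template DailyPerRelays,"/var/log/remote/relays/%$year%-%$month%-%$day%.log"

# Form from the post that does not work: selector and action on separate lines.
#   *.info
#   -?DailyPerHostLogs
# Working form: selector and action on one line, without the '-' prefix.
*.info    ?DailyPerHostLogs

# Each filter is evaluated independently, so a message written by the rule
# above is still tested against every rule below until something discards it.

# "hostname" is the name inside the message; "fromhost-ip" only ever holds an
# IP address, so a pattern such as "^spamvir..." can never match it.
# startswith/contains are plain string comparisons, cheaper than a regex.
# Assumption: "exim" was meant to be matched against the program name.
if $hostname startswith 'spamvir' and $programname contains 'exim' then ?DailyPerSpamvirIn
# '&' reuses the previous filter and '~' discards the message: a message that
# matched is not seen by any rule after this line.
& ~

# Property-based filter, same one-line rule.
:hostname, startswith, "relay"    ?DailyPerRelays
& ~
```

With this ordering an info-level exim message from a spamvir host is written to both DailyPerHostLogs and DailyPerSpamvirIn, because the discard only takes effect after the second rule.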