Hi,
I have an rsyslog 4.2 in production mixing clients from the same network
and clients from an external network. Both are using rsyslog with stunnel but
we encrypt the traffic using stunnel for the guys in the external network.
In the central rsyslog server I have the following condition:
if \
$fromhost-ip != '127.0.0.1' \
and \
(\
$syslogfacility-text == 'local0' \
or \
$syslogfacility-text == 'local1' \
or \
$syslogfacility-text == 'local2' \
)\
then ?Dyn_AppLogs
& ~
This seems to be working fine. The messages coming from stunnel clients
using local0, 1 or 2 are sent to this Dyn_AppLogs template and nothing from
localhost is filtered here.
However, I am testing the rsyslog in the Ubuntu 12.04 distribution (5.8)
and the same rule doesn't work. Everything coming from stunnel client is
not filtered anymore to this template. Apparently it comes from localhost.
This I could understand, but what puzzles me is that it behaves differently
in 4.2.
I tested the 5.8 sending the following log:
logger -p local0.info -t rails "zumzum"
and below I output some debug lines to show it comes from 127.0.0.1.
Here my two related questions:
*Q1*. Is there an explanation why it works on rsyslog 4.2?
*Q2*. Should I replace fromhost-ip with hostname to make it work on 5.8?
Something like if $hostname != $mycentral_rsyslog_server
This is a bit of a pain as I am using several central rsyslog servers so
I will need to script something at boot time to write the proper central
rsyslog.
Thanks a log,
Xavi
0807.748910864:7fdaa91d4700: relp session read 88 octets, buf '2 syslog 75
<134>2013-02-27T10:26:47.734517+00:00 rsyslog rails:global/rsyslog: zumzum
'
0807.748924923:7fdaa91d4700: relp engine is dispatching frame with command
'syslog'
0807.748936764:7fdaa91d4700: in 'syslog' command handler
0807.748960975:7fdaa91d4700: main Q: entry added, size now log 1, phys 1
entries
0807.748985900:7fdaa91d4700: main Q: EnqueueMsg advised worker start
0807.749016418:7fdaa91d4700: tcpSend returns 15
0807.749029893:7fdaa91d4700: in destructor: sendbuf 0x7fdaa0000b60
0807.749042247:7fdaa91d4700: relpSendqIsEmpty() returns 1
0807.749053714:7fdaa91d4700: relpSendqIsEmpty() returns 1
0807.749065005:7fdaa91d4700: ***<librelp> calling select, active file
descriptors (max 17): 7 8 15 17
0807.749107166:7fdaab809700: wti 0x1a03320: worker awoke from idle
processing
0807.749128214:7fdaab809700: we deleted 0 objects and enqueued 0 objects
0807.749140217:7fdaab809700: delete batch from store, new sizes: log 1,
phys 1
0807.749157017:7fdaab809700: msg parser: flags 30, from '*127.0.0.1*', msg
'<134>2013-02-27T10:26:47.734517+00:00 rsyslog rails:global/r'
0807.749169457:7fdaab809700: parse using parser list 0x19f8080 (the default
list).
0807.749183208:7fdaab809700: dropped LF at very end of message
(DropTrailingLF is set)
0807.749196104:7fdaab809700: Parser 'rsyslog.rfc5424' returned -2160
0807.749208600:7fdaab809700: Message will now be parsed by the legacy
syslog parser (one size fits all... ;)).
0807.749245340:7fdaab809700: MsgSetTAG in: len 6, pszBuf: rails:
0807.749257196:7fdaab809700: MsgSetTAG exit: pMsg->iLenTAG 6,
pMsg->TAG.szBuf: rails:
0807.749268854:7fdaab809700: Parser 'rsyslog.rfc3164' returned 0
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
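A troubleshooting aid for the situation described in the message above, added here as an example and not part of the original post or of rsyslog: it reads rsyslog debug output, takes the source address and PRI from each "msg parser" line, and evaluates the same condition as the posted rule. The function names are hypothetical, and the second and third sample lines are constructed (192.0.2.10 is a documentation address).

```python
import re

# "msg parser" debug line. The mailer wrapped it after "msg" and the poster
# put '*' emphasis around the address; the pattern tolerates both.
PARSER_LINE = re.compile(
    r"msg parser: flags \d+, from '\*?([^'*]+)\*?',\s+msg\s+'<(\d{1,3})>")

def facility_name(pri):
    """Facility part of a syslog PRI value (PRI = facility * 8 + severity)."""
    fac = pri >> 3
    # Only local0..local7 are named; other facilities get a placeholder label.
    return f"local{fac - 16}" if 16 <= fac <= 23 else f"facility{fac}"

def rule_matches(fromhost_ip, facility):
    """Same condition as the posted rule feeding ?Dyn_AppLogs."""
    return fromhost_ip != "127.0.0.1" and facility in ("local0", "local1", "local2")

def sources_seen(debug_text):
    """Return (fromhost_ip, facility, rule_matches) per parsed message."""
    out = []
    for ip, pri in PARSER_LINE.findall(debug_text):
        fac = facility_name(int(pri))
        out.append((ip, fac, rule_matches(ip, fac)))
    return out

# First entry is the line from the post; the other two are constructed.
SAMPLE = """\
0807.749157017:7fdaab809700: msg parser: flags 30, from '*127.0.0.1*', msg
'<134>2013-02-27T10:26:47.734517+00:00 rsyslog rails:global/r'
0807.900000001:7fdaab809700: msg parser: flags 30, from '192.0.2.10', msg
'<137>2013-02-27T10:27:00.000000+00:00 web1 rails: constructed'
0807.900000002:7fdaab809700: msg parser: flags 30, from '192.0.2.10', msg
'<13>2013-02-27T10:27:01.000000+00:00 web1 cron: constructed'
"""

if __name__ == "__main__":
    for ip, fac, hit in sources_seen(SAMPLE):
        print(f"{ip:15} {fac:10} {'-> Dyn_AppLogs' if hit else 'falls through'}")
```

Run against a full debug capture, it lists every source address the server recorded, which shows at a glance whether relayed traffic is being attributed to the loopback address.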