On Wed, 2013-02-27 at 12:05 +0100, Xavier Fustero wrote:
> Hi,
>
> I have an rsyslog 4.2 in production mixing clients from the same network
> and clients from external network. Both are using rsyslog with stunnel but
> we encrypt the traffic using stunnel for the guys in the external network.
> In the central rsyslog server I have the following condition:
>
> if \
>     $fromhost-ip != '127.0.0.1' \
>     and \
>     (\
>         $syslogfacility-text == 'local0' \
>         or \
>         $syslogfacility-text == 'local1' \
>         or \
>         $syslogfacility-text == 'local2' \
>     )\
> then ?Dyn_AppLogs
> & ~
>
> This seems to be working fine. The messages coming from stunnel clients
> using local0, 1 or 2 are sent to this Dyn_AppLogs template and nothing from
> localhost is filtered here.
>
> However, I am testing the rsyslog in the Ubuntu 12.04 distribution (5.8)
> and the same rule doesn't work. Everything coming from stunnel client is
> not filtered anymore to this template. Apparently it comes from localhost.
> This I could understand but what puzzles me is that it behaves differently
> in 4.2.
>
> I tested the 5.8 sending the following log:
>
> logger -p local0.info -t rails "zumzum"
>
> and below I output some debug lines to show it comes from 127.0.0.1.
>
> Here my two related questions:
>
> *Q1*. Is there an explanation why it works on rsyslog 4.2?
> *Q2*. Should I replace fromhost-ip with hostname to make it work on 5.8?
> Something like if $hostname != $mycentral_rsyslog_server
> This is a bit painful as I am using several central rsyslog servers so
> I will need to script something at boot time to write the proper central
> rsyslog.
>

To be honest, hope you mind the bluntness: this is both with outdated (even heavily) versions. If that's a real corporate guy's question, I'd suggest to invest into some of our professional support packages. The question looks interesting, but I am far too busy at the moment to dig into that old stuff. I also doubt it has benefit for the community at large.

Sorry for that,
Rainer

> Thanks a log,
> Xavi
>
>
> 0807.748910864:7fdaa91d4700: relp session read 88 octets, buf '2 syslog 75 <134>2013-02-27T10:26:47.734517+00:00 rsyslog rails:global/rsyslog: zumzum
>
> '
> 0807.748924923:7fdaa91d4700: relp engine is dispatching frame with command 'syslog'
> 0807.748936764:7fdaa91d4700: in 'syslog' command handler
> 0807.748960975:7fdaa91d4700: main Q: entry added, size now log 1, phys 1 entries
> 0807.748985900:7fdaa91d4700: main Q: EnqueueMsg advised worker start
> 0807.749016418:7fdaa91d4700: tcpSend returns 15
> 0807.749029893:7fdaa91d4700: in destructor: sendbuf 0x7fdaa0000b60
> 0807.749042247:7fdaa91d4700: relpSendqIsEmpty() returns 1
> 0807.749053714:7fdaa91d4700: relpSendqIsEmpty() returns 1
> 0807.749065005:7fdaa91d4700: ***<librelp> calling select, active file descriptors (max 17): 7 8 15 17
> 0807.749107166:7fdaab809700: wti 0x1a03320: worker awoke from idle processing
> 0807.749128214:7fdaab809700: we deleted 0 objects and enqueued 0 objects
> 0807.749140217:7fdaab809700: delete batch from store, new sizes: log 1, phys 1
> 0807.749157017:7fdaab809700: msg parser: flags 30, from '*127.0.0.1*', msg '<134>2013-02-27T10:26:47.734517+00:00 rsyslog rails:global/r'
> 0807.749169457:7fdaab809700: parse using parser list 0x19f8080 (the default list).
> 0807.749183208:7fdaab809700: dropped LF at very end of message (DropTrailingLF is set)
> 0807.749196104:7fdaab809700: Parser 'rsyslog.rfc5424' returned -2160
> 0807.749208600:7fdaab809700: Message will now be parsed by the legacy syslog parser (one size fits all... ;)).
> 0807.749245340:7fdaab809700: MsgSetTAG in: len 6, pszBuf: rails:
> 0807.749257196:7fdaab809700: MsgSetTAG exit: pMsg->iLenTAG 6, pMsg->TAG.szBuf: rails:
> 0807.749268854:7fdaab809700: Parser 'rsyslog.rfc3164' returned 0
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
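
Added example, not part of the thread and not rsyslog code: a Python sketch that parses the RELP frame from the quoted debug output, decodes its PRI, and evaluates the posted filter condition for the source address shown in the log and for a constructed non-loopback address (192.0.2.10). The function names are hypothetical and the facility labels for codes 12 to 15 are assumed.

```python
import re

# Facility labels by numeric code; the labels for 12-15 are assumed here.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RELP frame reconstructed from the "relp session read 88 octets" debug line.
FRAME = (b"2 syslog 75 <134>2013-02-27T10:26:47.734517+00:00 rsyslog "
         b"rails:global/rsyslog: zumzum\n\n")


def parse_relp_frame(frame):
    """Split 'TXNR SP COMMAND SP DATALEN SP DATA LF' and check DATALEN."""
    txnr, command, datalen, rest = frame.split(b" ", 3)
    data, trailer = rest[:int(datalen)], rest[int(datalen):]
    if len(data) != int(datalen) or trailer != b"\n":
        raise ValueError("DATALEN does not match the frame payload")
    return int(txnr), command.decode(), data.decode()


def decode_pri(syslog_msg):
    """Map the <PRI> prefix to (facility, severity): PRI = facility * 8 + severity."""
    m = re.match(r"<(\d{1,3})>", syslog_msg)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid PRI")
    return FACILITIES[int(m.group(1)) // 8], SEVERITIES[int(m.group(1)) % 8]


def matches_applogs_rule(fromhost_ip, facility):
    """The condition from the posted rule, expressed in Python."""
    return fromhost_ip != "127.0.0.1" and facility in ("local0", "local1", "local2")


def evaluate(frame, fromhost_ip):
    _, command, data = parse_relp_frame(frame)
    facility, severity = decode_pri(data)
    return command, facility, severity, matches_applogs_rule(fromhost_ip, facility)


if __name__ == "__main__":
    print(evaluate(FRAME, "127.0.0.1"))    # source address reported in the debug log
    print(evaluate(FRAME, "192.0.2.10"))   # constructed non-loopback address
```

For the frame in the log the facility clause matches (PRI 134 is local0.info), so the `$fromhost-ip` comparison alone decides whether the message reaches `?Dyn_AppLogs`.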

