Hi, just wanted to say that using HOSTNAME as I asked in my Q2 actually works.
Regards, Xavi On 27 February 2013 12:09, Rainer Gerhards <[email protected]> wrote: > On Wed, 2013-02-27 at 12:05 +0100, Xavier Fustero wrote: > > Hi, > > > > I have an rsyslog 4.2 in production mixing clients from the same network > > and clients from external network. Both are using rsyslog with stunnel > but > > we encrypt the traffic using stunnel for the guys in the external > network. > > In the central rsyslog server I have the following condition: > > > > if \ > > $fromhost-ip != '127.0.0.1' \ > > and \ > > (\ > > $syslogfacility-text == 'local0' \ > > or \ > > $syslogfacility-text == 'local1' \ > > or \ > > $syslogfacility-text == 'local2' \ > > )\ > > then ?Dyn_AppLogs > > & ~ > > > > This seems to be working fine. The messages coming from stunnel clients > > using local0,1 or 2, are sent to this Dyn_AppLogs template and nothing > from > > localhost is filtered here. > > > > However, I am testing the rsyslog in the Ubuntu 12.04 distribution (5.8) > > and the same rule doesn't work. Everything coming from stunnel client is > > not filtered anymore to this template. Apparently it comes from > localhost. > > This I could understand but what puzzle me is that it is behaves > different > > in 4.2. > > > > I tested the 5.8 sending the following log: > > > > logger -p local0.info -t rails "zumzum" > > > > and below I output some debug lines to show it comes from 127.0.0.1. > > > > Here my two related questions: > > * > > Q1*. Is there an explanation why it works on rsyslog4.2? > > *Q2*. Should I replace fromhost-ip to hostname to make it work on 5.8? > > Something like if $hostname != $mycentral_rsyslog_server > > This is a bit paint as I am using several central rsyslog servers > so > > I will need to script something at boot time to write the proper central > > rsyslog. > > > > To be honest, hope you mind the bluntness: this is both with outdated > (even heavily) versions. If that's a real corporate guy's question, I'd > suggest to invest into some of our professional support packages. The > question looks interesting, but I am far to busy at the moment to dig > into that old stuff. I also doubt it has benefit for the community at > large. > > Sorry for that, > Rainer > > Thanks a log, > > Xavi > > > > > > 0807.748910864:7fdaa91d4700: relp session read 88 octets, buf '2 syslog > 75 > > <134>2013-02-27T10:26:47.734517+00:00 rsyslog rails:global/rsyslog: > zumzum > > > > ' > > 0807.748924923:7fdaa91d4700: relp engine is dispatching frame with > command > > 'syslog' > > 0807.748936764:7fdaa91d4700: in 'syslog' command handler > > 0807.748960975:7fdaa91d4700: main Q: entry added, size now log 1, phys 1 > > entries > > 0807.748985900:7fdaa91d4700: main Q: EnqueueMsg advised worker start > > 0807.749016418:7fdaa91d4700: tcpSend returns 15 > > 0807.749029893:7fdaa91d4700: in destructor: sendbuf 0x7fdaa0000b60 > > 0807.749042247:7fdaa91d4700: relpSendqIsEmpty() returns 1 > > 0807.749053714:7fdaa91d4700: relpSendqIsEmpty() returns 1 > > 0807.749065005:7fdaa91d4700: ***<librelp> calling select, active file > > descriptors (max 17): 7 8 15 17 > > 0807.749107166:7fdaab809700: wti 0x1a03320: worker awoke from idle > > processing > > 0807.749128214:7fdaab809700: we deleted 0 objects and enqueued 0 objects > > 0807.749140217:7fdaab809700: delete batch from store, new sizes: log 1, > > phys 1 > > 0807.749157017:7fdaab809700: msg parser: flags 30, from '*127.0.0.1*', > msg > > '<134>2013-02-27T10:26:47.734517+00:00 rsyslog rails:global/r' > > 0807.749169457:7fdaab809700: parse using parser list 0x19f8080 (the > default > > list). > > 0807.749183208:7fdaab809700: dropped LF at very end of message > > (DropTrailingLF is set) > > 0807.749196104:7fdaab809700: Parser 'rsyslog.rfc5424' returned -2160 > > 0807.749208600:7fdaab809700: Message will now be parsed by the legacy > > syslog parser (one size fits all... ;)). > > 0807.749245340:7fdaab809700: MsgSetTAG in: len 6, pszBuf: rails: > > 0807.749257196:7fdaab809700: MsgSetTAG exit: pMsg->iLenTAG 6, > > pMsg->TAG.szBuf: rails: > > 0807.749268854:7fdaab809700: Parser 'rsyslog.rfc3164' returned 0 > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
