Thanks for your link, i did read it. First i the logging to a file line:
if $fromhost-ip == '192.168.1.75' then { \
action(type="omfile" file="/var/log/remotefile02") \
stop \
}
However, this isn't liked by rsyslogd, what is wrong with this?
Thanks, Reinoud.
5787.347979514:main thread: cfline: 'if $fromhost-ip == '192.168.1.75' then
{ action(type="omfile" file="/var/log/remotefile02") stop }'
5787.347995507:main thread: - general expression-based filter
5787.348006472:main thread: calling expression parser, pp 0xbf83dd8c ('if
$fromhost-ip == '192.168.1.75' then { action(type="omfile"
file="/var/log/remotefile02") stop }')
5787.348019184:main thread: skipped whitespace, stream now '$fromhost-ip ==
'192.168.1.75' then { action(type="omfile" file="/var/log/remotefile02")
stop }'
5787.348031615:main thread: ctok_token 0x97b0a60: token: 13
5787.348044536:main thread: expr 0x97b09e8: MSGVAR
5787.348057945:main thread: skipped whitespace, stream now '==
'192.168.1.75' then { action(type="omfile" file="/var/log/remotefile02")
stop }'
5787.348068282:main thread: ctok_token 0x97b0a60: token: 100
5787.348080225:main thread: expr 0x97b09e8: cmp
5787.348093145:main thread: skipped whitespace, stream now ''192.168.1.75'
then { action(type="omfile" file="/var/log/remotefile02") stop }'
5787.348104390:main thread: ctok_token 0x97b0ba8: token: 14
5787.348116123:main thread: expr 0x97b09e8: simpstr
5787.348128904:main thread: skipped whitespace, stream now 'then {
action(type="omfile" file="/var/log/remotefile02") stop }'
5787.348139031:main thread: skipped whitespace, stream now 'then {
action(type="omfile" file="/var/log/remotefile02") stop }'
5787.348150485:main thread: ctok_token 0x97b0ba8: token: 18
5787.348163965:main thread: expr 0x97b09e8: successfully parsed/created
expression
5787.348177234:main thread: vmprg 0x97b0a48: VM Program:
5787.348190993:main thread: vmop 0x97b0b50: push_msgvar fromhost-ip[cstr]
5787.348205450:main thread: vmop 0x97b0cc0: push_const 192.168.1.75[cstr]
5787.348218371:main thread: vmop 0x97b0d18: cmp_==
5787.348231361:main thread: tried selector action for builtin-file: -2001
5787.348242047:main thread: tried selector action for builtin-fwd: -2001
5787.348252104:main thread: tried selector action for builtin-shell: -2001
5787.348261812:main thread: tried selector action for builtin-discard: -2001
5787.348271799:main thread: tried selector action for builtin-usrmsg: -2001
5787.348281368:main thread: config line NOT successfully processed
5787.348291634:main thread: Called LogError, msg: the last error occured in
/etc/rsyslog.conf, line 35
On Fri, Apr 26, 2013 at 6:33 AM, Rainer Gerhards
<[email protected]>wrote:
> On Thu, 2013-04-25 at 16:56 -0700, Reinoud Koornstra wrote:
> > Hi Everyone,
> >
> > I've been trying to get everything from some host to a their hostfile.
> > In the rsyslog.conf i have this:
> >
> > $template PerHostLog,"/var/log/remote-hosts/%HOSTNAME%.log"
> > if $fromhost-ip startswith '192.168.1.' then -?PerHostLog
> >
> > However, i still get messages from 192.168.1.75 for example in
> > /var/log/syslog or in /var/log/debug instead of /var/log/remote-hosts/
> > 192.168.1.75 for example.
> > Hence, log messages from 192.168.1.75 are scattered in several log file.
> > I want all messages from that host to that specific file and the current
> > template isn't cutting it obviously.
> > The same holds for other hosts on that subnet.
> >
> > What am I doing wrong in my template?
> > How to make everything from 192.168.1.75 goes to one file?
> You are probably interested in this part of the doc (read at least the
> part on split logfiles):
> http://www.rsyslog.com/doc/multi_ruleset.html
> Rainer
> > Thanks,
> >
> > Reinoud.
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
