Yes, if you tell rsyslog to use a template that you have not defined, you will
basically make the rest of the configuration past that point be ignored
I believe that on line 37 there should be a comma between mytemplate and the
quote
$template mytemplate,"/var/log/172.20.54.212/syslog"
although, I'll point out there is nothing variable in that template.
you probably want to replace the IP address with %fromhost-ip%
if you really do want to have it be a single file, don't use the dynafile template
mechanism, just specify the filename
*.* /var/log/172.20.54.212/syslog
you also need to put the filters to discard the messages that you don't want to
see before the lines that write those messages out.
David Lang
On Tue, 3 Sep 2013, Mayur Patil wrote:
Thanx sir for reply.
This is my server config file http://pastebin.com/C1SDt08y
The message I remember is that it does not find mytemplate
that I mentioned on line 30.
I setup rsyslog using this blog
http://www.thegeekstuff.com/2012/01/rsyslog-remote-logging/
Please guide,
Thanks !!
On Tue, Sep 3, 2013 at 11:57 AM, David Lang <[email protected]> wrote:
It's really hard to diagnose your problem without you posting your config.
did you check to see if there are any error messages at startup that could
indicate that you have a typo in the config?
David Lang
On Tue, 3 Sep 2013, Mayur Patil wrote:
Hi,
I have done the config as you said, but when I create a filter to stop
receiving any one of the dhcp messages, i.e. dhcpdiscover, dhcprequest etc.,
it stops logging all components' logs; the thing to wonder is that I am using
Static mode of networking, then why am I facing such problems?
Need guidance.
Thanks !
--
Cheers,
Mayur
On Mon, Sep 2, 2013 at 6:08 PM, Mayur Patil <[email protected]> wrote:
Hi,
Thanks David and Radu sir.
I will try this and report ASAP.
Thanks for the help !!
On Mon, Sep 2, 2013 at 5:26 PM, Radu Gheorghe <[email protected]> wrote:
Just a quick addition: if the config options that David gave don't work,
try preceding the message with a space, like:
:msg, startswith, ' DHCPINFORM' ~
More information about this behavior can be found here:
http://www.rsyslog.com/log-normalization-and-the-leading-space/
Best regards,
Radu
2013/9/2 David Lang <[email protected]>
what version are you running?
are there any dhcp logs that you care about?
:msg, startswith, 'DHCPINFORM' ~
:msg, startswith, 'DHCPDISCOVER' ~
:msg, startswith, 'DHCPREQUEST' ~
this will eliminate all the dhcp messages you list. I also _strongly_
recommend disabling the repeated message option (you need to do that on the
sending machine as well) to eliminate the 'last message repeated' lines,
which are pretty worthless
I'll take a look at your attachment later today if I can.
David Lang
On Mon, 2 Sep 2013, Mayur Patil wrote:
Date: Mon, 2 Sep 2013 12:56:26 +0530
From: Mayur Patil <[email protected]>
To: rsyslog-users <[email protected]>, David Lang <[email protected]>
Subject: Re: [rsyslog] [rsyslog-user] how to Stop logging dhcp messages & firewall disturbance
Hello David sir,
Thanks for the help and sorry for late reply.
Please have a look at the logs that I want to avoid
Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
Sep 2 12:39:26 clc dhcpd: DHCPINFORM from 10.1.55.55 via eth0: unknown subnet for client address 10.1.55.55
Sep 2 12:39:26 clc dhcpd: last message repeated 3 times
Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
The pattern I observe is each message repeated two times.
This is my rSyslog SERVER conf file http://fpaste.org/36428/
I am using the firewall GUI on the rSyslog server.
For incoming traffic policy,
I have allowed the firewall ports as per the screenshot; please find
attachment.
Seeking for guidance,
Thanks !!
--
Cheers,
Mayur
On Fri, Aug 30, 2013 at 6:42 PM, David Lang <[email protected]> wrote:
the best way is to put a filter on your central server that detects these
messages that you don't care about and discards them (the 'stop' action on
7.x or the '~' action on earlier versions)
if you post a sample of the logs that you don't care about, we may be able
to help you craft the filters.
as for your firewall problem, we would have to see what rules you are
putting in your firewall, and how you are forwarding the messages. If you
are using @ for your forwarding, you need to allow UDP 514 on your server,
but once you do that it will work.
David Lang
On Fri, 30 Aug 2013, Mayur Patil wrote:
Hello All,
[1] I have configured my three machines for rsyslog exportation to remote
server. My syslog file size has crossed over 150 MB which consists of
useless dhcpd requests. I want to know is there any reliable way to
stop dhcp logging ? I googled but not found satisfactory solution.
[2] I am unable to export logs on rSyslog server if I enable firewall.
Though I allow syslog and required services port to allowed inbound
traffic policy I am unable to get logs on server. This could be possible
iff I disable the firewall. What is going wrong??
Seeking for guidance,
Thanks !
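
Added example (not part of the thread and not rsyslog code): a small Python model of two points raised in the replies, that discard filters only help when they come before the rule that writes the file, and that `msg` can begin with a space as described in the article Radu links. The rule model, the output path and the sshd sample line are assumptions made for illustration.

```python
# Simplified model of rsyslog legacy rule processing (illustration, not rsyslog code).
import re

# First two lines are taken from the thread; the sshd line is constructed.
SAMPLE = [
    "Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58",
    "Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases",
    "Sep 2 12:40:01 clc sshd[811]: Accepted publickey for admin from 10.1.53.9",
]

HEADER = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^:\s]+:)(.*)$")

def parse(line):
    """Split an RFC 3164 style line; msg keeps the space that follows 'tag:'."""
    ts, host, tag, msg = HEADER.match(line).groups()
    return {"timestamp": ts, "hostname": host, "syslogtag": tag, "msg": msg}

def run_rules(rules, lines):
    """Apply rules top to bottom. A rule is (prefix or None, action).
    prefix None models '*.*'; action '~' discards, anything else is a file path."""
    files = {}
    for line in lines:
        rec = parse(line)
        for prefix, action in rules:
            if prefix is not None and not rec["msg"].startswith(prefix):
                continue
            if action == "~":
                break  # discard: no later rule sees this message
            files.setdefault(action, []).append(line)
    return files

OUT = "/var/log/remote/syslog"  # hypothetical destination file
DHCP = ["DHCPINFORM", "DHCPDISCOVER", "DHCPREQUEST"]

# 1) discard rules after the write rule: every line is already written
late = run_rules([(None, OUT)] + [(p, "~") for p in DHCP], SAMPLE)
# 2) discard rules first, no leading space: the prefix never matches msg
no_space = run_rules([(p, "~") for p in DHCP] + [(None, OUT)], SAMPLE)
# 3) discard rules first, with leading space: only the sshd line is written
fixed = run_rules([(" " + p, "~") for p in DHCP] + [(None, OUT)], SAMPLE)

if __name__ == "__main__":
    for name, res in (("late", late), ("no_space", no_space), ("fixed", fixed)):
        print(name, len(res.get(OUT, [])))
```
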