Actually I am trying to collect logs from two IP addresses: 172.20.54.211, 172.20.54.212

I checked with a comma (,) between the two IP addresses, but it did not work.

As you said, for my understanding I need to follow these steps:

1. Remove the dynamic template lines from the file and add the following lines:

   *.* /var/log/172.20.54.212/syslog
   *.* /var/log/172.20.54.211/syslog

2. Put the following lines before the above-mentioned lines:

   :msg, startswith, 'DHCPINFORM' ~
   :msg, startswith, 'DHCPDISCOVER' ~
   :msg, startswith, 'DHCPREQUESTS' ~

3. Then check out the result.

The line I observed while starting syslog:

Sep 3 12:53:24 logserver rsyslogd-2039: Could no open output pipe '/dev/xconsole': No such file or directory [try http://www.rsyslog.com/e/2039 ]

Please correct me if I am wrong!

Thanks!

--
Cheers,
mayur

On Tue, Sep 3, 2013 at 12:28 PM, David Lang <[email protected]> wrote:

> Yes, if you tell rsyslog to use a template that you have not defined, you
> will basically make the rest of the configuration past that point be ignored
>
> I believe that on line 37 there should be a comma between mytemplate and
> the quote
>
> $template mytemplate,"/var/log/172.20.54.212/syslog"
>
> although, I'll point out there is nothing variable in that template.
>
> you probably want to replace the IP address with %fromhost-ip%
>
> if you really do want to have it be a single file, don't use the dynafile
> template mechanism, just specify the filename
>
> *.* /var/log/172.20.54.212/syslog
>
> you also need to put the filters to discard the messages that you don't
> want to see before the lines that write those messages out.
>
> David Lang
>
> On Tue, 3 Sep 2013, Mayur Patil wrote:
>
>> Thanks sir for the reply.
>>
>> This is my server config file: http://pastebin.com/C1SDt08y
>>
>> The message I remember is that it does not find mytemplate
>> that I mentioned on line 30.
>>
>> I set up rsyslog using this blog:
>> http://www.thegeekstuff.com/2012/01/rsyslog-remote-logging/
>>
>> Please guide,
>>
>> Thanks !!
>>
>> On Tue, Sep 3, 2013 at 11:57 AM, David Lang <[email protected]> wrote:
>>
>>> It's really hard to diagnose your problem without you posting your
>>> config.
>>>
>>> did you check to see if there are any error messages at startup that
>>> could indicate that you have a typo in the config?
>>>
>>> David Lang
>>>
>>> On Tue, 3 Sep 2013, Mayur Patil wrote:
>>>
>>>> Hi,
>>>>
>>>> I have done the config as you said, but when I create a filter to stop
>>>> receiving any one of the dhcp messages, i.e. dhcpdiscover, dhcprequest etc.,
>>>> it stops logging all components' logs; the thing to wonder is that I am
>>>> using Static mode of networking, then why am I facing such problems?
>>>>
>>>> Need guidance.
>>>>
>>>> Thanks !
>>>>
>>>> --
>>>> Cheers,
>>>> Mayur
>>>>
>>>> On Mon, Sep 2, 2013 at 6:08 PM, Mayur Patil <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks David and Radu sir.
>>>>>
>>>>> I will try this and report ASAP.
>>>>>
>>>>> Thanks for the help !!
>>>>>
>>>>> On Mon, Sep 2, 2013 at 5:26 PM, Radu Gheorghe <[email protected]> wrote:
>>>>>
>>>>>> Just a quick addition: if the config options that David gave don't
>>>>>> work, try preceding the message with a space, like:
>>>>>>
>>>>>> :msg, startswith, ' DHCPINFORM' ~
>>>>>>
>>>>>> More information about this behavior can be found here:
>>>>>> http://www.rsyslog.com/log-normalization-and-the-leading-space/
>>>>>>
>>>>>> Best regards,
>>>>>> Radu
>>>>>>
>>>>>> 2013/9/2 David Lang <[email protected]>
>>>>>>
>>>>>>> what version are you running?
>>>>>>>
>>>>>>> are there any dhcp logs that you care about?
>>>>>>>
>>>>>>> :msg, startswith, 'DHCPINFORM' ~
>>>>>>> :msg, startswith, 'DHCPDISCOVER' ~
>>>>>>> :msg, startswith, 'DHCPREQUEST' ~
>>>>>>>
>>>>>>> this will eliminate all the dhcp messages you list. I also _strongly_
>>>>>>> recommend disabling the repeated message option (you need to do that
>>>>>>> on the sending machine as well) to eliminate the 'last message
>>>>>>> repeated' lines, which are pretty worthless
>>>>>>>
>>>>>>> I'll take a look at your attachment later today if I can.
>>>>>>>
>>>>>>> David Lang
>>>>>>>
>>>>>>> On Mon, 2 Sep 2013, Mayur Patil wrote:
>>>>>>>
>>>>>>>> Date: Mon, 2 Sep 2013 12:56:26 +0530
>>>>>>>> From: Mayur Patil <[email protected]>
>>>>>>>> To: rsyslog-users <[email protected]>, David Lang <[email protected]>
>>>>>>>> Subject: Re: [rsyslog] [rsyslog-user] how to Stop logging dhcp messages & firewall disturbance
>>>>>>>>
>>>>>>>> Hello David sir,
>>>>>>>>
>>>>>>>> Thanks for the help and sorry for late reply.
>>>>>>>>
>>>>>>>> Please have a look at the logs that I want to avoid
>>>>>>>>
>>>>>>>> Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
>>>>>>>> Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
>>>>>>>> Sep 2 12:39:26 clc dhcpd: DHCPINFORM from 10.1.55.55 via eth0: unknown subnet for client address 10.1.55.55
>>>>>>>> Sep 2 12:39:26 clc dhcpd: last message repeated 3 times
>>>>>>>> Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
>>>>>>>> Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
>>>>>>>> Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
>>>>>>>> Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
>>>>>>>> Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
>>>>>>>> Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
>>>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>>>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>>>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
>>>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
>>>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
>>>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
>>>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
>>>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
>>>>>>>>
>>>>>>>> The pattern I observe is each message repeated two times.
>>>>>>>>
>>>>>>>> This is my rSyslog SERVER conf file http://fpaste.org/36428/
>>>>>>>>
>>>>>>>> I am using the firewall GUI on the rSyslog server.
>>>>>>>>
>>>>>>>> For incoming traffic policy,
>>>>>>>>
>>>>>>>> I have allowed the firewall ports as per the screenshot; please
>>>>>>>> find attachment.
>>>>>>>>
>>>>>>>> Seeking for guidance,
>>>>>>>>
>>>>>>>> Thanks !!
>>>>>>>>
>>>>>>>> --
>>>>>>>> Cheers,
>>>>>>>> Mayur
>>>>>>>>
>>>>>>>> On Fri, Aug 30, 2013 at 6:42 PM, David Lang <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> the best way is to put a filter on your central server that detects
>>>>>>>>> these messages that you don't care about and discards them (the 'stop'
>>>>>>>>> action on 7.x or the '~' action on earlier versions)
>>>>>>>>>
>>>>>>>>> if you post a sample of the logs that you don't care about, we may
>>>>>>>>> be able to help you craft the filters.
>>>>>>>>>
>>>>>>>>> as for your firewall problem, we would have to see what rules you
>>>>>>>>> are putting in your firewall, and how you are forwarding the messages.
>>>>>>>>> If you are using @ for your forwarding, you need to allow UDP 514 on
>>>>>>>>> your server, but once you do that it will work.
>>>>>>>>>
>>>>>>>>> David Lang
>>>>>>>>>
>>>>>>>>> On Fri, 30 Aug 2013, Mayur Patil wrote:
>>>>>>>>>
>>>>>>>>>> Hello All,
>>>>>>>>>>
>>>>>>>>>> [1] I have configured my three machines for rsyslog exportation
>>>>>>>>>> to remote server. My syslog file size has crossed over 150 MB,
>>>>>>>>>> which consists of useless dhcpd requests. I want to know, is there
>>>>>>>>>> any reliable way to stop dhcp logging? I googled but have not
>>>>>>>>>> found a satisfactory solution.
>>>>>>>>>>
>>>>>>>>>> [2] I am unable to export logs on rSyslog server if I enable
>>>>>>>>>> firewall. Though I allow syslog and required services port to
>>>>>>>>>> allowed inbound traffic policy, I am unable to get logs on server.
>>>>>>>>>> This could be possible iff I disable the firewall. What is going
>>>>>>>>>> wrong??
>>>>>>>>>>
>>>>>>>>>> Seeking for guidance,
>>>>>>>>>>
>>>>>>>>>> Thanks !

--
Yours Sincerely,
Mayur S. Patil,
ME COMP ENGG, MITCOE, Pune.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
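
The points raised across the thread (discard filters placed before the write actions, the optional leading space in `msg`, a comma in the `$template` line, and `%fromhost-ip%` in place of a hard-coded address) combined into one central-server fragment. This is an added example, not any poster's message or actual config file; the template name `PerHostFile` and the UDP listener lines are assumptions, and filter values use the double quotes that rsyslog's documented property-filter syntax specifies.

```conf
# Central-server fragment in legacy rsyslog syntax (constructed example).

# Listener for senders that forward with a single "@" (UDP 514, which
# must also be allowed inbound on the server's firewall).
$ModLoad imudp
$UDPServerRun 514

# Do not collapse duplicates into "last message repeated N times".
# Set this on the sending machines as well.
$RepeatedMsgReduction off

# Dynamic file name. The comma between the template name and the opening
# quote is required. A template that is referenced but never defined makes
# rsyslog ignore the configuration past that point.
# PerHostFile is a hypothetical name chosen for this example.
$template PerHostFile,"/var/log/%fromhost-ip%/syslog"

# 1. Discard filters go BEFORE any action that writes the messages.
#    Both spellings are listed because msg often begins with the space
#    that follows "dhcpd:" in the raw line.
#    On 7.x, replace "~" with "stop".
:msg, startswith, "DHCPINFORM" ~
:msg, startswith, " DHCPINFORM" ~
:msg, startswith, "DHCPDISCOVER" ~
:msg, startswith, " DHCPDISCOVER" ~
:msg, startswith, "DHCPREQUEST" ~
:msg, startswith, " DHCPREQUEST" ~

# 2. Write what is left, one directory per sender. A comma-separated list
#    of addresses is not a valid filter value, so each of the two hosts
#    gets its own rule; the template expands to
#    /var/log/172.20.54.211/syslog and /var/log/172.20.54.212/syslog.
:fromhost-ip, isequal, "172.20.54.211" ?PerHostFile
:fromhost-ip, isequal, "172.20.54.212" ?PerHostFile
```

Running `rsyslogd -N1` before restarting checks the file for syntax errors, which catches an undefined template or a missing comma before it silently disables the rules that follow.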

