If you want to use multiple instructions, you may want to use this syntax:
if $fromhost-ip == '10.XX.X' then {
action(type="omfile" file="/opt/apps/syslog/fw1-admin.log")
stop
}
There's an example there in the doc:
https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html
Maybe that one might work as well, but I haven't tested yet.
if $fromhost-ip == '10.XX.X' then {
/opt/apps/syslog/fw1-admin.log
stop
}
Flo
On Thu, May 3, 2018 at 6:48 PM, Haary rock <[email protected]> wrote:
> Flo,
>
> I tried that then I started getting this error while I restart the service
>
>
> May 03 12:40:11 Hostname rsyslogd[30213]: invalid character in selector
> line - ';template' expected [v8.24.0]
>
> May 03 12:40:11 Hostname rsyslogd[30213]: error during parsing file
> /etc/rsyslog.d/remotelog.conf, on or before line 54: errors occured in file
> '/etc/rsyslog.d/remotelog.conf' around line 54 [v8.24.0 try
> http://www.rsyslog.com/e/2207 ]
>
> May 03 12:40:11 Hostname rsyslogd[30213]: invalid character in selector
> line - ';template' expected [v8.24.0]
>
> May 03 12:40:11 Hostname rsyslogd[30213]: error during parsing file
> /etc/rsyslog.d/remotelog.conf, on or before line 55: errors occured in file
> '/etc/rsyslog.d/remotelog.conf' around line 55 [v8.24.0 try
> http://www.rsyslog.com/e/2207 ]
>
> This is what I added in the .conf file
>
> if $fromhost-ip == '10.XX.X' then /opt/apps/syslog/fw1-admin.log. stop
> if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw1-comm-core.log stop
> if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw1-comm-dist.log stop
> if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw2-admin.log stop
> if $fromhost-ip == '10.X.X.X' then /opt/apps/syslog/fw2-comm-core.log stop
>
> but as soon as I remove the stop its started the service without the error
> ... may be I am syntax is not correct ..?
>
> Thanks in advance for any help ,really appreciated
>
> Regards
> Haary
>
> On Thursday, May 3, 2018, 12:25:29 PM EDT, Haary rock via rsyslog <
> [email protected]> wrote:
>
>
> Thanks I will try that for each entries ...
> RegardsHarry..
> On Thursday, May 3, 2018, 10:36:07 AM EDT, Flo Rance <
> [email protected]> wrote:
>
> You should give a condition, otherwise it will stop processing for all
> messages.
>
> E.g. if $fromhost-ip contains '10..x.x.x' then stop
>
> On Thu, May 3, 2018 at 3:55 PM, Haary rock via rsyslog <
> [email protected]> wrote:
>
> Sorry I am reposting since it got mangled the texts ..
>
> the problem is if I use the &~ at the end of the line .. its doesn't stop
> sending the logs to /var/log/messages ..
>
> but if I use the "stop" at the end of the file .. its stops sending
> messages to /var/log/messages completely .
>
> &~ used to work on previous version of syslog ..but its not working on
> the rsyslogd 8.24.0 (RHEL 7.0)
> I have my .conf file here
>
> #This will allow this server to log the remotely forwarded logs
>
> $FileCreateMode 0664
>
> $fileOwner xxxx
>
> $FileGroup xxx
>
> $dirOwner xxxx
>
> #
>
> $template FilenameTemplateOne,"/opt/ apps/syslog/%HOSTNAME%.log"
>
> if $fromhost-ip startswith '192.168.' then -?FilenameTemplateOne
>
> #
>
> $template FilenameTemplateOne,"/opt/ apps/syslog/%HOSTNAME%.log"
>
> if $fromhost-ip startswith '209.95.224.' then -?FilenameTemplateOne
>
> #
>
> if $fromhost-ip == '10.x.x.x’ then /opt/apps/syslog/Fw1.log
>
> if $fromhost-ip == '10..x.x.x’ then /opt/apps/syslog/fw2.log
>
> if $fromhost-ip == '10..x.x.x’ then /opt/apps/syslog/mainsw1.log
>
> if $fromhost-ip == '10..x.x.x’' then /opt/apps/syslog/secswitch.log
>
> stop
>
> &~ used to work on previous version of syslog ..but its not working on the
> rsyslogd 8.24.0 (RHEL 7.0)
>
> it gives the warning when I restart the syslog
> rsyslogd[25517]: warning: ~ action is deprecated, consider using the
> 'stop' statement instead
>
> Any help would be greatly appreciated
> ThanksHaary. On Wednesday, May 2, 2018, 5:24:14 PM EDT, David Lang <
> [email protected]> wrote:
>
> On Wed, 2 May 2018, Haary rock via rsyslog wrote:
>
> > #This will allow this server to log the remotely forwarded
> logs$FileCreateMode 0664$fileOwner netman$FileGroup cscworks$dirOwner
> netman#$template FilenameTemplateOne,"/opt/ apps/syslog/%HOSTNAME%.log"if
> $fromhost-ip startswith '192.x.' then -?FilenameTemplateOne#$ template
> FilenameTemplateOne,"/opt/ apps/syslog/%HOSTNAME%.log"if $fromhost-ip
> startswith 'x.x.x..' then -?FilenameTemplateOne#if $fromhost-ip ==
> '10.x.x.1' then /opt/apps/syslog/Firewall1- admin.logif $fromhost-ip ==
> '10.x.x.x' then /opt/apps/syslog/firewall- core.logif $fromhost-ip ==
> '10.x.x.x' then /opt/apps/syslog/switch1.logif $fromhost-ip == '10.x.x.x'
> then /opt/apps/syslog/switch2- admin.log
> > there are few more similar entries from all the Ip's I wanted to create
> the logs ..
> > the problem is if I use the &~ at the end of the line .. its doesn't
> stop sending the logs to /var/log/messages ..
> > but if I use the "stop" at the end of the file .. its stops sending
> messages to /var/log/messages completely .
> > &~ used to work on previous version of syslog ..but its not working on
> the rsyslogd 8.24.0 (RHEL 7.0)
>
> please retry your post, as you can see, it mangled the files you were
> posting
>
> ______________________________ _________________
> rsyslog mailing list
> http://lists.adiscon.net/ mailman/listinfo/rsyslog
> http://www.rsyslog.com/ professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
