the first thing I would suggest is to stop mixing syntax types (I may have been incorrect here in piecing the config back together from the mangling in the mail)

if  $fromhost  contains  'a8-ansi-d00'  then   {
     authpriv.*  -?SECU
     *.info;mail.none;authpriv.none;cron.none        -?MESG
     &  stop
}

note that this stop only applies if it matches the ?MESG destined files, not the SECU destined files

also note that - on the output is meaningless, all output through rsyslog is async

if  $fromhost-ip    !=     '127.0.0.1'   then  {
     :hostname,    !contains,   "a8-ansi-d00"   ~
     *.*        -?CATC
     &   stop
}

here you use an if, then you use an old style condition, then you use ~ and elsewhere you use stop, both the CATC and the stop lines are unconditional (*.* matches everything, and & in the line after that matches *.*. you can leave out the *.* and just have a line that reads ?CATC and it will be the same as your current CATC line)

re-write everything using if...then syntax and I think it will be more obvious what is going wrong

David Lang



On Thu, 28 Sep 2023, warron.french via rsyslog wrote:

I hope this is the correct list to send questions to, I have not needed
support on rsyslog in 7 years.

INFO (as the basis for my question)
I have six (6)  RHEL7 systems on a network that I need to setup logging
forwarding from five(5) *clients* over to the last (1) *server*.

I have the following ROLE {server, client}  and Hostnames to list:

SERVER:     'a8-ytb-dev001'

CLIENT:       'a8-ansi-w00'   (not a typo, compare the following two)
CLIENT:       'a8-ansi-w001'
CLIENT:       'a8-ansi-w002'
CLIENT:       'a8-ansi-d001'
CLIENT:       'a8-ansi-d002'

On all of the clients, in the /etc/rsyslog.configuration file I have added
the syntax at the bottom of the file:

*.*   @@192.168.2.225:514

On the server, in the /etc/rsyslog.conf configuration file I do have in
place the following:

module(load="imtcp")
input(type="imtcp"  port="514")

$template      CATC,"/var/log/REMOTE/%HOSTNAME%.log"
$template      SECU,"/var/log/REMOTE/%HOSTNAME%/secure"
$template      MESG,"/var/log/REMOTE/%HOSTNAME%/messages"

I also have the following below these lines...

if  $fromhost  contains  'a8-ansi-d00'  then   {
     authpriv.*  -?SECU
     *.info;mail.none;authpriv.none;cron.none        -?MESG
     &  stop
}

if  $fromhost-ip    !=     '127.0.0.1'   then  {
     :hostname,    !contains,   "a8-ansi-d00"   ~
     *.*        -?CATC
     &   stop
}

*I have two goals:*

  1. Get the hosts with hostnames  'a8-ansi-d001' and 'a8-ansi-d002' to
  log both  authpriv.* to "secure", and
  *.info;mail.none;authpriv.none;cron.none to "messages."
  2. Get all other hosts regardless of hostname string pattern to log *into
  a single file* based on the CATC template (into
  /var/log/REMOTE/%HOSTNAME%.log).


*Issues I am experiencing:*

  1. I have been able to accomplish goal#1 but with a minor issue.  The
  issue is that after every reboot of either (or both) of the
  'a8-ansi-d00*' hostname pattern I end up with a file in
  /var/log/REMOTE/a8-ansi-d001/log (for a specific example) and also into
  /var/log/REMOTE/%HOSTNAME%/secure  (and messages).  So I am getting data
  logged into both places which is not wanted.
  2. Furthermore, none of the other hosts have a
  /var/log/REMOTE/%HOSTNAME%.log generated after their namesakes, or at all.
  This is not accomplishing my goal#2.


Can I get some help, please?


--------------------------
Warron French
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
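
One way the two server-side rule blocks could look when written purely in if...then form, as the reply suggests. This is an added example, not configuration posted by either participant; it assumes the SECU, MESG and CATC templates are defined as in the original message and that $fromhost carries the short hostname, as the original first block relies on.

```rsyslog
# Added example. Assumes the $template lines for SECU, MESG and CATC from the
# original message are defined above this point, and that this block sits
# before the local (non-remote) rules in /etc/rsyslog.conf.

# Only messages that arrived over the network; local ones fall through
# to the rules further down the file.
if $fromhost-ip != '127.0.0.1' then {

    # Assumption: $fromhost holds the short hostname of the sender.
    if $fromhost contains 'a8-ansi-d00' then {
        # Goal 1: split the a8-ansi-d00* hosts into "secure" and "messages".
        if prifilt("authpriv.*") then {
            action(type="omfile" dynaFile="SECU")
        }
        if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
            action(type="omfile" dynaFile="MESG")
        }
    } else {
        # Goal 2: every other remote host gets a single per-host file.
        action(type="omfile" dynaFile="CATC")
    }

    # Remote messages end here whichever branch they took, so they never
    # reach the local rules. Unlike "& stop", this does not depend on the
    # filter of the preceding line.
    stop
}
```

Running `rsyslogd -N1` checks the resulting file for syntax errors before the service is restarted.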
