Yes, it is. And that wouldn't be a problem if property based filter would work fine.
I tried to filter messages with FROMHOST empty and use HOSTNAME instead. It worked for localhost generated messages, but didn't work for messages coming from other hosts on the network. Here's a sample:

$template messages-per-host1,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages"
$template messages-per-host2,"/var/log/hosts/%FROMHOST%/messages"
$template messages-per-host3,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%-%$DAY%/messages"
$template messages-per-host4,"/var/log/hosts/%HOSTNAME%/messages"
$template MyTemplateName,"TheHost:d%FROMHOST%d %syslogseverity% TheMsg: %msg%\n"

# first we check if FROMHOST is empty . if it is empty .. we use HOSTNAME
:FROMHOST, isequal, ""
*.info;mail.none;authpriv.none;cron.none ?messages-per-host4;MyTemplateName
*.info;mail.none;authpriv.none;cron.none ?messages-per-host3;MyTemplateName

# we drop the messages with FROMHOST empty, and we log everything else based on FROMHOST .
:FROMHOST, isequal, "" ~
*.info;mail.none;authpriv.none;cron.none ?messages-per-host1;MyTemplateName
*.info;mail.none;authpriv.none;cron.none ?messages-per-host2;MyTemplateName

Now you may ask why I didn't use HOSTNAME and only HOSTNAME after all? Well.. it looks like there are several messages that don't contain the HOSTNAME field and this breaks everything. I'm not sure these are all bugs. They may be some result of some human error of some kind (my error).

Waiting for your confirmation of the above,
Radu Gheorghiu

Rainer Gerhards wrote:
> Ah, ok, so the problem actually is that fromhost is empty...
>
> ----- Original Message -----
> From: "Radu Gheorghiu" <[EMAIL PROTECTED]>
> To: "rsyslog-users" <[email protected]>
> Sent: 22.03.08 13:21
> Subject: Re: [rsyslog] Property-Based Filters
>
> Hi,
>
> Well as is said I needed a central log solution.
> So I did this:
>
> $template messages-per-host1,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages"
> $template messages-per-host2,"/var/log/hosts/%FROMHOST%/messages"
>
> and for testing purposes (and debug):
>
> $template MyTemplateName,"TheHost:d%FROMHOST%d %syslogseverity% TheMsg: %msg%\n"
>
> And here is the rest:
> *.info;mail.none;authpriv.none;cron.none ?messages-per-host1;MyTemplateName
> *.info;mail.none;authpriv.none;cron.none ?messages-per-host2;MyTemplateName
>
> I look in /var/log/hosts:
> 2008 clog-he-de messages
> clog-he-de is the localhost ..
> and 2008 + messages is created because FROMHOST is empty.
> proof:
>
> cat messages
> TheHost:dd 6 TheMsg: [origin software="rsyslogd" swVersion="2.0.3" x-pid="12215" x-info="http://www.rsyslog.com"][x-configInfo udpReception="Yes" udpPort="514" tcpReception="No" tcpPort="0"] restart
>
> note the "dd" after "TheHost:" . I put it there to be sure there's
> nothing between the two "d".
>
> Thanks,
> Radu Gheorghiu
>
> Rainer Gerhards wrote:
>
>>> Hi,
>>> I'm using stable. I'm trying to create some central log machine.
>>> I made some tests .. and it seems that when I start rsyslog on the
>>> central logging machine, it creates some messages regarding rsyslog
>>> version, for those messages FROMHOST is empty.
>>>
>> That *is* a bug. FROMHOST should not be empty. And now that I know it
>> probably won't be empty in the future ;)
>>
>>> If you want I can provide
>>> you with full rsyslog.conf. Please test and reply.
>>>
>> So you want to filter out the rsyslog startup and shutdown messages?
>> Please provide me a few samples of what the messages look like in your log
>> files.
>>
>> Thanks,
>> Rainer
>>
>>> Thanks,
>>> Radu Gheorghiu
>>>
>>> Rainer Gerhards wrote:
>>>
>>>> Hi Radu,
>>>>
>>>> I will look into the issue, smells like a bug. But FROMHOST can never be
>>>> empty... Is it just a sample?
>>>> If so, which property you are looking at
>>>> (I wonder what may be empty, thus the question...).
>>>>
>>>> Rainer
>>>>
>>>>> -----Original Message-----
>>>>> From: [EMAIL PROTECTED] [mailto:rsyslog-[EMAIL PROTECTED] On Behalf Of Radu Gheorghiu
>>>>> Sent: Saturday, March 22, 2008 6:47 AM
>>>>> To: [email protected]
>>>>> Subject: [rsyslog] Property-Based Filters
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm having trouble setting up some properties-based filters. I want to
>>>>> see if some property is equal to "" (empty).
>>>>> I'm doing this:
>>>>> :FROMHOST, isequal, ""
>>>>> *.info;mail.none;authpriv.none;cron.none ?messages-per-host4
>>>>>
>>>>> But it still matches everything it should not. Am I doing something
>>>>> wrong?
>>>>>
>>>>> Thanks,
>>>>> Radu
>>>>> _______________________________________________
>>>>> rsyslog mailing list
>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
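
The routing this message is after (one file per FROMHOST, falling back to HOSTNAME when FROMHOST is empty), written in rsyslog's later RainerScript syntax, which postdates the 2.0.3 release used in the thread. This is an added example, not configuration from the thread or from the rsyslog project; the template names and the catch-all file path are assumptions.

```rsyslog
# Added example, not from the thread. Template names and the catch-all
# path below are hypothetical.
#
# fromhost: name of the system the message was received from.
# hostname: name taken from the message text, so it is sender-supplied.
# secpath-replace swaps any "/" in the value for "_" before it becomes
# part of a file path.
template(name="PerHostByFromhost" type="string"
         string="/var/log/hosts/%fromhost:::secpath-replace%/messages")
template(name="PerHostByHostname" type="string"
         string="/var/log/hosts/%hostname:::secpath-replace%/messages")

# The debug line format used in the thread: anything between the two "d"
# characters is the value of fromhost.
template(name="DebugLine" type="string"
         string="TheHost:d%fromhost%d %syslogseverity% TheMsg: %msg%\n")

# Same priority selection as the thread's selector lines.
if prifilt("*.info;mail.none;authpriv.none;cron.none") then {
    if $fromhost != "" then {
        # Normal case: file per receiving-side host name.
        action(type="omfile" dynaFile="PerHostByFromhost" template="DebugLine")
    } else if $hostname != "" then {
        # fromhost empty: fall back to the name carried in the message.
        action(type="omfile" dynaFile="PerHostByHostname" template="DebugLine")
    } else {
        # Both empty: keep the message in one fixed file instead of
        # building a path with an empty directory component.
        action(type="omfile" file="/var/log/unattributed.log" template="DebugLine")
    }
}
```

Each message takes exactly one branch, so no discard rule is needed to keep empty-FROMHOST messages out of the FROMHOST files.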

