Ahh... That sample is most helpful. I think there is also a misunderstanding. I couldn't run a lab yet and will probably not before after Easter, but (read inline below) ...

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:rsyslog-[EMAIL PROTECTED] On Behalf Of Radu Gheorghiu
> Sent: Saturday, March 22, 2008 1:55 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Property-Based Filters
>
> Yes, it is.
> And that wouldn't be a problem if property based filter would work fine.
>
> I tried to filter messages with FROMHOST empty and use HOSTNAME instead.
> It worked for localhost generated messages, but didn't work for messages
> coming from other host on the network. Here's a sample:
>
> $template messages-per-host1,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages"
> $template messages-per-host2,"/var/log/hosts/%FROMHOST%/messages"
> $template messages-per-host3,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%-%$DAY%/messages"
> $template messages-per-host4,"/var/log/hosts/%HOSTNAME%/messages"
> $template MyTemplateName,"TheHost:d%FROMHOST%d %syslogseverity% TheMsg: %msg%\n"
>
> # first we check if FROMHOST is empty . if it is empty .. we use HOSTNAME
> :FROMHOST, isequal, ""

Property based filters are just regular filters. So you need to specify
what shall happen when the filter matches. In the above line, there is no
action (sorry, looks like I overlooked that in the first message you
sent). So to discard these messages, you'd need to do:

:FROMHOST, isequal, "" ~

Filters (in v2) do NOT combine, except for the BSD-style filters. This is
a feature of v3.

> *.info;mail.none;authpriv.none;cron.none ?messages-per-host4;MyTemplateName
> *.info;mail.none;authpriv.none;cron.none ?messages-per-host3;MyTemplateName
> # we drop the messages with FROMHOST empty, and we log everything else based on FROMHOST .
> :FROMHOST, isequal, "" ~

That, of course, should work...

> *.info;mail.none;authpriv.none;cron.none ?messages-per-host1;MyTemplateName
> *.info;mail.none;authpriv.none;cron.none ?messages-per-host2;MyTemplateName
>
> Now you may ask why I didn't use HOSTNAME and only HOSTNAME after all?
> Well.. it looks like there are several messages that don't contain the
> HOSTNAME field and this breaks everything.
>
> I'm not sure these are all bugs.

It may very well be. I suspect that they all have the same root cause, and
that is that some message properties are not correctly being set for
internally-generated messages. So one trouble spot with multiple problems
resulting from it.

Could you do me a favor and run rsyslogd with -d -n options interactively
and send me the resulting debug log?

Rainer

> They may be some result of some human error of some kind (my error).
>
> Waiting for your confirmation of the above,
> Radu Gheorghiu
>
> Rainer Gerhards wrote:
> > Ah, ok, so the problem actually is that fromhost is empty...
> >
> > ----- Original Message -----
> > From: "Radu Gheorghiu" <[EMAIL PROTECTED]>
> > To: "rsyslog-users" <[email protected]>
> > Sent: 22.03.08 13:21
> > Subject: Re: [rsyslog] Property-Based Filters
> >
> > Hi,
> >
> > Well as I said I needed a central log solution.
> > So I did this:
> >
> > $template messages-per-host1,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages"
> > $template messages-per-host2,"/var/log/hosts/%FROMHOST%/messages"
> >
> > and for testing purposes (and debug):
> >
> > $template MyTemplateName,"TheHost:d%FROMHOST%d %syslogseverity% TheMsg: %msg%\n"
> >
> > And here is the rest:
> > *.info;mail.none;authpriv.none;cron.none ?messages-per-host1;MyTemplateName
> > *.info;mail.none;authpriv.none;cron.none ?messages-per-host2;MyTemplateName
> >
> > I look in /var/log/hosts:
> > 2008 clog-he-de messages
> > clog-he-de is the localhost ..
> > and 2008 + messages is created because FROMHOST is empty.
> > proof:
> >
> > cat messages
> > TheHost:dd 6 TheMsg: [origin software="rsyslogd" swVersion="2.0.3" x-pid="12215" x-info="http://www.rsyslog.com"][x-configInfo udpReception="Yes" udpPort="514" tcpReception="No" tcpPort="0"] restart
> >
> > note the "dd" after "TheHost:" . I put it there to be sure there's
> > nothing between the two "d".
> >
> > Thanks,
> > Radu Gheorghiu
> >
> > Rainer Gerhards wrote:
> >
> >>> Hi,
> >>> I'm using stable. I'm trying to create some central log machine.
> >>> I made some tests .. and it seems that when I start rsyslog on the
> >>> central logging machine, it creates some messages regarding rsyslog
> >>> version, for those messages FROMHOST is empty.
> >>
> >> That *is* a bug. FROMHOST should not be empty. And now that I know it
> >> probably won't be empty in the future ;)
> >>
> >>> If you want I can provide you with full rsyslog.conf. Please test and reply.
> >>
> >> So you want to filter out the rsyslog startup and shutdown messages?
> >> Please provide me a few samples of what the messages look like in your
> >> log files.
> >>
> >> Thanks,
> >> Rainer
> >>
> >>> Thanks,
> >>> Radu Gheorghiu
> >>>
> >>> Rainer Gerhards wrote:
> >>>
> >>>> Hi Radu,
> >>>>
> >>>> I will look into the issue, smells like a bug. But FROMHOST can never
> >>>> be empty... Is it just a sample? If so, which property you are looking
> >>>> at (I wonder what may be empty, thus the question...).
> >>>>
> >>>> Rainer
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: [EMAIL PROTECTED] [mailto:rsyslog-[EMAIL PROTECTED] On Behalf Of Radu Gheorghiu
> >>>>> Sent: Saturday, March 22, 2008 6:47 AM
> >>>>> To: [email protected]
> >>>>> Subject: [rsyslog] Property-Based Filters
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I'm having trouble setting up some properties-based filters. I want
> >>>>> to see if some property is equal to "" (empty).
> >>>>> I'm doing this:
> >>>>> :FROMHOST, isequal, ""
> >>>>> *.info;mail.none;authpriv.none;cron.none ?messages-per-host4
> >>>>>
> >>>>> But it still matches everything it should not. Am I doing something
> >>>>> wrong?
> >>>>>
> >>>>> Thanks,
> >>>>> Radu
> >>>>> _______________________________________________
> >>>>> rsyslog mailing list
> >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
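
The rule handling described in the reply above, as a simplified Python model added here (not rsyslog code and not written by either poster): each line is its own filter with its own action, and `~` stops further processing of the message. It assumes a filter line without an action does nothing and that every message passes the `*.info;...` selector; `web01` is a constructed host name.

```python
# Simplified model of rsyslog v2 rule processing as described in the thread.
# Added example; not rsyslog code. Assumptions are marked inline.
DISCARD = "~"

def run_rules(rules, msg):
    """Apply (predicate, action) rules in order; return the file paths written."""
    written = []
    for predicate, action in rules:
        if not predicate(msg):
            continue
        if action is None:       # filter line without an action: modeled as a no-op (assumption)
            continue
        if action == DISCARD:    # "~" discards the message; later rules never see it
            break
        written.append(action.format(**msg))
    return written

def fromhost_empty(msg):
    return msg["FROMHOST"] == ""

def selector(msg):
    # Stands in for *.info;mail.none;authpriv.none;cron.none (assumed to match)
    return True

# As first posted: the property filter has no action and does not gate the next line.
ORIGINAL = [
    (fromhost_empty, None),
    (selector, "/var/log/hosts/{HOSTNAME}/messages"),
]
# No filter at all: an empty FROMHOST collapses the per-host directory level.
UNFILTERED = [(selector, "/var/log/hosts/{FROMHOST}/messages")]
# Every filter line carries an action: empty-FROMHOST messages are written under
# HOSTNAME, then discarded before the FROMHOST-based rule is reached.
CORRECTED = [
    (fromhost_empty, "/var/log/hosts/{HOSTNAME}/messages"),
    (fromhost_empty, DISCARD),
    (selector, "/var/log/hosts/{FROMHOST}/messages"),
]

# Constructed sample messages
LOCAL_MSG = {"FROMHOST": "", "HOSTNAME": "clog-he-de"}
REMOTE_MSG = {"FROMHOST": "web01", "HOSTNAME": "web01"}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("unfiltered", UNFILTERED),
                        ("corrected", CORRECTED)):
        for msg in (LOCAL_MSG, REMOTE_MSG):
            print(name, msg, run_rules(rules, msg))
```
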

