Hi Rainer,

Thanks for the explanation, that helps me understand how it's working.
That works, the logs are going to the correct file, however they are also being sent to /var/log/syslog? How can I make all the logs from my host "192.168.1.1" go only to the "-?DynFwall" template file?

I would like to give feedback on the cookbook, let me know how I can help.

Thanks all, for your help with this.

Ralph

Rainer Gerhards wrote:
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Ralph
>> Crongeyer
>> Sent: Monday, January 18, 2010 4:37 PM
>> To: Philip M. Gollucci
>> Cc: rsyslog-users
>> Subject: Re: [rsyslog] fromhost-ip
>>
>> Hi Philip,
>> Thanks for the response.
>> The %HOSTNAME% part works fine here if I do this:
>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>> *.* -?DynFwall
>>
>
> Philip suggested the right thing.
>
>> However if I try to filter by IP using the "fromhost-ip" like this:
>> *.* :fromhost-ip,isequal,"192.168.1.1" -?DynFwall
>>
>
> The issue is that the config is wrong. "*.*" and ":fromhost..." are both
> filters. There can only be one filter in front of an action. As *.* means
> all messages, I assume you actually wanted to do this:
>
> :fromhost-ip,isequal,"192.168.1.1" -?DynFwall
>
> Which filters all messages based on fromhost-ip.
>
> The config format is clumsy. I am currently talking with some folks at
> Adiscon, and we will probably create a cookbook-type doc that provides
> samples for some common scenarios. I guess that would be useful. Any feedback
> on that effort would be welcome.
>
> Rainer
>
>> It fails to capture logs in the DynFwall template file.
>>
>> I've tried to do this with the "fromhost" and the "fromhost-ip" and
>> neither seem to work?
>>
>> I want to have it so that a specific host IP uses a specific template.
>>
>> It looks like the fromhost and the fromhost-ip aren't working at all? Or
>> my config is wrong.
>>
>> Does anyone on the list have "fromhost-ip" working?
>>
>> Thanks,
>> Ralph
>>
>> Philip M. Gollucci wrote:
>>
>>> On 1/17/2010 5:50 PM, Ralph Crongeyer wrote:
>>>
>>>> # Firewall logs #
>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>> *.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
>>>>
>>>> But I'm just getting this error in /var/log/syslog:
>>>>
>>>> Jan 17 16:49:47 log rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="12540" x-info="http://www.rsyslog.com"] (re)start
>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.d/remote-logs.conf, line 10
>>>> Jan 17 16:49:47 log rsyslogd: warning: selector line without actions will be discarded
>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.conf, line 48
>>>> Jan 17 16:49:47 log rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>>
>>>> I'm trying to log all logs from my IPCop host to
>>>> "/var/log/server-logs/firewall/%HOSTNAME%.log" .
>>>>
>>> I tried for 1.5 days to figure this out cutting and pasting examples
>>> left and right. Finally I came up with the following which works well
>>> for me, you should be able to tweak it slightly for yourself.
>>>
>>> $template by_prog,"/var/log/rws/%programname%.log"
>>>
>>> :programname, regex, "^pxy.*rc\." ?by_prog
>>> & :omrelp:cl.dca1.rws:2514
>>> & ~
>>>
>>> Just sub out %programname% for %HOSTNAME%
>>>
>> --
>> Reminds me of my expedition into the wilds of Afghanistan. We lost our
>> corkscrew and were compelled to live on food and water for several days.
>> - WC Fields
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
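
Added example, not part of the thread and not the rsyslog project's own sample: the rejected selector line from the first message beside the single-filter form, followed by the `& ~` discard that appears in Philip's snippet so the matched messages stop before later rules. It assumes legacy (v4-era) syntax and that this file is included ahead of the rule that writes /var/log/syslog.

```conf
# Constructed example in legacy rsyslog syntax, e.g. a file under /etc/rsyslog.d/
# (assumption: it is included BEFORE the default rules in /etc/rsyslog.conf).

# Per-host output file; %HOSTNAME% is expanded for each message.
$template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"

# Rejected at startup: "*.*" and ":fromhost-ip,..." are both filters, and
# only one filter may precede an action ("selector line without actions").
# *.* :fromhost-ip,isequal,"192.168.1.1" -?DynFwall

# One filter, one action: messages received from 192.168.1.1 go to the
# dynamic file ("?" selects the template, "-" turns off sync after each write).
:fromhost-ip,isequal,"192.168.1.1" -?DynFwall

# "&" attaches another action to the same filter; "~" discards the message,
# so rules evaluated after this point never see it.
& ~
```

Rules are evaluated in file order, so the discard only keeps these messages out of /var/log/syslog if it runs before that rule. `fromhost-ip` is the address rsyslog received the message from, whereas `%HOSTNAME%` in the file name is taken from the message itself.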

