On Mon, 18 Jan 2010, Ralph Crongeyer wrote:

> Hi Rainer,
> Thanks for the explanation, that helps me understand how it's working.
>
> That works, the logs are going to the correct file, however they are
> also being sent to /var/log/syslog? How can I make all the logs from my
> host "192.168.1.1" go only to the "-?DynFwall" template file?

After you tell rsyslog to put the logs in that file, you then need to tell
rsyslog to throw the log away.

So you would do something like

:fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
& ~

which is logically the same as

:fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
:fromhost-ip,isequal,"192.168.1.1"    ~

David Lang


> I would like to give feedback on the cookbook, let me know how I can help.
>
> Thanks all, for your help with this.
> Ralph
>
> Rainer Gerhards wrote:
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of Ralph
>>> Crongeyer
>>> Sent: Monday, January 18, 2010 4:37 PM
>>> To: Philip M. Gollucci
>>> Cc: rsyslog-users
>>> Subject: Re: [rsyslog] fromhost-ip
>>>
>>> Hi Philip,
>>> Thanks for the response.
>>> The %HOSTNAME% part works fine here if I do this:
>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>> *.*    -?DynFwall
>>>
>>
>> Philip suggested the right thing.
>>
>>> However if I try to filter by IP using the "fromhost-ip" like this:
>>> *.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>
>>
>> The issue is that the config is wrong. "*.*" and ":fromhost..." are both
>> filters. There can only be one filter in front of an action. As *.* means
>> all messages, I assume you actually wanted to do this:
>>
>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>
>> Which filters all messages based on fromhost-ip.
>>
>> The config format is clumsy. I am currently talking with some folks at
>> Adiscon, and we will probably create a cookbook-type doc that provides
>> samples for some common scenarios. I guess that would be useful. Any feedback
>> on that effort would be welcome.
>>
>> Rainer
>>
>>
>>> It fails to capture logs in the DynFwall template file.
>>>
>>> I've tried to do this with the "fromhost" and the "fromhost-ip" and
>>> neither seem to work?
>>>
>>> I want to have it so that a specific host IP uses a specific template.
>>>
>>> It looks like the fromhost and the fromhost-ip aren't working at all?
>>> Or my config is wrong.
>>>
>>> Does anyone on the list have "fromhost-ip" working?
>>>
>>> Thanks,
>>> Ralph
>>>
>>> Philip M. Gollucci wrote:
>>>
>>>> On 1/17/2010 5:50 PM, Ralph Crongeyer wrote:
>>>>
>>>>
>>>>> # Firewall logs #
>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>> *.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
>>>>>
>>>>> But I'm just getting this error in /var/log/syslog:
>>>>>
>>>>> Jan 17 16:49:47 log rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="12540" x-info="http://www.rsyslog.com"] (re)start
>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.d/remote-logs.conf, line 10
>>>>> Jan 17 16:49:47 log rsyslogd: warning: selector line without actions will be discarded
>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.conf, line 48
>>>>> Jan 17 16:49:47 log rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>>>
>>>>> I'm trying to log all logs from my IPCop host to
>>>>> "/var/log/server-logs/firewall/%HOSTNAME%.log" .
>>>>>
>>>>>
>>>> I tried for 1.5 days to figure this out cutting and pasting examples
>>>> left and right.  Finally I came up with the following which works well
>>>> for me, you should be able to tweak it slightly for yourself.
>>>>
>>>>
>>>> $template by_prog,"/var/log/rws/%programname%.log"
>>>>
>>>> :programname, regex, "^pxy.*rc\."  ?by_prog
>>>> & :omrelp:cl.dca1.rws:2514
>>>> & ~
>>>>
>>>> Just sub out %programname% for %HOSTNAME%
>>>>
>>>>
>>>>
>>>>
>>>>
>>> --
>>> Reminds me of my expedition into the wilds of Afghanistan. We lost our
>>> corkscrew and were compelled to live on food and water for several days.
>>> - WC Fields
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com
>>>
>>>
>
>
>
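
The routing behaviour discussed in this thread, as an added example that is not part of the original messages and is not rsyslog code: a simplified Python model of the legacy rule chain showing why the firewall messages also reach /var/log/syslog until "& ~" follows the filter, and why the filter has to come before the catch-all rule. The function names, the hostname "ipcop" and the "*.*" line standing in for the default /var/log/syslog rule are assumptions for illustration.

```python
import re

# Simplified model of rsyslog's legacy rule chain (an assumption for
# illustration, not rsyslog's parser): rules run top to bottom, "&" adds an
# action to the previous filter, and "~" discards the message so that no
# later rule sees it.
PROP = re.compile(r'^:([\w-]+)\s*,\s*isequal\s*,\s*"([^"]*)"\s+(\S+)$')

def parse(config):
    rules = []  # list of (filter, [actions]); filter None means "*.*"
    for line in config.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PROP.match(line)
        if m:
            rules.append(((m.group(1), m.group(2)), [m.group(3)]))
        elif line.startswith("&"):
            if not rules:
                raise ValueError("'&' without a preceding rule")
            rules[-1][1].append(line[1:].strip())
        elif line.startswith("*.*"):
            rules.append((None, [line[3:].strip()]))
        else:
            raise ValueError("unsupported line: " + line)
    return rules

def route(config, msg, templates):
    """Return the files one message is written to, in order."""
    written = []
    for flt, actions in parse(config):
        if flt is not None and msg.get(flt[0]) != flt[1]:
            continue
        for action in actions:
            if action == "~":
                return written            # discarded: stop processing
            name = action.lstrip("-")     # leading "-" only disables sync
            if name.startswith("?"):      # dynamic file from a template
                name = templates[name[1:]].replace("%HOSTNAME%", msg["hostname"])
            written.append(name)
    return written

# Constructed sample data; the catch-all line stands in for the distribution's
# default rule that writes /var/log/syslog.
TEMPLATES = {"DynFwall": "/var/log/server-logs/firewall/%HOSTNAME%.log"}
FILTER = ':fromhost-ip,isequal,"192.168.1.1"    -?DynFwall\n'
DEFAULT = "*.*    -/var/log/syslog\n"
MSG = {"fromhost-ip": "192.168.1.1", "hostname": "ipcop"}
```

Calling route(FILTER + "& ~\n" + DEFAULT, MSG, TEMPLATES) returns only the firewall file; dropping the "& ~" line, or placing DEFAULT first, adds /var/log/syslog to the result.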