Oh,
I tried that but I had it on the same line. So that has to be on a 
separate line?

Thanks again for the explanation that really helps me understand how 
it's working.

Thanks again for all your help with this.

Ralph

[email protected] wrote:
> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>
>   
>> Hi Rainer,
>> Thanks for the explanation, that helps me understand how it's working.
>>
>> That works, the logs are going to the correct file, however they are
>> also being sent to /var/log/syslog? How can I make all the logs from my
>> host "192.168.1.1" go only to the "-?DynFwall" template file?
>>     
>
> after you tell rsyslog to put the logs in that file, you then need to tell 
> rsyslog to throw the log away.
>
> so you would do something like
>
> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
> & ~
>
> which is logically the same as
>
> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
> :fromhost-ip,isequal,"192.168.1.1"    ~
>
> David Lang
>
>
>   
>> I would like to give feedback on the cookbook let me know how I can help.
>>
>> Thanks all, for your help with this.
>> Ralph
>>
>> Rainer Gerhards wrote:
>>     
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of Ralph
>>>> Crongeyer
>>>> Sent: Monday, January 18, 2010 4:37 PM
>>>> To: Philip M. Gollucci
>>>> Cc: rsyslog-users
>>>> Subject: Re: [rsyslog] fromhost-ip
>>>>
>>>> Hi Phillip,
>>>> Thanks for the response.
>>>> The %HOSTNAME% part works fine here if I do this:
>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>> *.*    -?DynFwall
>>>>
>>>>         
>>> Phillip suggested the right thing.
>>>
>>>       
>>>> However if I try to filter by IP using the "fromhost-ip" like this:
>>>> *.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>
>>>>         
>>> The issue is that the config is wrong. "*.*" and ":fromhost..." are both
>>> filters. There can only be one filter in front of an action. As *.* means
>>> all messages, I assume you actually wanted to do this:
>>>
>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>
>>> Which filters all messages based on fromhost-ip.
>>>
>>> The config format is clumsy. I am currently talking with some folks at
>>> Adiscon, and we will probably create a cookbook-type doc that provides
>>> samples for some common scenarios. I guess that would be useful. Any
>>> feedback on that effort would be welcome.
>>>
>>> Rainer
>>>
>>>
>>>       
>>>> It fails to capture logs in the DynFwall template file.
>>>>
>>>> I've tried to do this with the "fromhost" and the "fromhost-ip" and
>>>> neither seem to work?
>>>>
>>>> I want to have it so that a specific host IP uses a specific template.
>>>>
>>>> It looks like the fromhost and the fromhost-ip aren't working
>>>> at all? Or my config is wrong.
>>>>
>>>> Does anyone on the list have "fromhost-ip" working?
>>>>
>>>> Thanks,
>>>> Ralph
>>>>
>>>> Philip M. Gollucci wrote:
>>>>
>>>>         
>>>>> On 1/17/2010 5:50 PM, Ralph Crongeyer wrote:
>>>>>
>>>>>
>>>>>           
>>>>>> # Firewall logs #
>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>> *.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
>>>>>>
>>>>>> But I'm just getting this error in /var/log/syslog:
>>>>>>
>>>>>> Jan 17 16:49:47 log rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="12540" x-info="http://www.rsyslog.com"] (re)start
>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.d/remote-logs.conf, line 10
>>>>>> Jan 17 16:49:47 log rsyslogd: warning: selector line without actions will be discarded
>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.conf, line 48
>>>>>> Jan 17 16:49:47 log rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>>>>
>>>>
>>>>         
>>>>>> I'm trying to log all logs from my IPCop host to
>>>>>> "/var/log/server-logs/firewall/%HOSTNAME%.log" .
>>>>>>
>>>>>>
>>>>>>             
>>>>> I tried for 1.5 days to figure this out cutting and pasting examples
>>>>> left and right.  Finally I came up with the following which works well
>>>>> for me, you should be able to tweak it slightly for yourself.
>>>>>
>>>>>
>>>>> $template by_prog,"/var/log/rws/%programname%.log"
>>>>>
>>>>> :programname, regex, "^pxy.*rc\."  ?by_prog
>>>>> & :omrelp:cl.dca1.rws:2514
>>>>> & ~
>>>>>
>>>>> Just sub out %programname% for %HOSTNAME%
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>           
>>>> --
>>>> Reminds me of my expedition into the wilds of Afghanistan. We
>>>> lost our
>>>> corkscrew and were compelled to live on food and water for
>>>> several days. -
>>>> WC Fields
>>>>
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com
>>>>
>>>>
>>>>         


-- 
Reminds me of my expedition into the wilds of Afghanistan. We lost our 
corkscrew and were compelled to live on food and water for several days. - 
WC Fields
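
Added example, not part of the original messages and not rsyslog's own code: a small heuristic lint for the two mistakes this thread works through, a selector and a property filter in front of one action, and a property-filter rule with no discard after it. The sample configs are constructed from the lines quoted above; the `*.*  -/var/log/syslog` catch-all rule and the names lint, BROKEN, LEAKY and FIXED are assumptions for illustration.

```python
import re

# Heuristic patterns for rsyslog's legacy rule syntax (not a full parser).
SELECTOR = re.compile(r'^[\w*,;!=]+\.[\w*,;!=]+$')        # e.g. *.* or mail.info
PROP_START = re.compile(r'^:[\w$!-]+\s*,')                # e.g. :fromhost-ip,
PROP_RULE = re.compile(r'^(:[\w$!-]+\s*,\s*!?\w+\s*,\s*"(?:[^"\\]|\\.)*")\s+(.+)$')

def norm(flt):
    return re.sub(r"\s+", "", flt)

def lint(config_text):
    """Return (line_number, message) findings for the two mistakes in the thread."""
    rules = [(n, raw.strip()) for n, raw in enumerate(config_text.splitlines(), 1)
             if raw.strip() and not raw.strip().startswith(("#", "$"))]
    findings = []
    for i, (n, line) in enumerate(rules):
        parts = line.split(None, 1)
        # Mistake 1: a selector and a property filter in front of one action.
        if len(parts) == 2 and SELECTOR.match(parts[0]) and PROP_START.match(parts[1]):
            findings.append((n, "two filters before one action"))
            continue
        m = PROP_RULE.match(line)
        if not m or m.group(2).strip() == "~":
            continue
        # Mistake 2: the match is written somewhere but never discarded, so
        # later rules (such as the one feeding /var/log/syslog) still see it.
        discarded = False
        for _, nxt in rules[i + 1:]:
            if nxt.startswith("&"):
                if nxt[1:].strip() == "~":
                    discarded = True
                    break
                continue                      # another chained action
            m2 = PROP_RULE.match(nxt)
            discarded = bool(m2 and norm(m2.group(1)) == norm(m.group(1))
                             and m2.group(2).strip() == "~")
            break
        if not discarded:
            findings.append((n, "matched messages are not discarded"))
    return findings

# Constructed sample configs based on the lines quoted in this thread.
TEMPLATE = '$template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"\n'
BROKEN = TEMPLATE + '*.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall\n'
LEAKY = TEMPLATE + ':fromhost-ip,isequal,"192.168.1.1"    -?DynFwall\n*.*  -/var/log/syslog\n'
FIXED = TEMPLATE + ':fromhost-ip,isequal,"192.168.1.1"    -?DynFwall\n& ~\n*.*  -/var/log/syslog\n'

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("LEAKY", LEAKY), ("FIXED", FIXED)):
        print(name, lint(cfg))
```

The lint only reads rule order within one file, so it says nothing about rules pulled in earlier or later by other included files.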
