On Mon, 18 Jan 2010, Ralph Crongeyer wrote:

> Oh,
> I tried that but I had it on the same line. So that has to be on a
> separate line?

yes, one line is a filter plus an action

having two filters on a line (like you initially tried) doesn't work,
neither does having two actions on a line.

David Lang

> Thanks again for the explanation that really helps me understand how
> it's working.
>
> Thanks again for all your help with this.
>
> Ralph
>
> [email protected] wrote:
>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>>
>>
>>> Hi Rainer,
>>> Thanks for the explanation, that helps me understand how it's working.
>>>
>>> That works, the logs are going to the correct file, however they are
>>> also being sent to /var/log/syslog? How can I make all the logs from my
>>> host "192.168.1.1" go only to the "-?DynFwall" template file?
>>>
>>
>> after you tell rsyslog to put the logs in that file, you then need to tell
>> rsyslog to throw the log away.
>>
>> so you would do something like
>>
>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>> & ~
>>
>> which is logically the same as
>>
>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>> :fromhost-ip,isequal,"192.168.1.1"    ~
>>
>> David Lang
>>
>>
>>
>>> I would like to give feedback on the cookbook let me know how I can help.
>>>
>>> Thanks all, for your help with this.
>>> Ralph
>>>
>>> Rainer Gerhards wrote:
>>>
>>>>> -----Original Message-----
>>>>> From: [email protected]
>>>>> [mailto:[email protected]] On Behalf Of Ralph
>>>>> Crongeyer
>>>>> Sent: Monday, January 18, 2010 4:37 PM
>>>>> To: Philip M. Gollucci
>>>>> Cc: rsyslog-users
>>>>> Subject: Re: [rsyslog] fromhost-ip
>>>>>
>>>>> Hi Phillip,
>>>>> Thanks for the response.
>>>>> The %HOSTNAME% part works fine here if I do this:
>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>> *.*    -?DynFwall
>>>>>
>>>>>
>>>> Phillip suggested the right thing.
>>>>
>>>>
>>>>> However if I try to filter by IP using the "fromhost-ip" like this:
>>>>> *.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>
>>>>>
>>>> The issue is that the config is wrong. "*.*" and ":fromhost..." are both
>>>> filters. There can only be one filter in front of an action. As *.* means
>>>> all messages, I assume you actually wanted to do this:
>>>>
>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>
>>>> Which filters all messages based on fromhost-ip.
>>>>
>>>> The config format is clumsy. I am currently talking with some folks at
>>>> Adiscon, and we will probably create a cookbook-type doc that provides
>>>> samples for some common scenarios. I guess that would be useful. Any
>>>> feedback on that effort would be welcome.
>>>>
>>>> Rainer
>>>>
>>>>
>>>>
>>>>> It fails to capture logs in the DynFwall template file.
>>>>>
>>>>> I've tried to do this with the "fromhost" and the "fromhost-ip" and
>>>>> neither seem to work?
>>>>>
>>>>> I want to have it so that a specific host IP uses a specific template.
>>>>>
>>>>> It looks like the fromhost and the fromhost-ip aren't working
>>>>> at all? Or my config is wrong.
>>>>>
>>>>> Does anyone on the list have "fromhost-ip" working?
>>>>>
>>>>> Thanks,
>>>>> Ralph
>>>>>
>>>>> Philip M. Gollucci wrote:
>>>>>
>>>>>
>>>>>> On 1/17/2010 5:50 PM, Ralph Crongeyer wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> # Firewall logs #
>>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>>> *.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
>>>>>>>
>>>>>>> But I'm just getting this error in /var/log/syslog:
>>>>>>>
>>>>>>> Jan 17 16:49:47 log rsyslogd: [origin software="rsyslogd"
>>>>>>> swVersion="4.4.2" x-pid="12540" x-info="http://www.rsyslog.com";] (re)start
>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in
>>>>>>> /etc/rsyslog.d/remote-logs.conf, line 10
>>>>>>> Jan 17 16:49:47 log rsyslogd: warning: selector line without actions
>>>>>>> will be discarded
>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in
>>>>>>> /etc/rsyslog.conf, line 48
>>>>>>> Jan 17 16:49:47 log rsyslogd-2124: CONFIG ERROR: could not interpret
>>>>>>> master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>>>
>>>>>
>>>>>>> I'm trying to log all logs from my IPCop host to
>>>>>>> "/var/log/server-logs/firewall/%HOSTNAME%.log" .
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> I tried for 1.5 days to figure this out cutting and pasting examples
>>>>>> left and right.  Finally I came up with the following which works well
>>>>>> for me, you should be able to tweak it slightly for yourself.
>>>>>>
>>>>>>
>>>>>> $template by_prog,"/var/log/rws/%programname%.log"
>>>>>>
>>>>>> :programname, regex, "^pxy.*rc\."  ?by_prog
>>>>>> & :omrelp:cl.dca1.rws:2514
>>>>>> & ~
>>>>>>
>>>>>> Just sub out %programname% for %HOSTNAME%
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> --
>>>>> Reminds me of my expedition into the wilds of Afghanistan. We lost our
>>>>> corkscrew and were compelled to live on food and water for several days. -
>>>>> WC Fields
>>>>>
>>>>> _______________________________________________
>>>>> rsyslog mailing list
>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>> http://www.rsyslog.com
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
>
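
The configuration this thread converges on, collected in one place as an added example (not part of any message above, and not the rsyslog project's own sample). It uses the legacy selector syntax of the rsyslog 4.x under discussion; the catch-all rule at the end and the `DynFwallByIP` template name are assumptions for illustration.

```conf
# Added example, legacy (rsyslog 4.x) syntax. One line = one filter + one action.

# --- Rejected form ----------------------------------------------------------
# Two filters ("*.*" and ":fromhost-ip,...") in front of a single action.
# The thread's log shows rsyslogd refusing this kind of line with
# "selector line without actions will be discarded".
#
# *.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall

# --- Working form -----------------------------------------------------------
# Dynamic file name template, as posted in the thread.
$template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"

# Single property-based filter, single action: write to the templated file.
:fromhost-ip,isequal,"192.168.1.1"    -?DynFwall

# "&" attaches another action to the previous line's filter.
# "~" discards the message, so no later rule processes it.
# (rsyslog v7 and later spell this action "stop".)
& ~

# --- Ordering ---------------------------------------------------------------
# Rules are evaluated top to bottom, so the discard only keeps firewall
# messages out of /var/log/syslog if it is read BEFORE the rule that writes
# there. Assumed Debian-style catch-all, shown for position only:
*.*;auth,authpriv.none    -/var/log/syslog

# --- Variant (assumption, not from the thread) -------------------------------
# %HOSTNAME% is taken from the message text, which the sending host controls,
# while the filter above matches the address the message arrived from.
# Naming the file after that same address keeps a sender from choosing
# its own file name:
#
# $template DynFwallByIP,"/var/log/server-logs/firewall/%fromhost-ip%.log"
# :fromhost-ip,isequal,"192.168.1.1"    -?DynFwallByIP
# & ~
```

After editing, `rsyslogd -N1` checks the configuration for syntax errors without starting the daemon.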
