On Mon, 18 Jan 2010, Ralph Crongeyer wrote:

> Ok one more question.
> I have:
> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
> mail.*  -?DynMail
>
> Which logs all mail to the %HOSTNAME%.mail.log.
>
> My guess would be:
> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
> mail.*  :fromhost-ip,isequal,"192.168.1.1" -?DynMail
>
> But as Rainer explained these are both filters which won't work.
>
> So how do I use "fromhost-ip" to send only "mail.*" logs from a
> specified host IP to the "DynMail" template?

you need to use the more powerful/complex

if ((condition) and (condition)) action

line format

David Lang

> Thanks,
> Ralph
>
> Ralph Crongeyer wrote:
>> Oh,
>> I tried that but I had it on the same line. So that has to be on a
>> separate line?
>>
>> Thanks again for the explanation that really helps me understand how
>> it's working.
>>
>> Thanks again for all your help with this.
>>
>> Ralph
>>
>> [email protected] wrote:
>>
>>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>>>
>>>
>>>
>>>> Hi Rainer,
>>>> Thanks for the explanation, that helps me understand how it's working.
>>>>
>>>> That works, the logs are going to the correct file, however they are
>>>> also being sent to /var/log/syslog? How can I make all the logs from my
>>>> host "192.168.1.1" go only to the "-?DynFwall" template file?
>>>>
>>>>
>>> after you tell rsyslog to put the logs in that file, you then need to tell
>>> rsyslog to throw the log away.
>>>
>>> so you would do something like
>>>
>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>> & ~
>>>
>>> which is logically the same as
>>>
>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>> :fromhost-ip,isequal,"192.168.1.1"    ~
>>>
>>> David Lang
>>>
>>>
>>>
>>>
>>>> I would like to give feedback on the cookbook let me know how I can help.
>>>>
>>>> Thanks all, for your help with this.
>>>> Ralph
>>>>
>>>> Rainer Gerhards wrote:
>>>>
>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected]
>>>>>> [mailto:[email protected]] On Behalf Of Ralph
>>>>>> Crongeyer
>>>>>> Sent: Monday, January 18, 2010 4:37 PM
>>>>>> To: Philip M. Gollucci
>>>>>> Cc: rsyslog-users
>>>>>> Subject: Re: [rsyslog] fromhost-ip
>>>>>>
>>>>>> Hi Phillip,
>>>>>> Thanks for the response.
>>>>>> The %HOSTNAME% part works fine here if I do this:
>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>> *.*    -?DynFwall
>>>>>>
>>>>>>
>>>>>>
>>>>> Phillip suggested the right thing.
>>>>>
>>>>>
>>>>>
>>>>>> However if I try to filter by IP using the "fromhost-ip" like this:
>>>>>> *.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>>
>>>>>>
>>>>>>
>>>>> The issue is that the config is wrong. "*.*" and ":fromhost..." are both
>>>>> filters. There can only be one filter in front of an action. As *.* means
>>>>> all messages, I assume you actually wanted to do this:
>>>>>
>>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>
>>>>> Which filters all messages based on fromhost-ip.
>>>>>
>>>>> The config format is clumsy. I am currently talking with some folks at
>>>>> Adiscon, and we will probably create a cookbook-type doc that provides
>>>>> samples for some common scenarios. I guess that would be useful. Any
>>>>> feedback on that effort would be welcome.
>>>>>
>>>>> Rainer
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> It fails to capture logs in the DynFwall template file.
>>>>>>
>>>>>> I've tried to do this with the "fromhost" and the "fromhost-ip" and
>>>>>> neither seem to work?
>>>>>>
>>>>>> I want to have it so that a specific host IP uses a specific template.
>>>>>>
>>>>>> It looks like the fromhost and the fromhost-ip aren't working
>>>>>> at all? Or my config is wrong.
>>>>>>
>>>>>> Does anyone on the list have "fromhost-ip" working?
>>>>>>
>>>>>> Thanks,
>>>>>> Ralph
>>>>>>
>>>>>> Philip M. Gollucci wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On 1/17/2010 5:50 PM, Ralph Crongeyer wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> # Firewall logs #
>>>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>>>> *.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
>>>>>>>>
>>>>>>>> But I'm just getting this error in /var/log/syslog:
>>>>>>>>
>>>>>>>> Jan 17 16:49:47 log rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="12540" x-info="http://www.rsyslog.com";] (re)start
>>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.d/remote-logs.conf, line 10
>>>>>>>> Jan 17 16:49:47 log rsyslogd: warning: selector line without actions will be discarded
>>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.conf, line 48
>>>>>>>> Jan 17 16:49:47 log rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>>>>>>
>>>>>>>> I'm trying to log all logs from my IPCop host to
>>>>>>>> "/var/log/server-logs/firewall/%HOSTNAME%.log" .
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> I tried for 1.5 days to figure this out cutting and pasting examples
>>>>>>> left and right.  Finally I came up with the following which works well
>>>>>>> for me, you should be able to tweak it slightly for yourself.
>>>>>>>
>>>>>>>
>>>>>>> $template by_prog,"/var/log/rws/%programname%.log"
>>>>>>>
>>>>>>> :programname, regex, "^pxy.*rc\."  ?by_prog
>>>>>>> & :omrelp:cl.dca1.rws:2514
>>>>>>> & ~
>>>>>>>
>>>>>>> Just sub out %programname% for %HOSTNAME%
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> Reminds me of my expedition into the wilds of Afghanistan. We lost our
>>>>>> corkscrew and were compelled to live on food and water for several days. -
>>>>>> WC Fields
>>>>>>
>>>>>> _______________________________________________
>>>>>> rsyslog mailing list
>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>> http://www.rsyslog.com
>
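
An added example, not part of the original thread: the "if ((condition) and (condition)) action" format applied to the mail.* plus fromhost-ip question, in the legacy rsyslog syntax of the 4.4.2 version shown in the error log. The template name, path and IP address are the ones quoted in the thread; the use of the syslogfacility-text property to stand in for "mail.*" is an assumption of this example.

```conf
# Added example, not from the thread. Legacy (rsyslog 4.x) config syntax.
$template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"

# Not valid: a selector (mail.*) and a property filter (:fromhost-ip,...)
# are both filters, and only one filter may precede an action.
#mail.*  :fromhost-ip,isequal,"192.168.1.1" -?DynMail

# Expression-based filter: both conditions combined in one rule.
# In the legacy format the whole "if ... then action" must be on one line.
if ($syslogfacility-text == 'mail') and ($fromhost-ip == '192.168.1.1') then -?DynMail
# Discard what the rule above matched, so later rules (such as the one
# writing /var/log/syslog) do not log the same messages a second time.
& ~

# Rule order matters: these lines must be read before the generic rules,
# otherwise the messages are already written elsewhere when "& ~" runs.
#
# fromhost-ip is the address of the system this rsyslogd received the
# message from. For relayed messages that is the relay, not the original
# sender, and a UDP source address is not authenticated, so do not treat
# the per-host file as proof of which machine produced an entry.
```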