Thanks David,
Ok so now I'm trying this:

$template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
if $fromhost-ip == '192.168.1.1' and $syslogfacility-text == 'mail' then ?DynMail

After a restart of rsyslog there are no errors in /var/log/syslog 
however no logs are being collected?

Thanks for your help with this David.

Ralph

[email protected] wrote:
> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>
>   
>> Ok one more question.
>> I have:
>> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
>> mail.*  -?DynMail
>>
>> Which logs all mail to the %HOSTNAME%.mail.log.
>>
>> My guess would be:
>> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
>> mail.*  :fromhost-ip,isequal,"192.168.1.1" -?DynMail
>>
>> But as Rainer explained these are both filters which won't work.
>>
>> So how do I use "fromhost-ip" to send only "mail.*" logs from a
>> specified host IP to the "DynMail" template?
>>     
>
> you need to use the more powerful/complex
>
> if ((condition) and (condition)) action
>
> line format
>
> David Lang
>
>   
>> Thanks,
>> Ralph
>>
>> Ralph Crongeyer wrote:
>>     
>>> Oh,
>>> I tried that but I had it on the same line. So that has to be on a
>>> separate line?
>>>
>>> Thanks again for the explanation that really helps me understand how
>>> it's working.
>>>
>>> Thanks again for all your help with this.
>>>
>>> Ralph
>>>
>>> [email protected] wrote:
>>>
>>>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>>>>
>>>>> Hi Rainer,
>>>>> Thanks for the explanation, that helps me understand how it's working.
>>>>>
>>>>> That works, the logs are going to the correct file, however they are
>>>>> also being sent to /var/log/syslog? How can I make all the logs from my
>>>>> host "192.168.1.1" go only to the "-?DynFwall" template file?
>>>>>
>>>>>
>>>>>           
>>>> after you tell rsyslog to put the logs in that file, you then need to tell
>>>> rsyslog to throw the log away.
>>>>
>>>> so you would do something like
>>>>
>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>> & ~
>>>>
>>>> which is logically the same as
>>>>
>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>> :fromhost-ip,isequal,"192.168.1.1"    ~
>>>>
>>>> David Lang
>>>>
>>>>> I would like to give feedback on the cookbook let me know how I can help.
>>>>>
>>>>> Thanks all, for your help with this.
>>>>> Ralph
>>>>>
>>>>> Rainer Gerhards wrote:
>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: [email protected]
>>>>>>> [mailto:[email protected]] On Behalf Of Ralph
>>>>>>> Crongeyer
>>>>>>> Sent: Monday, January 18, 2010 4:37 PM
>>>>>>> To: Philip M. Gollucci
>>>>>>> Cc: rsyslog-users
>>>>>>> Subject: Re: [rsyslog] fromhost-ip
>>>>>>>
>>>>>>> Hi Philip,
>>>>>>> Thanks for the response.
>>>>>>> The %HOSTNAME% part works fine here if I do this:
>>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>>> *.*    -?DynFwall
>>>>>>>
>>>>>> Philip suggested the right thing.
>>>>>>
>>>>>>> However if I try to filter by IP using the "fromhost-ip" like this:
>>>>>>> *.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>>>
>>>>>> The issue is that the config is wrong. "*.*" and ":fromhost..." are both
>>>>>> filters. There can only be one filter in front of an action. As *.* means
>>>>>> all messages, I assume you actually wanted to do this:
>>>>>>
>>>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>>
>>>>>> Which filters all messages based on fromhost-ip.
>>>>>>
>>>>>> The config format is clumsy. I am currently talking with some folks at
>>>>>> Adiscon, and we will probably create a cookbook-type doc that provides
>>>>>> samples for some common scenarios. I guess that would be useful. Any feedback
>>>>>> on that effort would be welcome.
>>>>>>
>>>>>> Rainer
>>>>>>
>>>>>>> It fails to capture logs in the DynFwall template file.
>>>>>>>
>>>>>>> I've tried to do this with the "fromhost" and the "fromhost-ip" and
>>>>>>> neither seem to work?
>>>>>>>
>>>>>>> I want to have it so that a specific host IP uses a specific template.
>>>>>>>
>>>>>>> It looks like the fromhost and the fromhost-ip aren't working
>>>>>>> at all? Or my config is wrong.
>>>>>>>
>>>>>>> Does anyone on the list have "fromhost-ip" working?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Ralph
>>>>>>>
>>>>>>> Philip M. Gollucci wrote:
>>>>>>>
>>>>>>>> On 1/17/2010 5:50 PM, Ralph Crongeyer wrote:
>>>>>>>>
>>>>>>>>> # Firewall logs #
>>>>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>>>>> *.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
>>>>>>>>>
>>>>>>>>> But I'm just getting this error in /var/log/syslog:
>>>>>>>>>
>>>>>>>>> Jan 17 16:49:47 log rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="12540" x-info="http://www.rsyslog.com";] (re)start
>>>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.d/remote-logs.conf, line 10
>>>>>>>>> Jan 17 16:49:47 log rsyslogd: warning: selector line without actions will be discarded
>>>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.conf, line 48
>>>>>>>>> Jan 17 16:49:47 log rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>>>>>>>
>>>>>>>>> I'm trying to log all logs from my IPCop host to
>>>>>>>>> "/var/log/server-logs/firewall/%HOSTNAME%.log" .
>>>>>>>>>
>>>>>>>> I tried for 1.5 days to figure this out cutting and pasting examples
>>>>>>>> left and right.  Finally I came up with the following which works well
>>>>>>>> for me, you should be able to tweak it slightly for yourself.
>>>>>>>>
>>>>>>>>
>>>>>>>> $template by_prog,"/var/log/rws/%programname%.log"
>>>>>>>>
>>>>>>>> :programname, regex, "^pxy.*rc\."  ?by_prog
>>>>>>>> & :omrelp:cl.dca1.rws:2514
>>>>>>>> & ~
>>>>>>>>
>>>>>>>> Just sub out %programname% for %HOSTNAME%
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> Reminds me of my expedition into the wilds of Afghanistan. We lost our
>>>>>>> corkscrew and were compelled to live on food and water for several days. -
>>>>>>> WC Fields
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> rsyslog mailing list
>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>> http://www.rsyslog.com


-- 
Reminds me of my expedition into the wilds of Afghanistan. We lost our 
corkscrew and were compelled to live on food and water for several days. - 
WC Fields
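
Added example (not part of the original thread and not rsyslog code): a simplified Python model of the rule processing discussed above, where each rule has exactly one filter, rules are walked top to bottom, and the "~" action stops any later rule from seeing the message. The catch-all /var/log/syslog rule, the hostname "ipcop" and all function and variable names are assumptions made for the illustration.

```python
# Added illustration: a simplified model of ordered rule processing, not rsyslog code.
from dataclasses import dataclass
from typing import Callable, List

DISCARD = "~"  # models the "~" action: stop processing this message

@dataclass
class Msg:
    fromhost_ip: str
    hostname: str
    facility: str

@dataclass
class Rule:
    match: Callable[[Msg], bool]  # exactly one filter in front of the actions
    actions: List[str]            # first action, then any "&"-chained ones

def route(msg: Msg, rules: List[Rule]) -> List[str]:
    """Return the files msg is written to, walking the rules top to bottom."""
    written = []
    for rule in rules:
        if not rule.match(msg):
            continue
        for action in rule.actions:
            if action == DISCARD:
                return written  # later rules never see the message
            written.append(action.replace("%HOSTNAME%", msg.hostname))
    return written

def from_fw(m: Msg) -> bool:
    return m.fromhost_ip == "192.168.1.1"

def mail_from_fw(m: Msg) -> bool:  # the "if (cond) and (cond)" form
    return from_fw(m) and m.facility == "mail"

MAIL = "/var/log/server-logs/mail/%HOSTNAME%.mail.log"
FWALL = "/var/log/server-logs/firewall/%HOSTNAME%.log"
catch_all = Rule(lambda m: True, ["/var/log/syslog"])  # assumed default *.* rule

no_discard = [Rule(mail_from_fw, [MAIL]), catch_all]
with_discard = [Rule(mail_from_fw, [MAIL, DISCARD]), catch_all]
# A discarding host-wide rule placed first shadows the mail rule for that host.
fwall_first = [Rule(from_fw, [FWALL, DISCARD])] + with_discard

# Constructed sample messages; the hostname "ipcop" is made up.
mail_msg = Msg("192.168.1.1", "ipcop", "mail")
kern_msg = Msg("192.168.1.1", "ipcop", "kern")

if __name__ == "__main__":
    for rules in (no_discard, with_discard, fwall_first):
        print(route(mail_msg, rules), route(kern_msg, rules))
```

In this model a combined host-and-facility rule only sees messages that no earlier rule has already discarded, so rule order decides which file a message ends up in.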
