When I switched to double quotes I get the error in /var/log/syslog and 
no logs are collected?
I switched back to single quotes and restart and no error but still no logs?

What else may I be doing wrong?

Thanks,
Ralph

[email protected] wrote:
> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>
>   
>> Thanks David,
>> Ok so now I'm trying this:
>>
>> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
>> if $fromhost-ip == '192.168.1.1' and $syslogfacility-text == 'mail' then
>> ?DynMail
>>     
>
> you can't use single quotes, you must use double quotes (apparently the 
> config language uses single quotes for something else, I don't know what)
>
> I've tripped over this several times now.
>
> David Lang
>
>   
>> After a restart of rsyslog there are no errors in /var/log/syslog
>> however no logs are being collected?
>>
>> Thanks for your help with this David.
>>
>> Ralph
>>
>> [email protected] wrote:
>>     
>>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>>>
>>>
>>>       
>>>> Ok one more question.
>>>> I have:
>>>> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
>>>> mail.*  -?DynMail
>>>>
>>>> Which logs all mail to the %HOSTNAME%.mail.log.
>>>>
>>>> My guess would be:
>>>> $template DynMail,"/var/log/server-logs/mail/%HOSTNAME%.mail.log"
>>>> mail.*  :fromhost-ip,isequal,"192.168.1.1" -?DynMail
>>>>
>>>> But as Rainer explained these are both filters which won't work.
>>>>
>>>> So how do I use "fromhost-ip" to send only "mail.*" logs from a
>>>> specified host IP to the "DynMail" template?
>>>>
>>>>         
>>> you need to use the more powerful/complex
>>>
>>> if ((condition) and (condition)) action
>>>
>>> line format
>>>
>>> David Lang
>>>
>>>
>>>       
>>>> Thanks,
>>>> Ralph
>>>>
>>>> Ralph Crongeyer wrote:
>>>>
>>>>         
>>>>> Oh,
>>>>> I tried that but I had it on the same line. So that has to be on a
>>>>> separate line?
>>>>>
>>>>> Thanks again for the explanation that really helps me understand how
>>>>> it's working.
>>>>>
>>>>> Thanks again for all your help with this.
>>>>>
>>>>> Ralph
>>>>>
>>>>> [email protected] wrote:
>>>>>
>>>>>
>>>>>           
>>>>>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>             
>>>>>>> Hi Rainer,
>>>>>>> Thanks for the explanation, that helps me understand how it's working.
>>>>>>>
>>>>>>> That works, the logs are going to the correct file, however they are
>>>>>>> also being sent to /var/log/syslog? How can I make all the logs from my
>>>>>>> host "192.168.1.1" go only to the "-?DynFwall" template file?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>> after you tell rsyslog to put the logs in that file, you then need to tell
>>>>>> rsyslog to throw the log away.
>>>>>>
>>>>>> so you would do something like
>>>>>>
>>>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>> & ~
>>>>>>
>>>>>> which is logically the same as
>>>>>>
>>>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>> :fromhost-ip,isequal,"192.168.1.1"    ~
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>             
>>>>>>> I would like to give feedback on the cookbook, let me know how I can help.
>>>>>>>
>>>>>>> Thanks all, for your help with this.
>>>>>>> Ralph
>>>>>>>
>>>>>>> Rainer Gerhards wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: [email protected]
>>>>>>>>> [mailto:[email protected]] On Behalf Of Ralph
>>>>>>>>> Crongeyer
>>>>>>>>> Sent: Monday, January 18, 2010 4:37 PM
>>>>>>>>> To: Philip M. Gollucci
>>>>>>>>> Cc: rsyslog-users
>>>>>>>>> Subject: Re: [rsyslog] fromhost-ip
>>>>>>>>>
>>>>>>>>> Hi Philip,
>>>>>>>>> Thanks for the response.
>>>>>>>>> The %HOSTNAME% part works fine here if I do this:
>>>>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>>>>> *.*    -?DynFwall
>>>>>>>>>
>>>>>>>> Philip suggested the right thing.
>>>>>>>>
>>>>>>>>> However if I try to filter by IP using the "fromhost-ip" like this:
>>>>>>>>> *.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>>>>>
>>>>>>>> The issue is that the config is wrong. "*.*" and ":fromhost..." are both
>>>>>>>> filters. There can only be one filter in front of an action. As *.* means
>>>>>>>> all messages, I assume you actually wanted to do this:
>>>>>>>>
>>>>>>>> :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
>>>>>>>>
>>>>>>>> Which filters all messages based on fromhost-ip.
>>>>>>>>
>>>>>>>> The config format is clumsy. I am currently talking with some folks at
>>>>>>>> Adiscon, and we will probably create a cookbook-type doc that provides
>>>>>>>> samples for some common scenarios. I guess that would be useful. Any feedback
>>>>>>>> on that effort would be welcome.
>>>>>>>>
>>>>>>>> Rainer
>>>>>>>>
>>>>>>>>> It fails to capture logs in the DynFwall template file.
>>>>>>>>>
>>>>>>>>> I've tried to do this with the "fromhost" and the "fromhost-ip" and
>>>>>>>>> neither seem to work?
>>>>>>>>>
>>>>>>>>> I want to have it so that a specific host IP uses a specific template.
>>>>>>>>>
>>>>>>>>> It looks like the fromhost and the fromhost-ip aren't working
>>>>>>>>> at all? Or my config is wrong.
>>>>>>>>>
>>>>>>>>> Does anyone on the list have "fromhost-ip" working?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Ralph
>>>>>>>>>
>>>>>>>>> Philip M. Gollucci wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>                   
>>>>>>>>>> On 1/17/2010 5:50 PM, Ralph Crongeyer wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>                     
>>>>>>>>>>> # Firewall logs #
>>>>>>>>>>> $template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
>>>>>>>>>>> *.* :fromhost-ip, isequal, "192.168.1.1" -?DynFwall
>>>>>>>>>>>
>>>>>>>>>>> But I'm just getting this error in /var/log/syslog:
>>>>>>>>>>>
>>>>>>>>>>> Jan 17 16:49:47 log rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="12540" x-info="http://www.rsyslog.com";] (re)start
>>>>>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.d/remote-logs.conf, line 10
>>>>>>>>>>> Jan 17 16:49:47 log rsyslogd: warning: selector line without actions will be discarded
>>>>>>>>>>> Jan 17 16:49:47 log rsyslogd: the last error occured in /etc/rsyslog.conf, line 48
>>>>>>>>>>> Jan 17 16:49:47 log rsyslogd-2124: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to log all logs from my IPCop host to
>>>>>>>>>>> "/var/log/server-logs/firewall/%HOSTNAME%.log" .
>>>>>>>>>>>
>>>>>>>>>> I tried for 1.5 days to figure this out cutting and pasting examples
>>>>>>>>>> left and right.  Finally I came up with the following which works well
>>>>>>>>>> for me, you should be able to tweak it slightly for yourself.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> $template by_prog,"/var/log/rws/%programname%.log"
>>>>>>>>>>
>>>>>>>>>> :programname, regex, "^pxy.*rc\."  ?by_prog
>>>>>>>>>> & :omrelp:cl.dca1.rws:2514
>>>>>>>>>> & ~
>>>>>>>>>>
>>>>>>>>>> Just sub out %programname% for %HOSTNAME%
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Reminds me of my expedition into the wilds of Afghanistan. We lost our
>>>>>>>>> corkscrew and were compelled to live on food and water for several days. -
>>>>>>>>> WC Fields
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> rsyslog mailing list
>>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>>> http://www.rsyslog.com


-- 
Reminds me of my expedition into the wilds of Afghanistan. We lost our 
corkscrew and were compelled to live on food and water for several days. - 
WC Fields
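
The two configuration mistakes discussed in this thread, as an added example (not code from any poster or from the rsyslog project): a small Python check over legacy-format rule lines that flags a selector and a property filter placed in front of one action, and a dynamic-file rule with no "& ~" discard chained after it. The regular expressions are a simplified model of the legacy syntax, and the name `lint` and the finding labels are hypothetical.

```python
import re

# Simplified model of legacy (v4-era) rsyslog rule lines; patterns are assumptions.
SELECTOR = re.compile(r'^[\w*,;.!=]+\.[\w*,;!=]+\s+')        # "*.*  ", "mail.*  "
PROP_FILTER = re.compile(r'^:[\w-]+\s*,\s*!?\w+\s*,\s*"[^"]*"\s*')
DISCARD = re.compile(r'^&\s*~$')

def lint(config_text):
    """Return (line_number, finding) pairs for the two mistakes in the thread."""
    rules = [(n, l.strip()) for n, l in enumerate(config_text.splitlines(), 1)]
    # drop blanks, comments and $directives such as $template
    rules = [(n, l) for n, l in rules if l and not l.startswith(('#', '$'))]
    findings = []
    for idx, (n, line) in enumerate(rules):
        sel = SELECTOR.match(line)
        if sel and PROP_FILTER.match(line[sel.end():]):
            # "*.* :fromhost-ip,..." -> two filters in front of one action
            findings.append((n, 'two-filters'))
            continue
        prop = PROP_FILTER.match(line)
        if prop and line[prop.end():].lstrip('-').startswith('?'):
            # dynamic-file action: walk the chained "& ..." lines for "& ~"
            chained = []
            for _, nxt in rules[idx + 1:]:
                if not nxt.startswith('&'):
                    break
                chained.append(nxt)
            if not any(DISCARD.match(c) for c in chained):
                # message is written, then continues to later rules
                findings.append((n, 'no-discard'))
    return findings

# Constructed sample built from rule lines quoted in the thread.
SAMPLE = '''\
$template DynFwall,"/var/log/server-logs/firewall/%HOSTNAME%.log"
*.*    :fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
:fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
*.*    /var/log/syslog
:fromhost-ip,isequal,"192.168.1.1"    -?DynFwall
& ~
'''

if __name__ == '__main__':
    for lineno, finding in lint(SAMPLE):
        print(f'line {lineno}: {finding}')
```
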
