RELP did not provide fromhost-ip until recently. You need to use the most recent development version of the git master branch (to be released soon) TOGETHER with the most recent version of librelp to get that information.
Rainer > -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Ralph Crongeyer > Sent: Monday, January 18, 2010 11:12 PM > To: rsyslog-users > Subject: Re: [rsyslog] fromhost-ip > > No, I'm starting with -c4. > > I'll give it a try but ultimately I need to filter in IP. > > I'll try it when I get back from dinner...... > > Thanks again for your help with this guys. > > [email protected] wrote: > > Ok, this says that fromhost-ip is not being set in your case. > > > > I think I ran into a similar problem before, are you starting with -x > to > > disable name lookups? > > > > try changing from fromhost-ip to fromhost > > > > David Lang > > > > On Mon, 18 Jan 2010, Ralph Crongeyer wrote: > > > > > >> This ma be of help: > >> > >> 0928.085091536:imrelp.c: Message has legacy syslog format. > >> 0928.085124502:imrelp.c: main queue: entry added, size now 1 entries > >> 0928.085150205:imrelp.c: wtpAdviseMaxWorkers signals busy > >> 0928.085355268:main queue:Reg/w0: main queue: entry deleted, state > 0, > >> size now 0 entries > >> 0928.085416731:main queue:Reg/w0: result of expression evaluation: 0 > >> 0928.085443830:main queue:Reg/w0: Filter: check for property > >> 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE > >> 0928.085582122:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, > >> waiting for work. > >> 0928.085693593:imrelp.c: main queue: EnqueueMsg advised worker start > >> 0928.085812887:imrelp.c: tcpSend returns 17 > >> 0928.085841383:imrelp.c: in destructor: sendbuf 0x9bc9228 > >> 0928.086029125:imrelp.c: relp engine is dispatching frame with > command > >> 'syslog' > >> 0928.086053430:imrelp.c: in 'syslog' command handler > >> 0928.086100366:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg > >> 2010-01-18T16:41:14.104596-05:00 spoonie postfix/smtpd[7528]: lost > >> connection after RCPT from 81-64-60- > 151.rev.numericable.fr[81.64.60.151] > >> 0928.086124392:imrelp.c: Message has legacy syslog format. > >> 0928.086157638:imrelp.c: main queue: entry added, size now 1 entries > >> 0928.086202059:imrelp.c: wtpAdviseMaxWorkers signals busy > >> 0928.086419414:main queue:Reg/w0: main queue: entry deleted, state > 0, > >> size now 0 entries > >> 0928.086486185:main queue:Reg/w0: result of expression evaluation: 0 > >> 0928.086514402:main queue:Reg/w0: Filter: check for property > >> 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE > >> 0928.086771149:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, > >> waiting for work. > >> 0928.086895193:imrelp.c: main queue: EnqueueMsg advised worker start > >> 0928.087044659:imrelp.c: tcpSend returns 17 > >> 0928.087074832:imrelp.c: in destructor: sendbuf 0x9bc9e10 > >> 0928.087110313:imrelp.c: relp engine is dispatching frame with > command > >> 'syslog' > >> 0928.087131545:imrelp.c: in 'syslog' command handler > >> 0928.087176805:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg > >> 2010-01-18T16:41:14.104922-05:00 spoonie postfix/smtpd[7528]: > disconnect > >> from 81-64-60-151.rev.numericable.fr[81.64.60.151] > >> 0928.087200552:imrelp.c: Message has legacy syslog format. > >> 0928.087232959:imrelp.c: main queue: entry added, size now 1 entries > >> 0928.087286600:imrelp.c: wtpAdviseMaxWorkers signals busy > >> 0928.087482163:main queue:Reg/w0: main queue: entry deleted, state > 0, > >> size now 0 entries > >> 0928.087581622:main queue:Reg/w0: result of expression evaluation: 0 > >> 0928.087609280:main queue:Reg/w0: Filter: check for property > >> 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE > >> 0928.087783052:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, > >> waiting for work. > >> 0928.087897597:imrelp.c: main queue: EnqueueMsg advised worker start > >> 0928.088020802:imrelp.c: tcpSend returns 17 > >> 0928.088049857:imrelp.c: in destructor: sendbuf 0x9bc9d58 > >> 0928.088078912:imrelp.c: relpSendqIsEmpty() returns 1 > >> 0928.088099586:imrelp.c: ***<librelp> calling select, active file > >> descriptors (max 23): 6 7 23 > >> 0988.087889021:main queue:Reg/w0: main queue:Reg/w0: inactivity > timeout, > >> worker terminating... > >> 0988.088192704:main queue:Reg/w0: main queue:Reg/w0: receiving > command 1 > >> 0988.088222318:main queue:Reg/w0: main queue:Reg/w0: worker > terminating > >> 0988.088247741:main queue:Reg/w0: main queue:Reg: Worker thread > 9bb5a08, > >> terminated, num workers now 0 > >> 0988.088339377:main queue:Reg/w0: destructor for debug call stack > >> 0x9bd1260 called > >> > >> > >> Ralph Crongeyer wrote: > >> > >>> Here's the debug output when configured with single quotes. > >>> I'm sending this off the list to Rainer. > >>> David, let me know if you want this also. > >>> > >>> Thanks guys, > >>> Ralph > >>> > >>> Rainer Gerhards wrote: > >>> > >>> > >>>>> -----Original Message----- > >>>>> From: [email protected] > >>>>> [mailto:[email protected]] On Behalf Of > [email protected] > >>>>> Sent: Monday, January 18, 2010 10:02 PM > >>>>> To: rsyslog-users > >>>>> Subject: Re: [rsyslog] fromhost-ip > >>>>> > >>>>> On Mon, 18 Jan 2010, Rainer Gerhards wrote: > >>>>> > >>>>> > >>>>> > >>>>> > >>>>>> David, > >>>>>> > >>>>>> Single quotes are right in the scripting engine (double > >>>>>> > >>>>>> > >>>>>> > >>>>> quotes are reserved > >>>>> > >>>>> > >>>>> > >>>>>> for future use - they shall provide the capability to > >>>>>> > >>>>>> > >>>>>> > >>>>> extend macros, e.g. > >>>>> > >>>>> > >>>>> > >>>>>> $A="BC" => '$A' is the string "$A", while "$A" is supposed > >>>>>> > >>>>>> > >>>>>> > >>>>> to be the string > >>>>> > >>>>> > >>>>> > >>>>>> "BC"). > >>>>>> > >>>>>> > >>>>>> > >>>>> that is the normal behavior of single vs double quotes, but in > such > >>>>> situations it's normal for 'ABC' and "ABC" to be equivalent, > >>>>> it's only > >>>>> when you have variables involved that there would be a > difference. > >>>>> > >>>>> > >>>>> > >>>> Jup, that's right - but double quotes are not yet implemented ;) > >>>> > >>>> Rainer > >>>> > >>>> > >>>> > >>>>> David Lang > >>>>> > >>>>> > >>>>> > >>>>> > >>>>>> I don't have an idea what may be wrong, but running rsyslog > >>>>>> > >>>>>> > >>>>>> > >>>>> in debug mode > >>>>> > >>>>> > >>>>> > >>>>>> will most probably pinpoint it. > >>>>>> > >>>>>> Rainer > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>>> -----Original Message----- > >>>>>>> From: [email protected] > >>>>>>> [mailto:[email protected]] On Behalf Of > >>>>>>> > >>>>>>> > >>>>>>> > >>>>> [email protected] > >>>>> > >>>>> > >>>>> > >>>>>>> Sent: Monday, January 18, 2010 9:57 PM > >>>>>>> To: rsyslog-users > >>>>>>> Subject: Re: [rsyslog] fromhost-ip > >>>>>>> > >>>>>>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote: > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>>> When I switched to double quotes I get the error in > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>> /var/log/syslog and > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>>> no logs are collected? > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>> what was the error you got this time? > >>>>>>> > >>>>>>> David Lang > >>>>>>> > >>>>>>> _______________________________________________ > >>>>>>> rsyslog mailing list > >>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>>>> http://www.rsyslog.com > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> _______________________________________________ > >>>>>> rsyslog mailing list > >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>>> http://www.rsyslog.com > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>> _______________________________________________ > >>>>> rsyslog mailing list > >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>> http://www.rsyslog.com > >>>>> > >>>>> > >>>>> > >>>>> > >>>> _______________________________________________ > >>>> rsyslog mailing list > >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>>> http://www.rsyslog.com > >>>> > >>>> > >>>> > >>> > >>> > >> > >> > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > > > > -- > Reminds me of my expedition into the wilds of Afghanistan. We lost our > corkscrew and were compelled to live on food and water for several > days. - > WC Fields > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
