Ok. I'll try it with TCP (@@). This weekend I'll build a deb of the latest rsyslog and relp and check it out.
Would I ned the latest on both the rsyslog server and the client or just the server? Thanks, Ralph ----------------original message----------------- From: "Rainer Gerhards" [email protected] To: "rsyslog-users" [email protected] Date: Tue, 19 Jan 2010 10:44:04 +0100 ------------------------------------------------- > RELP did not provide fromhost-ip until recently. You need to use the most > recent development version of the git master branch (to be released soon) > TOGETHER with the most recent version of librelp to get that information. > > Rainer > >> -----Original Message----- >> From: [email protected] [mailto:rsyslog- >> [email protected]] On Behalf Of Ralph Crongeyer >> Sent: Monday, January 18, 2010 11:12 PM >> To: rsyslog-users >> Subject: Re: [rsyslog] fromhost-ip >> >> No, I'm starting with -c4. >> >> I'll give it a try but ultimately I need to filter in IP. >> >> I'll try it when I get back from dinner...... >> >> Thanks again for your help with this guys. >> >> [email protected] wrote: >> > Ok, this says that fromhost-ip is not being set in your case. >> > >> > I think I ran into a similar problem before, are you starting with -x >> to >> > disable name lookups? >> > >> > try changing from fromhost-ip to fromhost >> > >> > David Lang >> > >> > On Mon, 18 Jan 2010, Ralph Crongeyer wrote: >> > >> > >> >> This ma be of help: >> >> >> >> 0928.085091536:imrelp.c: Message has legacy syslog format. >> >> 0928.085124502:imrelp.c: main queue: entry added, size now 1 entries >> >> 0928.085150205:imrelp.c: wtpAdviseMaxWorkers signals busy >> >> 0928.085355268:main queue:Reg/w0: main queue: entry deleted, state >> 0, >> >> size now 0 entries >> >> 0928.085416731:main queue:Reg/w0: result of expression evaluation: 0 >> >> 0928.085443830:main queue:Reg/w0: Filter: check for property >> >> 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE >> >> 0928.085582122:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, >> >> waiting for work. >> >> 0928.085693593:imrelp.c: main queue: EnqueueMsg advised worker start >> >> 0928.085812887:imrelp.c: tcpSend returns 17 >> >> 0928.085841383:imrelp.c: in destructor: sendbuf 0x9bc9228 >> >> 0928.086029125:imrelp.c: relp engine is dispatching frame with >> command >> >> 'syslog' >> >> 0928.086053430:imrelp.c: in 'syslog' command handler >> >> 0928.086100366:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg >> >> 2010-01-18T16:41:14.104596-05:00 spoonie postfix/smtpd[7528]: >> lost >> >> connection after RCPT from 81-64-60- >> 151.rev.numericable.fr[81.64.60.151] >> >> 0928.086124392:imrelp.c: Message has legacy syslog format. >> >> 0928.086157638:imrelp.c: main queue: entry added, size now 1 entries >> >> 0928.086202059:imrelp.c: wtpAdviseMaxWorkers signals busy >> >> 0928.086419414:main queue:Reg/w0: main queue: entry deleted, state >> 0, >> >> size now 0 entries >> >> 0928.086486185:main queue:Reg/w0: result of expression evaluation: 0 >> >> 0928.086514402:main queue:Reg/w0: Filter: check for property >> >> 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE >> >> 0928.086771149:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, >> >> waiting for work. >> >> 0928.086895193:imrelp.c: main queue: EnqueueMsg advised worker start >> >> 0928.087044659:imrelp.c: tcpSend returns 17 >> >> 0928.087074832:imrelp.c: in destructor: sendbuf 0x9bc9e10 >> >> 0928.087110313:imrelp.c: relp engine is dispatching frame with >> command >> >> 'syslog' >> >> 0928.087131545:imrelp.c: in 'syslog' command handler >> >> 0928.087176805:imrelp.c: logmsg: flags 20, from '192.168.1.5', msg >> >> 2010-01-18T16:41:14.104922-05:00 spoonie postfix/smtpd[7528]: >> disconnect >> >> from 81-64-60-151.rev.numericable.fr[81.64.60.151] >> >> 0928.087200552:imrelp.c: Message has legacy syslog format. >> >> 0928.087232959:imrelp.c: main queue: entry added, size now 1 entries >> >> 0928.087286600:imrelp.c: wtpAdviseMaxWorkers signals busy >> >> 0928.087482163:main queue:Reg/w0: main queue: entry deleted, state >> 0, >> >> size now 0 entries >> >> 0928.087581622:main queue:Reg/w0: result of expression evaluation: 0 >> >> 0928.087609280:main queue:Reg/w0: Filter: check for property >> >> 'fromhost-ip' (value '[unset]') isequal '192.168.1.1': FALSE >> >> 0928.087783052:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, >> >> waiting for work. >> >> 0928.087897597:imrelp.c: main queue: EnqueueMsg advised worker start >> >> 0928.088020802:imrelp.c: tcpSend returns 17 >> >> 0928.088049857:imrelp.c: in destructor: sendbuf 0x9bc9d58 >> >> 0928.088078912:imrelp.c: relpSendqIsEmpty() returns 1 >> >> 0928.088099586:imrelp.c: *** calling select, active file >> >> descriptors (max 23): 6 7 23 >> >> 0988.087889021:main queue:Reg/w0: main queue:Reg/w0: inactivity >> timeout, >> >> worker terminating... >> >> 0988.088192704:main queue:Reg/w0: main queue:Reg/w0: receiving >> command 1 >> >> 0988.088222318:main queue:Reg/w0: main queue:Reg/w0: worker >> terminating >> >> 0988.088247741:main queue:Reg/w0: main queue:Reg: Worker thread >> 9bb5a08, >> >> terminated, num workers now 0 >> >> 0988.088339377:main queue:Reg/w0: destructor for debug call stack >> >> 0x9bd1260 called >> >> >> >> >> >> Ralph Crongeyer wrote: >> >> >> >>> Here's the debug output when configured with single quotes. >> >>> I'm sending this off the list to Rainer. >> >>> David, let me know if you want this also. >> >>> >> >>> Thanks guys, >> >>> Ralph >> >>> >> >>> Rainer Gerhards wrote: >> >>> >> >>> >> >>>>> -----Original Message----- >> >>>>> From: [email protected] >> >>>>> [mailto:[email protected]] On Behalf Of >> [email protected] >> >>>>> Sent: Monday, January 18, 2010 10:02 PM >> >>>>> To: rsyslog-users >> >>>>> Subject: Re: [rsyslog] fromhost-ip >> >>>>> >> >>>>> On Mon, 18 Jan 2010, Rainer Gerhards wrote: >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>>> David, >> >>>>>> >> >>>>>> Single quotes are right in the scripting engine (double >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>> quotes are reserved >> >>>>> >> >>>>> >> >>>>> >> >>>>>> for future use - they shall provide the capability to >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>> extend macros, e.g. >> >>>>> >> >>>>> >> >>>>> >> >>>>>> $A="BC" => '$A' is the string "$A", while "$A" is supposed >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>> to be the string >> >>>>> >> >>>>> >> >>>>> >> >>>>>> "BC"). >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>> that is the normal behavior of single vs double quotes, but in >> such >> >>>>> situations it's normal for 'ABC' and "ABC" to be equivalent, >> >>>>> it's only >> >>>>> when you have variables involved that there would be a >> difference. >> >>>>> >> >>>>> >> >>>>> >> >>>> Jup, that's right - but double quotes are not yet implemented ;) >> >>>> >> >>>> Rainer >> >>>> >> >>>> >> >>>> >> >>>>> David Lang >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>>> I don't have an idea what may be wrong, but running rsyslog >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>> in debug mode >> >>>>> >> >>>>> >> >>>>> >> >>>>>> will most probably pinpoint it. >> >>>>>> >> >>>>>> Rainer >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>>>> -----Original Message----- >> >>>>>>> From: [email protected] >> >>>>>>> [mailto:[email protected]] On Behalf Of >> >>>>>>> >> >>>>>>> >> >>>>>>> >> >>>>> [email protected] >> >>>>> >> >>>>> >> >>>>> >> >>>>>>> Sent: Monday, January 18, 2010 9:57 PM >> >>>>>>> To: rsyslog-users >> >>>>>>> Subject: Re: [rsyslog] fromhost-ip >> >>>>>>> >> >>>>>>> On Mon, 18 Jan 2010, Ralph Crongeyer wrote: >> >>>>>>> >> >>>>>>> >> >>>>>>> >> >>>>>>> >> >>>>>>>> When I switched to double quotes I get the error in >> >>>>>>>> >> >>>>>>>> >> >>>>>>>> >> >>>>>>> /var/log/syslog and >> >>>>>>> >> >>>>>>> >> >>>>>>> >> >>>>>>>> no logs are collected? >> >>>>>>>> >> >>>>>>>> >> >>>>>>>> >> >>>>>>> what was the error you got this time? >> >>>>>>> >> >>>>>>> David Lang >> >>>>>>> >> >>>>>>> _______________________________________________ >> >>>>>>> rsyslog mailing list >> >>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >> >>>>>>> http://www.rsyslog.com >> >>>>>>> >> >>>>>>> >> >>>>>>> >> >>>>>>> >> >>>>>> _______________________________________________ >> >>>>>> rsyslog mailing list >> >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >> >>>>>> http://www.rsyslog.com >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>> _______________________________________________ >> >>>>> rsyslog mailing list >> >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >> >>>>> http://www.rsyslog.com >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>> _______________________________________________ >> >>>> rsyslog mailing list >> >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog >> >>>> http://www.rsyslog.com >> >>>> >> >>>> >> >>>> >> >>> >> >>> >> >> >> >> >> > _______________________________________________ >> > rsyslog mailing list >> > http://lists.adiscon.net/mailman/listinfo/rsyslog >> > http://www.rsyslog.com >> > >> >> >> -- >> Reminds me of my expedition into the wilds of Afghanistan. We lost our >> corkscrew and were compelled to live on food and water for several >> days. - >> WC Fields >> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
