Date: Wed, 18 Jun 2014 10:17:19 -0400
From: Craig Smith <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: Re: [rsyslog] Replace property

David,

I tried what you suggested but I’m not getting anything in my network.log.
Do you see anything wrong from the info I have gathered?

Thank you.

$template newformat,'%TIMESTAMP% %FROMHOST% %syslogtag%%msg%\n'
if $fromhost-ip == '192.168.69.120' then /var/log/network.log;newformat
& ~
if ($fromhost-ip startswith '162.246.19' or $fromhost-ip startswith '208.184.72.') then /var/log/network.log
& ~

Debug line with all properties:
FROMHOST: 'nashnh.south10.apc.01', fromhost-ip: '192.168.69.120', HOSTNAME: '192.168.69.120', PRI: 15,
syslogtag 'This', programname: 'This', APP-NAME: 'This', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Jun 18 02:34:17', STRUCTURED-DATA: '-',
msg: ' is a test APC message.'
escaped msg: ' is a test APC message.'
inputname: imudp rawmsg: '<15>Jun 18 02:34:17 192.168.69.120 This is a test APC message.'

0693.695124088:7fa703d5d700: imudp: epoll_wait() returned with 1 fds
0693.695196209:7fa703d5d700: imudp:recv(5,62),acl:1,msg:<15>Jun 18 02:34:17
192.168.69.120 This is a test APC message.r/sbin/sshd[39214]: exited,
status 255
0693.695240070:7fa703d5d700: msg parser: flags 70, from '~NOTRESOLVED~',
msg '<15>Jun 18 02:34:17 192.168.69.120 This is a test APC messag'
0693.695253360:7fa703d5d700: parse using parser list 0xdce040 (the default
list).
0693.695268050:7fa703d5d700: Parser 'rsyslog.rfc5424' returned -2160
0693.695278904:7fa703d5d700: Message will now be parsed by the legacy
syslog parser (one size fits all... ;)).
0693.695295238:7fa703d5d700: Parser 'rsyslog.rfc3164' returned 0
0693.695334771:7fa703d5d700: main Q: qqueueAdd: entry added, size now log
1, phys 1 entries
0693.695358740:7fa703d5d700: main Q: MultiEnqObj advised worker start
0693.695388478:7fa70355c700: wti 0xdda390: worker awoke from idle processing
0693.695403130:7fa70355c700: DeleteProcessedBatch: we deleted 0 objects and
enqueued 0 objects
0693.695409639:7fa70355c700: doDeleteBatch: delete batch from store, new
sizes: log 1, phys 1
0693.695420256:7fa70355c700: processBatch: batch of 1 elements must be
processed
0693.695432103:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.695437115:7fa70355c700: ACTION 0xde47e0
[builtin:omfile:/var/log/all.log;RSYSLOG_DebugFormat]
0693.695452481:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active (nil)
0693.695458364:7fa70355c700: Called action(NotAllMark), processing batch[0]
via 'builtin:omfile'
0693.695463136:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.695485924:7fa70355c700: dnscache: entry (nil) found
0693.695836719:7fa70355c700: submitBatch: enter, nElem 1
0693.695844315:7fa70355c700: tryDoAction 0xde47e0, pnElem 1, nElem 1
0693.695854134:7fa70355c700: Action 0xde47e0 transitioned to state: itx
0693.695860176:7fa70355c700: entering actionCalldoAction(), state: itx
0693.695864300:7fa70355c700: file to log to: /var/log/all.log
0693.695868026:7fa70355c700: omfile: start of data: 'Debug line with all
properties:
FROMHOST: 'nashnh.south10.apc.01', fromhost-ip: '192.168.69.120', HOSTNAME:
'192.168.69.120', PR'
0693.695879183:7fa70355c700: write to stream, pData->pStrm 0x7fa6fc002230,
lenBuf 430
0693.695884943:7fa70355c700: action 0xde47e0 call returned -2121
0693.695890678:7fa70355c700: strm 0x7fa6fc002230: file 7(all.log) flush,
buflen 430
0693.695904286:7fa70355c700: strmPhysWrite, stream 0x7fa6fc002230, len 430
0693.696004374:7fa70355c700: strm 0x7fa6fc002230: file 7 write wrote 430
bytes
0693.696010956:7fa70355c700: Action 0xde47e0 transitioned to state: rdy
0693.696016170:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696019872:7fa70355c700: PROPFILT
0693.696026528:7fa70355c700: Property.: 'msg'
0693.696034271:7fa70355c700: Operation: 'contains'
0693.696043439:7fa70355c700: Value....: '[UFW '
0693.696052739:7fa70355c700: Filter: check for property 'msg' (value ' is a
test APC message.') contains '[UFW ': FALSE
0693.696059333:7fa70355c700: batch: item 0 PROPFILT 0
0693.696069709:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:0
0693.696074137:7fa70355c700: ACTION 0xde3a00
[builtin:omfile:/var/log/ufw.log]
0693.696082152:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active 0x7fa6fc001060
0693.696091983:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.696097155:7fa70355c700: submitBatch: enter, nElem 1
0693.696100875:7fa70355c700: tryDoAction 0xde3a00, pnElem 1, nElem 1
0693.696110949:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696115217:7fa70355c700: IF
0693.696122540:7fa70355c700: var '$fromhost-ip'
0693.696132500:7fa70355c700: ==
0693.696147151:7fa70355c700: string '192.168.69.120'
0693.696174036:7fa70355c700: eval expr 0xde4350, type 'CMP_EQ'
0693.696180885:7fa70355c700: eval expr 0xde4210, type 'V[86]'
0693.696191580:7fa70355c700: rainerscript: var '$fromhost-ip':
'192.168.69.120'
0693.696203540:7fa70355c700: batch: item 0: expr eval: 1
0693.696207977:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:1
0693.696211631:7fa70355c700: STOP
0693.696225857:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696229589:7fa70355c700: IF
0693.696236284:7fa70355c700: var '$fromhost-ip'
0693.696248029:7fa70355c700: STARTSWITH
0693.696264150:7fa70355c700: string '162.246.19'
0693.696278163:7fa70355c700: OR
0693.696286526:7fa70355c700: var '$fromhost-ip'
0693.696298187:7fa70355c700: STARTSWITH
0693.696307610:7fa70355c700: string '208.184.72.'
0693.696328501:7fa70355c700: execIf: all batch elements are inactive,
holding execution
0693.696332761:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696336175:7fa70355c700: PRIFILT 'auth,authpriv.*'
0693.696348444:7fa70355c700: pmask: X X X X FF X X X X X FF
X X X X X X X X X X X X X X
0693.696420166:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.696424188:7fa70355c700: ACTION 0xde1a40
[builtin:omfile:/var/log/auth.log]
0693.696439344:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active 0x7fa6fc001060
0693.696443553:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.696453233:7fa70355c700: submitBatch: enter, nElem 1
0693.696457610:7fa70355c700: tryDoAction 0xde1a40, pnElem 1, nElem 1
0693.696461873:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696471710:7fa70355c700: PRIFILT '*.*;auth,authpriv.none'
0693.696479360:7fa70355c700: pmask: FF FF FF FF X FF FF FF FF FF X FF
FF FF FF FF FF FF FF FF FF FF FF FF FF
0693.696538632:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.696542411:7fa70355c700: ACTION 0xde2200
[builtin:omfile:-/var/log/syslog]
0693.696550577:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active 0x7fa6fc001060
0693.696554624:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.696558764:7fa70355c700: submitBatch: enter, nElem 1
0693.696562322:7fa70355c700: tryDoAction 0xde2200, pnElem 1, nElem 1
0693.696566597:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696569995:7fa70355c700: PRIFILT 'kern.*'
0693.696576790:7fa70355c700: pmask: FF X X X X X X X X X X
X X X X X X X X X X X X X X
0693.696633008:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.696637211:7fa70355c700: ACTION 0xde5cc0
[builtin:omfile:-/var/log/kern.log]
0693.696645050:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active 0x7fa6fc001060
0693.696654478:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.696659422:7fa70355c700: submitBatch: enter, nElem 1
0693.696662974:7fa70355c700: tryDoAction 0xde5cc0, pnElem 1, nElem 1
0693.696672841:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696676984:7fa70355c700: PRIFILT 'mail.*'
0693.696683647:7fa70355c700: pmask: X X FF X X X X X X X X
X X X X X X X X X X X X X X
0693.696739843:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.696743758:7fa70355c700: ACTION 0xde64e0
[builtin:omfile:-/var/log/mail.log]
0693.696751474:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active 0x7fa6fc001060
0693.696760948:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.696765832:7fa70355c700: submitBatch: enter, nElem 1
0693.696769329:7fa70355c700: tryDoAction 0xde64e0, pnElem 1, nElem 1
0693.696779016:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696783216:7fa70355c700: PRIFILT 'mail.err'
0693.696789843:7fa70355c700: pmask: X X F X X X X X X X X
X X X X X X X X X X X X X X
0693.696845986:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.696849837:7fa70355c700: ACTION 0xde6d00
[builtin:omfile:/var/log/mail.err]
0693.696858009:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active 0x7fa6fc001060
0693.696861930:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.696866034:7fa70355c700: submitBatch: enter, nElem 1
0693.696869532:7fa70355c700: tryDoAction 0xde6d00, pnElem 1, nElem 1
0693.696879554:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696883775:7fa70355c700: PRIFILT 'news.crit'
0693.696890321:7fa70355c700: pmask: X X X X X X X 7 X X X
X X X X X X X X X X X X X X
0693.696946503:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.696950475:7fa70355c700: ACTION 0xde7520
[builtin:omfile:/var/log/news/news.crit]
0693.696958695:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active 0x7fa6fc001060
0693.696962565:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.696966623:7fa70355c700: submitBatch: enter, nElem 1
0693.696970451:7fa70355c700: tryDoAction 0xde7520, pnElem 1, nElem 1
0693.696974531:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.696977957:7fa70355c700: PRIFILT 'news.err'
0693.696990194:7fa70355c700: pmask: X X X X X X X F X X X
X X X X X X X X X X X X X X
0693.697040904:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.697044543:7fa70355c700: ACTION 0xde7d40
[builtin:omfile:/var/log/news/news.err]
0693.697058414:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active 0x7fa6fc001060
0693.697062584:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.697067072:7fa70355c700: submitBatch: enter, nElem 1
0693.697070597:7fa70355c700: tryDoAction 0xde7d40, pnElem 1, nElem 1
0693.697074563:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.697083745:7fa70355c700: PRIFILT 'news.notice'
0693.697091203:7fa70355c700: pmask: X X X X X X X 3F X X X
X X X X X X X X X X X X X X
0693.697146995:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.697150790:7fa70355c700: ACTION 0xde8580
[builtin:omfile:-/var/log/news/news.notice]
0693.697158812:7fa70355c700: RRRR: execAct [builtin:omfile]: batch of 1
elements, active 0x7fa6fc001060
0693.697162792:7fa70355c700: Called action(Batch), logging to builtin:omfile
0693.697166911:7fa70355c700: submitBatch: enter, nElem 1
0693.697170394:7fa70355c700: tryDoAction 0xde8580, pnElem 1, nElem 1
0693.697174711:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.697178122:7fa70355c700: PRIFILT '*.emerg'
0693.697184821:7fa70355c700: pmask: 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1
0693.697238486:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.697242086:7fa70355c700: ACTION 0xde8d00
[builtin:omusrmsg::omusrmsg:*]
0693.697250059:7fa70355c700: RRRR: execAct [builtin:omusrmsg]: batch of 1
elements, active 0x7fa6fc001060
0693.697259935:7fa70355c700: Called action(Batch), logging to
builtin:omusrmsg
0693.697264957:7fa70355c700: submitBatch: enter, nElem 1
0693.697268446:7fa70355c700: tryDoAction 0xde8d00, pnElem 1, nElem 1
0693.697277850:7fa70355c700: scriptExec: batch of 1 elements, active (nil),
active[0]:1
0693.697282044:7fa70355c700: PRIFILT
'daemon.*;mail.*;news.err;*.=debug;*.=info;*.=notice;*.=warn'
0693.697294350:7fa70355c700: pmask: F0 F0 FF FF F0 F0 F0 FF F0 F0 F0 F0
F0 F0 F0 F0 F0 F0 F0 F0 F0 F0 F0 F0 F0
0693.697348201:7fa70355c700: scriptExec: batch of 1 elements, active
0x7fa6fc001060, active[0]:80
0693.697357255:7fa70355c700: ACTION 0xde9570
[builtin:ompipe:|/dev/xconsole]
0693.697366245:7fa70355c700: RRRR: execAct [builtin:ompipe]: batch of 1
elements, active 0x7fa6fc001060
0693.697375317:7fa70355c700: Called action(Batch), logging to builtin:ompipe
0693.697380084:7fa70355c700: submitBatch: enter, nElem 1
0693.697383570:7fa70355c700: tryDoAction 0xde9570, pnElem 1, nElem 1
0693.697387686:7fa70355c700: ruleset.ProcessMsg() returns 0
0693.697391654:7fa70355c700: regular consumer finished, iret=0, szlog 0 sz
phys 1
0693.697395953:7fa70355c700: DeleteProcessedBatch: we deleted 1 objects and
enqueued 0 objects
0693.697405520:7fa70355c700: doDeleteBatch: delete batch from store, new
sizes: log 0, phys 0
0693.697410365:7fa70355c700: regular consumer finished, iret=4, szlog 0 sz
phys 0
0693.697414322:7fa70355c700: main Q:Reg/w0: worker IDLE, waiting for work.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog