Yes sir,
Here is the top of the rsyslog.conf file.

# Use traditional timestamp format
# DeBugging
# /var/log/debuglog;RSYSLOG_DebugFormat
# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
#$ModLoad imklog
module(load="imklog")

# Provides support for local system logging (e.g. via logger command)
#$ModLoad imuxsock
module(load="imuxsock")

# imput file
#$ModLoad imfile
module(load="imfile")

#### 4.1.6 of Nessus scan
#$ModLoad imtcp.so
module(load="imtcp.so")
$InputTCPServerRun 514

if $fromhost-ip == '170.235.1.248' then STOP
&~
if $fromhost-ip == '170.235.1.249' then STOP
&~

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

From: Rainer Gerhards <[email protected]>
Sent: Thursday, April 26, 2018 3:12 PM
To: Cheltenham, Chris <[email protected]>
Cc: rsyslog-users <[email protected]>; David Lang <[email protected]>
Subject: Re: [rsyslog] excluding ip addresses

Did you place it in the first line? If so, it records all messages rsyslog receives. So if some are in other logs but not this one, someone else is writing the other logs.

Rainer
Sent from phone, thus brief.

Cheltenham, Chris <[email protected]> wrote on Thu, 26 Apr 2018, 21:04:

Gentlemen,

The log says nothing about those two IP addresses.

[root@devsso03 cas]# cd /var/log
[root@devsso03 log]# cat debuglog | grep 249
[root@devsso03 log]# pwd
/var/log
[root@devsso03 log]# cat debuglog | grep 249
[root@devsso03 log]# cat debuglog | grep 248

Yes it is still chattering away in my application logs.
[root@devsso03 cas]# cat cas.log | grep 248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248
CLIENT IP ADDRESS: 170.235.1.248

Is just not working.
Any other suggestions?

From: Rainer Gerhards <[email protected]>
Sent: Thursday, April 26, 2018 2:51 PM
To: rsyslog-users <[email protected]>
Cc: David Lang <[email protected]>; Cheltenham, Chris <[email protected]>
Subject: Re: [rsyslog] excluding ip addresses

Place

/var/log/debuglog;RSYSLOG_DebugFormat

And *only* this in the *first* line of rsyslog.conf.

Rainer
Sent from phone, thus brief.

Cheltenham, Chris via rsyslog <[email protected]> wrote on Thu, 26 Apr 2018, 20:48:

David,

I have this in rsyslog.conf

if $fromhost-ip == '170.235.1.248' then /var/log/debuglog;RSYSLOG_DebugFormat
&~
if $fromhost-ip == '170.235.1.249' then /var/log/debuglog;RSYSLOG_DebugFormat
&~

Nothing happens.
-----Original Message-----
From: David Lang <[email protected]>
Sent: Thursday, April 26, 2018 2:23 PM
To: Cheltenham, Chris <[email protected]>
Cc: Cheltenham, Chris via rsyslog <[email protected]>
Subject: RE: [rsyslog] excluding ip addresses

you don't need to run in debug mode, just write a file using that template

/var/log/debuglog;RSYSLOG_DebugFormat

will write all logs this way.

On Thu, 26 Apr 2018, Cheltenham, Chris wrote:

> Date: Thu, 26 Apr 2018 14:08:10 -0400 (EDT)
> From: "Cheltenham, Chris" <[email protected]>
> To: David Lang <[email protected]>
> Cc: "Cheltenham, Chris via rsyslog" <[email protected]>
> Subject: RE: [rsyslog] excluding ip addresses
>
> David,
>
> How do I run in debug mode?
> Is it rsyslog -d ?
>
> I am using CentOS 7 so it would be changed in systemd.
>
> -----Original Message-----
> From: David Lang <[email protected]>
> Sent: Thursday, April 26, 2018 2:05 PM
> To: Cheltenham, Chris <[email protected]>
> Cc: Cheltenham, Chris via rsyslog <[email protected]>
> Subject: RE: [rsyslog] excluding ip addresses
>
> On Thu, 26 Apr 2018, Cheltenham, Chris wrote:
>
>> David,
>>
>> Thanks for the reply.
>>
>> I used this
>>
>> if $fromhost-ip == '170.235.1.248' then stop
>> if $fromhost-ip == '170.235.1.249' then stop
>>
>> but it did not work.
>> Is that the correct syntax?
>
> that works
>
> can you log using the format RSYSLOG_DebugFormat and double check that
> fromhost-ip is being set the way you expect it to be?
>
>> I also restarted rsyslog.
>
> yes, that is needed any time you change the config file.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
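
The check suggested in the thread (confirm what rsyslog records as fromhost-ip in an RSYSLOG_DebugFormat file) can be done per record instead of grepping for digits, which also matches addresses that only appear inside message text. This is an added example, not part of the thread or of rsyslog: the function names are hypothetical, the sample records are constructed, and their field layout is assumed to match RSYSLOG_DebugFormat output.

```shell
#!/bin/sh
# Print "<count> <ip>" for each sender found in an RSYSLOG_DebugFormat file.
# Only record header lines (starting "FROMHOST:") are read, so an address that
# merely appears inside a message body is not counted as a sender.
fromhost_counts() {
    awk -F"'" '/^FROMHOST: / && $3 == ", fromhost-ip: " { n[$4]++ }
               END { for (ip in n) print n[ip], ip }' "$1" | sort -k2
}

# Exit status 0 if rsyslog recorded at least one message from sender $2.
seen_from() {
    fromhost_counts "$1" | awk -v ip="$2" '$2 == ip { hit = 1 } END { exit !hit }'
}

# Constructed sample: two records laid out like RSYSLOG_DebugFormat output
# (assumed layout). The second is a local message that only mentions an
# address in its text.
write_sample() {
    cat > "$1" <<'EOF'
Debug line with all properties:
FROMHOST: 'relay1', fromhost-ip: '192.0.2.10', HOSTNAME: 'relay1', PRI: 30,
syslogtag 'sshd[812]:', programname: 'sshd', APP-NAME: 'sshd', PROCID: '812', MSGID: '-',
TIMESTAMP: 'Apr 26 14:05:01', STRUCTURED-DATA: '-',
msg: ' session opened'
escaped msg: ' session opened'
inputname: imtcp rawmsg: '<30>Apr 26 14:05:01 relay1 sshd[812]: session opened'

Debug line with all properties:
FROMHOST: 'apphost', fromhost-ip: '127.0.0.1', HOSTNAME: 'apphost', PRI: 14,
syslogtag 'app:', programname: 'app', APP-NAME: 'app', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Apr 26 14:05:02', STRUCTURED-DATA: '-',
msg: ' CLIENT IP ADDRESS: 192.0.2.48'
escaped msg: ' CLIENT IP ADDRESS: 192.0.2.48'
inputname: imuxsock rawmsg: '<14>Apr 26 14:05:02 app: CLIENT IP ADDRESS: 192.0.2.48'
EOF
}

sample=$(mktemp)
write_sample "$sample"
fromhost_counts "$sample"        # one line per real sender
grep -c '192.0.2.48' "$sample"   # a bare grep also hits message text
seen_from "$sample" 192.0.2.48 || echo "192.0.2.48 never reached rsyslog as a sender"
rm -f "$sample"
```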

