On 19/01/2021 17:27, Alex Regan via rsyslog wrote:
Hi,

Thanks very much for your help.

Firstly, the second nested conditional (if != 2) is a bit pointless. It's what "else" is for ;-)

Secondly, $hostname contains the hostname contained within the message, not resolved from the source host IP. So if the sender is misconfigured and sends - for example - localhost in logs, you'll have localhost as $hostname.

Thirdly, unless you're very very sure about the contents of the logged events I'd rather go with sorting incoming logs by sender's IP ($fromhost-ip). Caveat: if you're relaying messages for some hosts further down the chain you'd have to somehow pass the original IP; it can get tricky.

And finally, if you're planning on extending this mechanism to splitting to different files for many different sources consider either dynamically templated filenames or using lookups to find appropriate action instead of if/else if chains.

Of course the advice of logging with debug template is good for every problem with event processing.

This is what I've come up with.

if $fromhost-ip == '209.216.111.114' then {
    if $facility == 2 then {
        action(type="omfile" file="/var/log/maillog")
    } else {
        action(type="omfile" file="/var/log/maillog-other")
    }
}

but it then logged nothing after restarting successfully and produced no indication of what was wrong in /var/log/messages. It also never produces the /var/log/maillog-other file.

I also tried to enable debugging in my rsyslog.conf:

$DebugLevel 2
$DebugFile /var/log/rsyslog.log

and while it produced too much output to be helpful, I did see that it at least recorded that IP address.


Hard to tell without really seeing what is in those events that you're receiving and without seeing whole config.

But.

This form of debugging is _not_ what you need. It's for debugging the rsyslogd itself, not your rules. Get rid of it.

As David already wrote, you want to use RSYSLOG_DebugFormat to write full event debug data to a file and see what properties and variables you have associated with the event. Watch out though because it logs huge amounts of data so your file will quickly grow beyond your expectations.

So I'd go with:

action(type="omfile" file="/tmp/debug.log" template="RSYSLOG_DebugFormat")

_before_ this whole config snippet.

Therefore you'd see what you're working on.

If you get no output in the debug.log file, check your permissions (and selinux if it can be involved) and prior rules. Maybe you have some rules before this snippet that block further processing and you don't even get here?
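As a worked example added here (it is not part of this thread and not rsyslog project code), the following RainerScript snippet puts the points above together: the RSYSLOG_DebugFormat capture placed before any routing rule, routing on $fromhost-ip rather than $hostname, and a dynamic filename template instead of an if/else chain. The IP 209.216.111.114 is the one from the thread; the /var/log/remote and /tmp/debug.log paths are assumed placeholders.

```rsyslog
# Added example, not from the thread or the rsyslog project.
# Assumes rsyslog 8.x RainerScript syntax; paths below are placeholders.

# 1. Dump every property of every event BEFORE any routing rule, so you can
#    see what $fromhost-ip, $hostname and $syslogfacility really contain for
#    the sender you care about. Remove it once the rules work: it grows fast.
action(type="omfile" file="/tmp/debug.log" template="RSYSLOG_DebugFormat")

# 2. One file per sender IP and facility, e.g.
#    /var/log/remote/209.216.111.114/mail.log for facility 2 (mail).
#    %fromhost-ip% is taken from the socket, not from the message header,
#    so a sender that writes "localhost" into its messages still lands in
#    the directory for its real source address.
template(name="PerSenderFile" type="string"
         string="/var/log/remote/%fromhost-ip%/%syslogfacility-text%.log")

# 3. Route everything that arrived over the network; events from the local
#    socket show 127.0.0.1 and fall through to the normal rules.
#    "stop" keeps the remote events out of /var/log/messages as well.
if $fromhost-ip != '127.0.0.1' then {
    action(type="omfile" dynaFile="PerSenderFile" dirCreateMode="0750")
    stop
}

# 4. Equivalent of the thread's original intent for a single sender, written
#    with the syslogfacility property and a proper else branch.
if $fromhost-ip == '209.216.111.114' then {
    if $syslogfacility == 2 then {
        action(type="omfile" file="/var/log/maillog")
    } else {
        action(type="omfile" file="/var/log/maillog-other")
    }
    stop
}
```

Only one of blocks 3 and 4 is needed in practice; 3 is the dynamic-template form that scales to many senders, 4 is the explicit per-host form. If debug.log stays empty, the cause is upstream of this snippet (permissions, SELinux, or an earlier rule that already called stop), not the routing itself.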


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog