This is what I've come up with.

if $fromhost-ip == '209.216.111.114' then {
   if $facility == 2 then { action(type="omfile" file="/var/log/maillog")
   } else {
     action(type="omfile" file="/var/log/maillog-other")
}

but it then logged nothing after restarting successfully and produced no indication of what was wrong in /var/log/messages. It also never produces the /var/log/maillog-other file.

I also tried to enable debugging in my rsyslog.conf:

$DebugLevel 2
$DebugFile /var/log/rsyslog.log

and while it produced too much output to be helpful, I did see that it at least recorded that IP address.


Hard to tell without really seeing what is in those events that you're receiving and without seeing the whole config.

But.

This form of debugging is _not_ what you need. It's for debugging the rsyslogd itself, not your rules. Get rid of it.

As David already wrote, you want to use RSYSLOG_DebugFormat to write full event debug data to a file and see what properties and variables you have associated with the event. Watch out though because it logs huge amounts of data so your file will quickly grow beyond your expectations.

So I'd go with:

action(type="omfile" file="/tmp/debug.log" template="RSYSLOG_DebugFormat")

Okay, now I understand. It's produced output like:

FROMHOST: 'xavier', fromhost-ip: '127.0.0.1', HOSTNAME: 'xavier', PRI: 22,syslogtag 'postfix-117/qmgr[496743]:', programname: 'postfix-117', APP-NAME: 'postfix-117', PROCID: '496743', MSGID: '-',TIMESTAMP: 'Jan 20 08:39:54', STRUCTURED-DATA: '-',msg: '6B1B930668306: removed' escaped msg: '6B1B930668306: removed' inputname: imjournal rawmsg: '6B1B930668306: removed' $!:{ "PRIORITY": "6", "_BOOT_ID": "6ff20e0e797d45789b7c38229e26f928", "_MACHINE_ID": "c4b32aa0d25c4a5d85432835f7c2e2ac", "_HOSTNAME": "xavier.example.com", "_TRANSPORT": "syslog", "SYSLOG_FACILITY": "2", "_UID": "89", "_GID": "89", "_CAP_EFFECTIVE": "0", "_SYSTEMD_CGROUP": "\/system.slice\/postfix.service", "_SYSTEMD_UNIT": "postfix.service", "_SYSTEMD_SLICE": "system.slice", "_SYSTEMD_INVOCATION_ID": "dde7fdbb530148f89ad2ee01b46615ac", "_COMM": "qmgr", "_EXE": "\/usr\/libexec\/postfix\/qmgr", "_CMDLINE": "qmgr -l -t unix -u", "SYSLOG_IDENTIFIER": "postfix-117\/qmgr", "SYSLOG_PID": "496743", "_PID": "496743", "SYSLOG_TIMESTAMP": "Jan 20 08:39:54 ", "MESSAGE": "6B1B930668306: removed", "_SOURCE_REALTIME_TIMESTAMP": "1611149994883159" }

I've modified my config to the following:

if $fromhost-ip == "127.0.0.1" then {
if $syslogfacility == 2 then { action(type="omfile" file="/var/log/maillog") }
   } else {
     action(type="omfile" file="/var/log/maillog-other")
   }
}

It now logs only messages from the local host to /var/log/maillog, but the maillog-other file is not logging messages from the other hosts sending their maillogs to this server. What am I missing?

Here is my full config.

$MaxMessageSize 65536
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 10514
$InputTCPServerBindRuleset remote
$ModLoad imuxsock
$ModLoad imklog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
$SystemLogRateLimitInterval 0
:msg,contains,"LOGDROP " /var/log/iptables.log
& stop
if $programname == 'audit' then {
   action(type="omfile" file="/var/log/kernel.audit.log")
   #  if $syslogseverity >= 4 then stop    # warning
   if $syslogseverity >= 5 then stop    # notice
   #  if $syslogseverity >= 6 then stop    # info
}
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$IMJournalStateFile imjournal.state
$IMJournalIgnorePreviousMessages on
kern.none                     /dev/console
kern.*                       /var/log/kern.log
*.info;kern.none;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.*                               /var/log/secure
action(type="omfile" file="/var/log/rsyslog.log" template="RSYSLOG_DebugFormat")
if $fromhost-ip == "127.0.0.1" then {
if $syslogfacility == 2 then { action(type="omfile" file="/var/log/maillog") }
   } else {
     action(type="omfile" file="/var/log/maillog-other")
   }
}
cron.*                     /var/log/cron
*.emerg                   :omusrmsg:*
uucp,news.crit            /var/log/spooler
local7.*                  /var/log/boot.log




_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
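
Added example (not part of the original thread and not rsyslog project code): a small Python parser for the RSYSLOG_DebugFormat record quoted above, decoding PRI 22 into facility 2 (mail) and severity 6 (info), the numbers that $syslogfacility and $syslogseverity are compared against. The sample is an abbreviated copy of that record; the function names are hypothetical, and values containing an apostrophe are not handled.

```python
import json
import re

# Abbreviated copy of the RSYSLOG_DebugFormat output quoted in the thread
# (the $! JSON tree is trimmed to three keys).
SAMPLE = (
    "FROMHOST: 'xavier', fromhost-ip: '127.0.0.1', HOSTNAME: 'xavier', PRI: 22,"
    "syslogtag 'postfix-117/qmgr[496743]:', programname: 'postfix-117', "
    "msg: '6B1B930668306: removed' inputname: imjournal "
    '$!:{ "PRIORITY": "6", "SYSLOG_FACILITY": "2", "_SYSTEMD_UNIT": "postfix.service" }'
)

# Facility and severity names by numeric code (RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Matches "name: 'value'" and the colon-less "syslogtag 'value'" form.
QUOTED = re.compile(r"([A-Za-z][\w-]*):? '([^']*)'")


def parse_debug_record(text):
    """Return the properties a rule can test, taken from one debug record."""
    head, _, tail = text.partition("$!:")
    props = {k.lower(): v for k, v in QUOTED.findall(head)}
    pri = re.search(r"\bPRI: (\d+)", head)
    if pri:
        value = int(pri.group(1))
        # PRI = facility * 8 + severity
        props["syslogfacility"] = value >> 3
        props["syslogseverity"] = value & 7
    # The $! tree carries the journal fields as JSON.
    props["journal"] = json.loads(tail) if tail.strip() else {}
    return props


def describe(props):
    """One-line summary: source IP, facility.severity, program name."""
    fac = props["syslogfacility"]
    sev = props["syslogseverity"]
    name = FACILITIES[fac] if fac < len(FACILITIES) else f"facility{fac}"
    return f"{props['fromhost-ip']} {name}.{SEVERITIES[sev]} via {props.get('programname')}"


if __name__ == "__main__":
    record = parse_debug_record(SAMPLE)
    print(describe(record))
    print("journal SYSLOG_FACILITY:", record["journal"].get("SYSLOG_FACILITY"))
```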