Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Thu, 02 Feb 2012 22:44:55 -0800

what does one of these messages look like if you write it out with the RSYSLOG_DEBUG template? 

David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:


Date: Fri, 3 Feb 2012 07:00:26 +0100
From: Michael Maymann <mich...@maymann.org>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Please... Anyone?
On Feb 2, 2012 2:17 PM, "Michael Maymann" <mich...@maymann.org> wrote:


Hi,

got it started... but still ??? dir+logfiles are showing up...
This is now my rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template
DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template
DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template
DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template
DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template
DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template
DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template
DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template
DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template
DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template
DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then
?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then
?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
and $fromhost == '???' then ?DYNIPtraps

I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
??? dir+files...
What variable should I use to handle this properly ?


Thanks in advance :-) !
~maymann

2012/2/2 Michael Maymann <mich...@maymann.org>


Hi,

David: thanks for your reply...
Here is my new rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template
DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template
DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template
DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template
DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template
DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template
DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template
DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template
DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template
DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template
DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template
DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template
DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then
?DYNsecure
if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
and %FROMHOST% != '???' then ?DYNtraps

if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then
?DYNIPsecure
if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then
?DYNIPmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then
?DYNIPspooler
if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then
?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
and %FROMHOST% == '???' then ?DYNIPtraps

but it fails...:
# service rsyslog start
Starting system logger: rsyslogd: run failed with error -2207 (see
rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
means)
                                                           [  OK  ]

my guess is it is my %FROMHOST% == '???' - is this format correct or how
is this done...


Thanks in advance :-) !
~maymann


2012/2/1 <da...@lang.hm>

On Wed, 1 Feb 2012, Michael Maymann wrote:


 Hi,


I want to log information about hosts that are not logging with correct
HOSTNAME.
In my current setup, I get a dir "???" where these host(s) are logging
to...

I would like to change this to the hosts IP instead, something like:
if %FROMHOST% == '???' then %FROMHOST% == %IP



rsyslog cannot do what you are asking. It can't assign a value to a
property.

what you can do is to setup a different template and then if %fromhost%
is your special pattern you can log with this different template.

David Lang
______________________________**_________________
rsyslog mailing list
http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>







_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/

Reply via email to