Firstly, the second nested conditional (if != 2) is a bit pointless. It's what "else" is for ;-)

Secondly, $hostname contains the hostname contained within the message, not resolved from the source host IP. So if the sender is misconfigured and sends - for example - localhost in logs, you'll have localhost as $hostname.

Thirdly, unless you're very very sure about the contents of the logged events I'd rather go with sorting incoming logs by sender's IP ($fromhost-ip). Caveat: if you're relaying messages for some hosts further down the chain you'd have to somehow pass the original IP; it can get tricky.

And finally, if you're planning on extending this mechanism to splitting to different files for many different sources, consider either dynamically templated filenames or using lookups to find appropriate action instead of if/else if chains.

Of course the advice of logging with debug template is good for every problem with event processing.

On 19/01/2021 03:52, Alex via rsyslog wrote:
Hi,

I'm using rsyslog-8.2010.0 on fedora33 as a remote logging server. I'd
like to consider logging mail.* messages to individual files based on
hostname. Primarily I want mail messages from the log server (xavier)
to go in the regular /var/log/maillog file.

This is what I've come up with so far, but it doesn't appear to do
anything. It also doesn't report any errors when I reload rsyslog.
What am I doing wrong?

if $hostname == 'xavier' then {
    if $facility == 2 then action(type="omfile" file="/var/log/maillog")
    if $facility != 2 then action(type="omfile" file="/var/log/maillog-other")
}

I've seen references to $syslogfacility instead of just $facility in
the documentation, but that doesn't appear to make a difference
either.

Thanks,
Alex
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
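
The reply's suggestions (else instead of a second if, sorting by $fromhost-ip, a dynamically templated filename, and a debug-template copy) put together as an added example; this is not configuration posted by either participant. The template name MailPerSender and the paths under /var/log/remote and /var/log/rsyslog-debug.log are assumptions, and the inputs are assumed to be configured elsewhere.

```rsyslog
# Added example: route mail-facility messages by the address they arrived
# from, not by the hostname field the sender wrote into the message.

# File name template: one directory per sending IP (path is an assumption).
template(name="MailPerSender" type="string"
         string="/var/log/remote/%fromhost-ip%/maillog")

if $syslogfacility-text == "mail" then {
    # Temporary debug copy: the built-in RSYSLOG_DebugFormat template prints
    # every property, so HOSTNAME (from the message) and fromhost-ip (from
    # the connection) can be compared per event. Remove once routing works.
    action(type="omfile" file="/var/log/rsyslog-debug.log"
           template="RSYSLOG_DebugFormat")

    # Messages from local inputs carry 127.0.0.1 in fromhost-ip, so the log
    # server's own mail log keeps going to the regular file.
    if $fromhost-ip == "127.0.0.1" then {
        action(type="omfile" file="/var/log/maillog")
    } else {
        # Everything else: one file per sender, name built from the template.
        # createDirs makes the per-IP directory on first use.
        action(type="omfile" dynaFile="MailPerSender" createDirs="on")
    }

    # Mail messages are fully handled here; skip the remaining rules.
    stop
}
```

As the reply notes, messages relayed through an intermediate host arrive with the relay's address in fromhost-ip, so they would all land in the relay's directory.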