Hi,
Thanks very much for your help.
> Firstly, the second nested conditional (if != 2) is a bit pointless.
> It's what "else" is for ;-)
>
> Secondly, $hostname contains the hostname contained within the message,
> not resolved from the source host IP. So if the sender is misconfigured
> and sends - for example - localhost in logs, you'll have localhost as
> $hostname.
>
> Thirdly, unless you're very very sure about the contents of the logged
> events I'd rather go with sorting incoming logs by sender's IP
> ($fromhost-ip). Caveat: if you're relaying messages for some hosts
> further down the chain you'd have to somehow pass the original IP; it
> can get tricky.
>
> And finally, if you're planning on extending this mechanism to splitting
> to different files for many different sources consider either dynamically
> templated filenames or using lookups to find appropriate action instead
> of if/else if chains.
>
> Of course the advice of logging with debug template is good for every
> problem with event processing.

This is what I've come up with.

    if $fromhost-ip == '209.216.111.114' then {
        if $facility == 2 then {
            action(type="omfile" file="/var/log/maillog")
        } else {
            action(type="omfile" file="/var/log/maillog-other")
        }

but it then logged nothing after restarting successfully and produced no
indication of what was wrong in /var/log/messages. It also never
produces the /var/log/maillog-other file.
I also tried to enable debugging in my rsyslog.conf:
$DebugLevel 2
$DebugFile /var/log/rsyslog.log
and while it produced too much output to be helpful, I did see that it
at least recorded that IP address.
I'm really unsure what to do next.
Thanks,
Alex
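
The advice quoted in this message (sort by $fromhost-ip, use dynamically templated filenames instead of if/else chains, log with the debug template), written out as an rsyslog configuration. This is an added example, not part of the original thread; the file paths and template names are assumptions.

```rsyslog
# Added example. Paths and template names below are assumptions.

# 1. Debug capture: RSYSLOG_DebugFormat is a built-in template that dumps
#    the properties rsyslog parsed for each message, so the hostname field
#    taken from the message can be compared with the sender address
#    (fromhost-ip) taken from the connection.
action(type="omfile" file="/var/log/rsyslog-debug.log"
       template="RSYSLOG_DebugFormat")

# 2. Filenames built from the sender's IP, not from the hostname the
#    sender wrote into the message, so a misconfigured or untrusted
#    sender cannot choose which file its events land in.
template(name="PerSenderMail" type="string"
         string="/var/log/remote/%fromhost-ip%/maillog")
template(name="PerSenderOther" type="string"
         string="/var/log/remote/%fromhost-ip%/other")

# 3. Route remote messages only. The documented facility properties are
#    $syslogfacility (numeric) and $syslogfacility-text; "mail" is
#    facility 2.
if $fromhost-ip != '127.0.0.1' then {
    if $syslogfacility-text == 'mail' then {
        action(type="omfile" dynaFile="PerSenderMail" createDirs="on")
    } else {
        action(type="omfile" dynaFile="PerSenderOther" createDirs="on")
    }
    stop    # keep remote events out of the local log files
}
```

As the quoted caveat says, behind a relay $fromhost-ip is the relay's address, so the original sender has to be carried some other way.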