[rsyslog] Separating logs by host?
Scott Baker
bakers at web-ster.com
Fri Dec 21 17:48:44 CET 2007
Rainer Gerhards wrote:
> Mmhhh... once we have expression support, that will be an easy thing to
> do. Currently, I think there are a number of clumsy work-arounds. We
> are around two months away from expressions, at least if all goes well.
>
> I think you can achieve something with BSD-style filter blocks
> (!progname/-host/+host), something along these lines:
>
> -host
> mail.* /var/log/maillog
> +hostname
> mail.* /var/log/mail-server.log
>
> Of course, this is hostname specific (and that again is not the IP but
> what is in the message...)
>
> To get to the IP, I think you can get at least some way with class A,B,C
> addresses, but NOT with any other masks. Here is the idea:
>
> $template dsl, /var/log/dsl-%$NOW%.log
> $template routers, /var/log/routers-%$NOW%.log
> :FROMHOST, startswith, "192.168.1." -?dsl
> :FROMHOST, startswith, "192.168.3." -?routers
> :FROMHOST, startswith, "10.1.1." -?routers
>
> Common pitfall: be sure to include the trailing dot in the condition to
> match. If the rule were
>
> :FROMHOST, startswith, "192.168.1" -?dsl
>
> it would match 192.168.1.1.2, 192.168.1.1.2 but also 192.168.1.11.2!
>
> With the current engine, there are unfortunately no logical operations
> available. So you cannot check for mail facility or whatever else. A
> somewhat crude work-around would be to include the facility in the file
> name, e.g. by specifying it as follows:
>
> $template dsl, /var/log/dsl-%syslogfacility-text%-%$NOW%.log
>
> That, of course, will result in a file written for each facility, even
> those that you are not interested in. I unfortunately do not have a
> solution for this now.
>
> With v3 expressions, I envision something along these lines:
>
> If maskmatch(FROMHOST, "192.168.1.0", 24) and syslog-facility-text ==
> "mail" then
> writefile "/var/log/dslmail-%$NOW%"
>
> But that is not possible yet. And this is only an idea, not the actual
> config file format we will have at that time. In my blog, there are a
> number of posts about it, but the bottom line is that it is not yet
> designed:
>
> http://rgerhards.blogspot.com/2007/08/on-rsyslog-config-file-format.html
>
> Doc about current capabilities is here:
>
> http://www.rsyslog.com/module-Static_Docs-view-f-rsyslog_conf.html.phtml
>
> search for "Filter Conditions" on that page.
>
> The properties you need are documented here:
>
> http://www.rsyslog.com/module-Static_Docs-view-f-property_replacer.html.phtml
>
> Keep in mind they ARE CASE-SENSITIVE! (and don't ask me why I had that
> idea... ;))
>
> As always, feedback is appreciated. I would be most interested to learn
> at which final config you arrived.
Awesome! This is TOTALLY workable for what we're doing. I'm trying
to set it up and getting a weird message:
------------------------------------------------------------------
Dec 21 08:43:17 green rsyslogd:error: extra characters in config
line ignored: '/var/log/cisco-dsl-%$NOW%.log'
Dec 21 08:43:17 green rsyslogd: Could not find template 'dsl' -
action disabled
Dec 21 08:43:17 green rsyslogd:the last error occured in
/etc/rsyslog.conf, line 37
------------------------------------------------------------------
The config I used is almost exactly what you provided...
$template dsl, /var/log/cisco-dsl-%$NOW%.log
:FROMHOST, startswith, "10.3." -?dsl
Am I missing something basic?
--
Scott Baker - Canby Telcom
RHCE - System Administrator - 503.266.8253
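To make the trailing-dot pitfall and the prefix-versus-netmask limitation from the quoted reply concrete, here is an added Python simulation (it is not rsyslog code and comes from neither poster). The FROMHOST values are constructed, and the evaluation model, each selector line firing independently in order, is an assumption about how the config lines behave.

```python
import ipaddress

# Constructed FROMHOST values for the demo; they are not taken from the thread.
SAMPLE_HOSTS = ["192.168.1.1", "192.168.1.11", "192.168.11.2",
                "192.168.3.7", "10.1.1.9", "10.1.10.9"]

# Rules written without the trailing dot (the pitfall) ...
PREFIX_RULES_BAD = [("192.168.1", "dsl"), ("192.168.3", "routers"), ("10.1.1", "routers")]
# ... and with it, as the reply recommends.
PREFIX_RULES_GOOD = [("192.168.1.", "dsl"), ("192.168.3.", "routers"), ("10.1.1.", "routers")]
# The same routing as networks; a /20 is something a prefix test cannot express.
MASK_RULES = [("192.168.1.0/24", "dsl"), ("192.168.3.0/24", "routers"), ("10.1.0.0/20", "routers")]


def startswith_route(fromhost, rules):
    """Emulate ':FROMHOST, startswith, "<prefix>" -?<template>' lines.

    Each selector line is evaluated on its own, so the message is written by
    every rule whose prefix matches; the returned list keeps rule order.
    """
    return [template for prefix, template in rules if fromhost.startswith(prefix)]


def mask_route(fromhost, rules):
    """Emulate the envisioned maskmatch(FROMHOST, network, bits) with real CIDR tests."""
    addr = ipaddress.ip_address(fromhost)
    return [template for network, template in rules
            if addr in ipaddress.ip_network(network, strict=True)]


def compare_routing(hosts=SAMPLE_HOSTS):
    """Return {host: (no-dot prefix result, dotted prefix result, CIDR result)}."""
    return {h: (startswith_route(h, PREFIX_RULES_BAD),
                startswith_route(h, PREFIX_RULES_GOOD),
                mask_route(h, MASK_RULES)) for h in hosts}


if __name__ == "__main__":
    for host, (bad, good, mask) in compare_routing().items():
        print(f"{host:14} no-dot={bad!s:12} dot={good!s:12} cidr={mask}")
```

Running it shows 192.168.11.2 landing in the dsl log under the dotless rule and nowhere under the dotted one, while 10.1.10.9 is only routed correctly by the /20 network test.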