[rsyslog] Troubleshooting missing log entries
david at lang.hm
Fri Dec 19 13:07:53 CET 2008
On Thu, 18 Dec 2008, Rainer Gerhards wrote:
> On Thu, 2008-12-18 at 11:59 -0800, Scott Baker wrote:
>> I have the following entry in my rsyslog conf, to match entries based on IP
>> address. Somehow it's not matching any entries.
>>
>> # Switches
>> $FileCreateMode 0644
>> :FROMHOST, isequal, "65.182.224.13" -?switches # Necalea
>> :FROMHOST, isequal, "65.182.224.202" -?switches
>> :FROMHOST, isequal, "66.206.80.60" -?switches
>
> Oh - and are you sure that fromhost has the proper IP addresses? If not
> 100% sure, verify it by putting something like '%FROMHOST%' into a debug
> template (note that there is also FROMHOST-IP, which will have the IP
> address no matter if names are resolved or not).
I was seeing some issues where the fromhost was not getting set properly.
I'll have to go back and dig up the details, but I think I was seeing it
use the localhost as the fromhost and put the real fromhost
information in the message.

I found it by creating an output format that I could tweak and playing
with it to see what was actually showing up in the various parameters.
David Lang
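
The debug-template check suggested in this thread, written out as an added example in legacy rsyslog syntax; it is not configuration from either poster. The template name `FromHostDebug` and the path `/var/log/fromhost-debug.log` are assumptions.

```conf
# Added example; template name and output path are assumptions.

# One line per message showing what rsyslog stored in each sender-related
# property, followed by the unmodified message as received:
#   fromhost    = system the message was received from (name if resolved)
#   fromhost-ip = same system, always as an IP address
#   hostname    = host field parsed out of the message itself
$template FromHostDebug,"fromhost=[%fromhost%] fromhost-ip=[%fromhost-ip%] hostname=[%hostname%] tag=[%syslogtag%] raw=[%rawmsg%]\n"

# Temporarily write every message with that template; remove after diagnosis.
*.* /var/log/fromhost-debug.log;FromHostDebug

# If the debug file shows a resolved name in fromhost rather than the dotted
# address, an isequal filter on the address never matches. Filtering on
# fromhost-ip avoids the dependency on name resolution.
# "switches" is the dynamic-file template referenced in the original post;
# its definition is not shown there.
:fromhost-ip, isequal, "65.182.224.13" -?switches
```

Comparing the bracketed values in the debug file against the strings used in the filters shows directly which property, if any, carries the address being matched.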