[rsyslog] Troubleshooting missing log entries
Scott Baker
bakers at web-ster.com
Fri Dec 19 17:38:41 CET 2008

Rainer Gerhards wrote:
> I'd still go for debug mode. You don't need to run it very long. We just
> need to see how a few of these messages are fully processed. A proper
> test setup would be to start up in debug mode with the network cable
> pulled, then plug it in for a second or two, then unplug it again. Once
> rsyslogd is finished processing, stop it. That should lead to useful
> info in the debug log.
>
> Oh - and are you sure that fromhost has the proper IP addresses? If not
> 100% sure, verify it by putting something like '%FROMHOST%' into a debug
> template (note that there is also FROMHOST-IP, which will have the IP
> address no matter if names are resolved or not).

I like the debug template idea, that's genius. Is there a way to have a
bunch of filters to catch assorted things, and then an "everything
leftover" filter?
------------------------------------------------------------------------
# Mail servers log to their special section
$FileCreateMode 0644
:FROMHOST, isequal, "magenta" -?magic-mail
:FROMHOST, isequal, "cyan" -?magic-mail
:FROMHOST, isequal, "orange" -?magic-mail
# Firewalls
:FROMHOST, isequal, "yin" -?firewall
:FROMHOST, isequal, "yang" -?firewall
# Everything that didn't get caught by one of the above filters
(I have no idea what the syntax would be)
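
One way to get both the debug template and an "everything leftover" rule in legacy rsyslog.conf syntax, added here as an example and not taken from the thread or the rsyslog project: each host filter is followed by the discard action `~`, so a matched message stops there and a final `*.*` rule receives whatever remains. The template names `magic-mail` and `firewall` come from the post; their file paths, the `leftover` and `FromhostDebug` templates and the debug log path are assumptions.

```conf
# Added example. All paths and the leftover/FromhostDebug names are assumed.

# Debug template: record what rsyslog sees as the sender of each message.
# FROMHOST is the name of the system the message was received from (resolved
# if possible); FROMHOST-IP is always the address. Both describe the sending
# peer, unlike HOSTNAME, which is copied from the message text.
$template FromhostDebug,"%timegenerated% fromhost='%FROMHOST%' fromhost-ip='%FROMHOST-IP%' tag='%syslogtag%' msg='%msg%'\n"
*.* /var/log/fromhost-debug.log;FromhostDebug

# Dynamic file name templates (paths assumed for this example)
$template magic-mail,"/var/log/remote/mail/%FROMHOST%.log"
$template firewall,"/var/log/remote/firewall/%FROMHOST%.log"
$template leftover,"/var/log/remote/other/%FROMHOST%.log"

$FileCreateMode 0644

# Mail servers: write to the mail file, then discard the message so that
# no later rule sees it. "&" attaches a second action to the same filter.
:FROMHOST, isequal, "magenta" -?magic-mail
& ~
:FROMHOST, isequal, "cyan" -?magic-mail
& ~
:FROMHOST, isequal, "orange" -?magic-mail
& ~

# Firewalls
:FROMHOST, isequal, "yin" -?firewall
& ~
:FROMHOST, isequal, "yang" -?firewall
& ~

# Everything that was not discarded by one of the filters above
*.* -?leftover
```

Rules are evaluated top to bottom, so the catch-all has to be the last rule and the debug rule has to precede the first discard. Later rsyslog releases deprecate `~` in favour of `stop`.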