[rsyslog] Property-Based Filters
Radu Gheorghiu
radu at pengooin.net
Sat Mar 22 13:21:44 CET 2008
Hi,
Well, as I said, I needed a central log solution.
So I did this:
$template messages-per-host1,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages"
$template messages-per-host2,"/var/log/hosts/%FROMHOST%/messages"
and for testing purposes (and debug):
$template MyTemplateName,"TheHost:d%FROMHOST%d %syslogseverity% TheMsg: %msg%\n"
And here is the rest:
*.info;mail.none;authpriv.none;cron.none    ?messages-per-host1;MyTemplateName
*.info;mail.none;authpriv.none;cron.none    ?messages-per-host2;MyTemplateName
I look in /var/log/hosts:
2008 clog-he-de messages
clog-he-de is the localhost ..
and 2008 + messages is created because FROMHOST is empty.
proof:
cat messages
TheHost:dd 6 TheMsg: [origin software="rsyslogd" swVersion="2.0.3"
x-pid="12215" x-info="http://www.rsyslog.com"][x-configInfo
udpReception="Yes" udpPort="514" tcpReception="No" tcpPort="0"] restart
Note the "dd" after "TheHost:". I put it there to be sure there's
nothing between the two "d".
Thanks,
Radu Gheorghiu
Rainer Gerhards wrote:
>> Hi,
>> I'm using stable. I'm trying to create some central log machine.
>> I made some tests .. and it seems that when I start rsyslog on the
>> central logging machine, it creates some messages regarding rsyslog
>> version, for those messages FROMHOST is empty.
>>
>
> That *is* a bug. FROMHOST should not be empty. And now that I know, it
> probably won't be empty in the future ;)
>
>
>> If you want I can provide you with full rsyslog.conf. Please test and
>> reply.
>>
>
> So you want to filter out the rsyslog startup and shutdown messages?
> Please provide me a few samples of what the messages look like in your
> log files.
>
> Thanks,
> Rainer
>
>
>> Thanks,
>> Radu Gheorghiu
>>
>> Rainer Gerhards wrote:
>>
>>> Hi Radu,
>>>
>>> I will look into the issue, smells like a bug. But FROMHOST can never be
>>> empty... Is it just a sample? If so, which property are you looking at
>>> (I wonder what may be empty, thus the question...).
>>>
>>> Rainer
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Radu Gheorghiu
>>>> Sent: Saturday, March 22, 2008 6:47 AM
>>>> To: rsyslog at lists.adiscon.com
>>>> Subject: [rsyslog] Property-Based Filters
>>>>
>>>> Hi,
>>>>
>>>> I'm having trouble setting up some properties-based filters. I want to
>>>> see if some property is equal to "" (empty).
>>>> I'm doing this:
>>>> :FROMHOST, isequal, ""
>>>> *.info;mail.none;authpriv.none;cron.none    ?messages-per-host4
>>>>
>>>> But it still matches everything it should not. Am I doing something
>>>> wrong?
>>>>
>>>> Thanks,
>>>> Radu
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>
>>>>
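
Added example, not part of the original thread and not rsyslog code: a Python model of how the two dynamic-file templates from the post expand when FROMHOST is empty, which reproduces the stray "2008" and "messages" entries directly under /var/log/hosts, next to a guarded expansion that falls back to a fixed directory. The expand() and guarded_expand() helpers, the hostname pattern, the "_unknown" fallback and the month/day values are assumptions made for this example.

```python
import posixpath
import re

BASE = "/var/log/hosts"
# The two dynamic-file templates from the post, with rsyslog %PROP% placeholders.
TEMPLATES = {
    "messages-per-host1": BASE + "/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages",
    "messages-per-host2": BASE + "/%FROMHOST%/messages",
}
# Assumption: a usable host component looks like a plain hostname or address.
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed samples: the local startup message (empty FROMHOST) and a named host.
STARTUP = {"FROMHOST": "", "$YEAR": "2008", "$MONTH": "03", "$DAY": "22"}
REMOTE = dict(STARTUP, FROMHOST="clog-he-de")


def expand(template, props):
    """Model of placeholder substitution; a missing property expands to ''."""
    path = re.sub(r"%([^%]+)%", lambda m: props.get(m.group(1), ""), template)
    # The filesystem treats '//' like '/', so normalise to see the real target.
    return posixpath.normpath(path)


def guarded_expand(template, props, fallback="_unknown"):
    """Expand, but never let an empty or malformed host value shape the path."""
    host = props.get("FROMHOST", "")
    if not SAFE_HOST.match(host):
        host = fallback
    path = expand(template, dict(props, FROMHOST=host))
    # Second check: the first component under BASE must be the host directory.
    if posixpath.relpath(path, BASE).split("/")[0] != host:
        raise ValueError("path is not inside a per-host directory: " + path)
    return path


def demo():
    """Return (template, unguarded, guarded) rows for the empty-FROMHOST case."""
    return [(name, expand(tpl, STARTUP), guarded_expand(tpl, STARTUP))
            for name, tpl in TEMPLATES.items()]


if __name__ == "__main__":
    for row in demo():
        print("%-20s %-40s %s" % row)
```
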