[rsyslog] Property-Based Filters

Rainer Gerhards rgerhards at hq.adiscon.com
Sat Mar 22 13:46:51 CET 2008


Ah, ok, so the problem actually is that fromhost is empty...

----- Original Message -----
From: "Radu Gheorghiu" <radu at pengooin.net>
To: "rsyslog-users" <rsyslog at lists.adiscon.com>
Sent: 22.03.08 13:21
Subject: Re: [rsyslog] Property-Based Filters

Hi,

Well, as I said, I needed a central log solution.
So I did this:

$template messages-per-host1,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages"
$template messages-per-host2,"/var/log/hosts/%FROMHOST%/messages"

and for testing purposes (and debug):

$template MyTemplateName,"TheHost:d%FROMHOST%d %syslogseverity% TheMsg: %msg%\n"

And here is the rest:
*.info;mail.none;authpriv.none;cron.none                ?messages-per-host1;MyTemplateName
*.info;mail.none;authpriv.none;cron.none                ?messages-per-host2;MyTemplateName

I look in /var/log/hosts:
2008  clog-he-de  messages
clog-he-de is the localhost,
and 2008 + messages are created because FROMHOST is empty.
Proof:

cat messages
TheHost:dd 6 TheMsg:  [origin software="rsyslogd" swVersion="2.0.3" x-pid="12215" x-info="http://www.rsyslog.com"][x-configInfo udpReception="Yes" udpPort="514" tcpReception="No" tcpPort="0"] restart

Note the "dd" after "TheHost:". I put it there to be sure there's
nothing between the two "d".

Thanks,
Radu Gheorghiu

Rainer Gerhards wrote:
>> Hi,
>> I'm using stable. I'm trying to create some central log machine.
>> I made some tests .. and it seems that when I start rsyslog on the
>> central logging machine, it creates some messages regarding rsyslog
>> version, for those messages FROMHOST is empty.
>
> That *is* a bug. FROMHOST should not be empty. And now that I know, it
> probably won't be empty in the future ;)
>
>> If you want I can provide
>> you with full rsyslog.conf. Please test and reply.
>
> So you want to filter out the rsyslog startup and shutdown messages?
> Please provide me a few samples of what the messages look like in your log
> files.
>
> Thanks,
> Rainer
>
>> Thanks,
>> Radu Gheorghiu
>>
>> Rainer Gerhards wrote:
>>> Hi Radu,
>>>
>>> I will look into the issue, smells like a bug. But FROMHOST can never be
>>> empty... Is it just a sample? If so, which property are you looking at
>>> (I wonder what may be empty, thus the question...).
>>>
>>> Rainer
>>>
>>>> -----Original Message-----
>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Radu Gheorghiu
>>>> Sent: Saturday, March 22, 2008 6:47 AM
>>>> To: rsyslog at lists.adiscon.com
>>>> Subject: [rsyslog] Property-Based Filters
>>>>
>>>> Hi,
>>>>
>>>> I'm having trouble setting up some properties-based filters. I want to
>>>> see if some property is equal to "" (empty).
>>>> I'm doing this:
>>>> :FROMHOST, isequal, ""
>>>> *.info;mail.none;authpriv.none;cron.none                ?messages-per-host4
>>>>
>>>> But it still matches everything it should not. Am I doing something
>>>> wrong?
>>>>
>>>> Thanks,
>>>> Radu

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
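
The path collapse reported in this thread can be reproduced offline. The following is an added example, not code from the thread or from rsyslog: it expands the two dynamic-file templates quoted above with a simplified stand-in for template expansion (plain %name% substitution only, names treated as case-insensitive by assumption) and flags every property that expanded to an empty string. The sample records are constructed.

```python
import posixpath
import re

# The two file-name templates, copied from the message above.
TEMPLATES = {
    "messages-per-host1": "/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages",
    "messages-per-host2": "/var/log/hosts/%FROMHOST%/messages",
}
PROP = re.compile(r"%([^%]+)%")

# Constructed sample records (not real log data): one message with FROMHOST
# set, and the rsyslogd startup message the thread reports with it empty.
DATE = {"$year": "2008", "$month": "03", "$day": "22"}
WITH_HOST = {"fromhost": "clog-he-de", **DATE}
STARTUP = {"fromhost": "", **DATE}

def expand(template, props):
    """Simplified model of template expansion: plain %name% only.
    Returns (expanded text, names of properties that expanded to "")."""
    empty = []
    def sub(match):
        name = match.group(1)
        value = props.get(name.lower(), "")
        if value == "":
            empty.append(name)
        return value
    return PROP.sub(sub, template), empty

def resolve(template, props):
    """Return (path the filesystem would open, empty properties)."""
    raw, empty = expand(template, props)
    # An empty path component leaves "//", which the OS treats as "/".
    return posixpath.normpath(raw), empty

def audit(props):
    """Map template name -> (resolved path, empty properties) for one record."""
    return {name: resolve(tpl, props) for name, tpl in TEMPLATES.items()}

if __name__ == "__main__":
    for label, props in (("host set", WITH_HOST), ("host empty", STARTUP)):
        for name, (path, empty) in audit(props).items():
            flag = "  <-- empty: " + ", ".join(empty) if empty else ""
            print(f"{label:10} {name}: {path}{flag}")
```

With FROMHOST empty, the first template resolves into a "2008" directory and the second into a "messages" file directly under /var/log/hosts, which matches the directory listing in the message.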

