[rsyslog] Property-Based Filters
Radu Gheorghiu
radu at pengooin.net
Sat Mar 22 18:34:09 CET 2008
I will prepare a new file + details, in the next 30 mins :)
Rainer Gerhards wrote:
> Ah, I've now reviewed it, but there is no message in it from a host that
> does not send a HOSTNAME (The last message... case). What syslogd are
> you running on the clients? Sysklogd? And which version? I am asking
> because I could check the code and see what exactly it generates. I
> am already beginning to get some bad feelings about what it sends ;)
>
> What I see is rsyslog's bug (the one just fixed) and an error message
> telling you that rsyslog is discarding a selector line because of no
> actions. That is the one where you had used the filter but without
> actions.
>
> Filters work only in front of actions in v2. So if you don't provide an
> action, nothing happens except that startup error message. Please note
> that the doc just talks about the property based filter. But it doesn't
> mean you can use it without an action. Filters only work with actions.
> In v3, things are already a bit different and will be much more
> different soon. V3 offers full expression support, so you can do
> Boolean operations inside filters. Also, v3 will be scriptable.
>
> HTH,
> Rainer
>
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Radu Gheorghiu
>> Sent: Saturday, March 22, 2008 6:14 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] Property-Based Filters
>>
>> Hmm, I think I don't understand. Haven't you received the file that I
>> sent you? Or did I miss something?
>>
>> Radu
>>
>> Rainer Gerhards wrote:
>>
>>> Well... Rsyslog tries all kinds of things to get hold of the real host.
>>> So if you could send me a copy of the one causing problems, I may (may
>>> ;)) be able to do something against it. HOSTNAME should always contain
>>> something usable, but as you say ... it depends ;)
>>>
>>> Rainer
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Radu Gheorghiu
>>>> Sent: Saturday, March 22, 2008 2:48 PM
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] Property-Based Filters
>>>>
>>>> I don't think that the HOSTNAME problem is an rsyslog problem.
>>>> I think that the remote host is not sending the HOSTNAME.
>>>> Remote host is using the classic syslog,
>>>> and it is configured like this:
>>>> *.*    @central-logger
>>>>
>>>> On the central logger, I modified my template for debug:
>>>> $template MyTemplateName,"TheHost:d%HOSTNAME%d %syslogseverity% TheMsg: %msg%\n"
>>>>
>>>> and in the logs:
>>>> TheHost:dlastd 5 TheMsg: repeated 8 times
>>>>
>>>> Seems like the message had no hostname field, and rsyslog thinks
>>>> "last" is the hostname.
>>>>
>>>> Radu
>>>>
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
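
Added example (not part of the original thread and not rsyslog's parser code): a simplified Python parser showing how a "last message repeated 8 times" line that carries no HOSTNAME gets "last" recorded as the host, next to a variant that falls back to the sender's address. The sample messages, the peer address 192.0.2.10 and all function names are constructed for illustration; the wire format is assumed to be timestamp followed directly by the text.

```python
import re

# Simplified RFC 3164-style framing: <PRI>Mmm dd hh:mm:ss <rest>
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$", re.S)
# A tag is a short token ending in ':' with an optional [pid], e.g. "sshd[812]:"
TAG = re.compile(r"^[\w./-]{1,32}(\[\d+\])?:$")

# Constructed sample messages (not taken from the log file in the thread).
REPEAT = "<13>Mar 22 14:40:01 last message repeated 8 times"
NORMAL = "<38>Mar 22 14:40:02 web01 sshd[812]: Accepted publickey for radu"

def split_header(raw):
    """Return (severity, text after the timestamp) or raise on bad framing."""
    m = HEADER.match(raw)
    if m is None:
        raise ValueError("no <PRI> and timestamp header")
    return int(m.group(1)) & 7, m.group(3)

def naive_parse(raw):
    """Always treat the first word after the timestamp as HOSTNAME."""
    severity, rest = split_header(raw)
    host, _, msg = rest.partition(" ")
    return {"hostname": host, "severity": severity, "msg": msg}

def careful_parse(raw, peer_addr):
    """Accept a HOSTNAME only when the word after it looks like a tag.

    Otherwise keep the whole text as the message and record the address
    the datagram came from (peer_addr) as the host.
    """
    severity, rest = split_header(raw)
    words = rest.split(" ", 2)
    has_host = (len(words) >= 2 and TAG.match(words[1]) is not None
                and TAG.match(words[0]) is None)
    if has_host:
        host, msg = words[0], rest.split(" ", 1)[1]
    else:
        host, msg = peer_addr, rest
    return {"hostname": host, "severity": severity, "msg": msg}

if __name__ == "__main__":
    for raw in (REPEAT, NORMAL):
        print(naive_parse(raw))
        print(careful_parse(raw, "192.0.2.10"))
```

On a central logger the practical point is the same: a HOSTNAME value taken from the message text is sender-controlled and may be absent, so rules that route or alert per host are safer when they can also see where the message actually came from.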