[rsyslog] Property-Based Filters

Rainer Gerhards rgerhards at hq.adiscon.com
Sat Mar 22 14:07:46 CET 2008


Ahh... That sample is most helpful. I think there is also a misunderstanding. I couldn't run a lab yet and will probably not before after Easter, but (read inline below) ...

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Radu Gheorghiu
> Sent: Saturday, March 22, 2008 1:55 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Property-Based Filters
> 
> Yes, it is.
> And that wouldn't be a problem if property based filter would work
> fine.
> 
> I tried to filter messages with FROMHOST empty and use HOSTNAME instead.
> It worked for localhost generated messages, but didn't work for messages
> coming from other hosts on the network. Here's a sample:
> 
> $template messages-per-host1,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages"
> $template messages-per-host2,"/var/log/hosts/%FROMHOST%/messages"
> $template messages-per-host3,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%-%$DAY%/messages"
> $template messages-per-host4,"/var/log/hosts/%HOSTNAME%/messages"
> $template MyTemplateName,"TheHost:d%FROMHOST%d %syslogseverity% TheMsg: %msg%\n"
> 
> # first we check if FROMHOST is empty. If it is empty, we use HOSTNAME
> :FROMHOST, isequal, ""

Property-based filters are just regular filters. So you need to specify what shall happen when the filter matches. In the above line, there is no action (sorry, looks like I overlooked that in the first message you sent).

So to discard these messages, you'd need to do:

:FROMHOST, isequal, "" ~

Filters (in v2) do NOT combine, except for the BSD-style filters. This is a feature of v3.

> *.info;mail.none;authpriv.none;cron.none ?messages-per-host4;MyTemplateName
> *.info;mail.none;authpriv.none;cron.none ?messages-per-host3;MyTemplateName
> # we drop the messages with FROMHOST empty, and we log everything else based on FROMHOST.
> :FROMHOST, isequal, "" ~

That, of course, should work...

> *.info;mail.none;authpriv.none;cron.none ?messages-per-host1;MyTemplateName
> *.info;mail.none;authpriv.none;cron.none ?messages-per-host2;MyTemplateName
> 
> Now you may ask why I didn't use HOSTNAME and only HOSTNAME after all?
> Well.. it looks like there are several messages that don't contain the
> HOSTNAME field and this breaks everything.
> 
> I'm not sure these are all bugs.

That may very well be. I suspect that they all have the same root cause, and that is that some message properties are not correctly being set for internally-generated messages. So one trouble spot with multiple problems resulting from it.

Could you do me a favor and run rsyslogd with -d -n options interactively and send me the resulting debug log?

Rainer
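To make the point above concrete (each legacy rule line is complete on its own, a property filter needs its own action, and `~` stops further processing), here is a small Python model of rsyslog v2 rule evaluation. It is an added example for this archive page, not code from rsyslog or from the thread; the sample messages, the rule list, and the simplified matching (only `isequal`, no `!` negation or regex comparisons) are assumptions.

```python
import re
# "fac.pri" matches priority pri and anything more severe; "fac.none" drops it.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
# Two of the templates from the thread (the others only add a date path).
TEMPLATES = {"messages-per-host2": "/var/log/hosts/%FROMHOST%/messages",
             "messages-per-host4": "/var/log/hosts/%HOSTNAME%/messages"}
def parse_rule(line):
    """Split one legacy rule into (filter, action). A property filter line with
    no action is a config error (the thread's mistake); '!' and regex ops omitted."""
    if line.startswith(":"):
        m = re.match(r':(\w+),\s*isequal,\s*"([^"]*)"\s*(\S+)?$', line)
        if not m or m.group(3) is None:
            raise ValueError("property filter needs an action: " + line)
        return ("prop", m.group(1).lower(), m.group(2)), m.group(3)
    selector, action = line.split(None, 1)   # BSD-style "selector action"
    return ("sel", selector), action

def is_valid_rule(line):
    try:
        return bool(parse_rule(line))
    except ValueError:
        return False

def matches(flt, msg):
    if flt[0] == "prop":
        return msg[flt[1]] == flt[2]
    allowed = {}                              # facility -> max severity code
    for part in flt[1].split(";"):
        fac, pri = part.split(".")
        allowed[fac] = -1 if pri == "none" else SEVERITY[pri]
    return msg["severity"] <= allowed.get(msg["facility"], allowed.get("*", -1))

def route(rules, msg):
    """Files the message is written to, in rule order; '~' stops processing."""
    files = []
    for flt, action in (parse_rule(r) for r in rules):
        if not matches(flt, msg):
            continue
        if action == "~":
            break
        path = TEMPLATES[action.lstrip("?").split(";")[0]]
        files.append(path.replace("%FROMHOST%", msg["fromhost"])
                         .replace("%HOSTNAME%", msg["hostname"]))
    return files
# Constructed samples: a remote message, and a startup message with empty FROMHOST.
REMOTE = {"fromhost": "web01", "hostname": "web01", "facility": "auth", "severity": 6}
STARTUP = {"fromhost": "", "hostname": "clog-he-de", "facility": "syslog", "severity": 6}
RULES = [':FROMHOST, isequal, "" ?messages-per-host4;MyTemplateName',
         ':FROMHOST, isequal, "" ~',
         '*.info;mail.none;authpriv.none;cron.none ?messages-per-host2;MyTemplateName']
```

Routing STARTUP through only the last rule shows the symptom from the thread: an empty FROMHOST expands to the path `/var/log/hosts//messages`.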

> They may be some result of some human
> error of some kind (my error).
> 
> Waiting for your confirmation of the above,
> Radu Gheorghiu
> 
> Rainer Gerhards wrote:
> > Ah, ok, so the problem actually is that fromhost is empty...
> >
> > ----- Original Message -----
> > From: "Radu Gheorghiu" <radu at pengooin.net>
> > To: "rsyslog-users" <rsyslog at lists.adiscon.com>
> > Sent: 22.03.08 13:21
> > Subject: Re: [rsyslog] Property-Based Filters
> >
> > Hi,
> >
> > Well, as I said, I needed a central log solution.
> > So I did this:
> >
> > $template messages-per-host1,"/var/log/hosts/%FROMHOST%/%$YEAR%/%$MONTH%-%$DAY%/messages"
> > $template messages-per-host2,"/var/log/hosts/%FROMHOST%/messages"
> >
> > and for testing purposes (and debug):
> >
> > $template MyTemplateName,"TheHost:d%FROMHOST%d %syslogseverity% TheMsg: %msg%\n"
> >
> > And here is the rest:
> > *.info;mail.none;authpriv.none;cron.none ?messages-per-host1;MyTemplateName
> > *.info;mail.none;authpriv.none;cron.none ?messages-per-host2;MyTemplateName
> >
> > I look in /var/log/hosts:
> > 2008  clog-he-de  messages
> > clog-he-de is the localhost ..
> > and  2008 + messages is created because FROMHOST is empty.
> > proof:
> >
> > cat messages
> > TheHost:dd 6 TheMsg:  [origin software="rsyslogd" swVersion="2.0.3" x-pid="12215" x-info="http://www.rsyslog.com"][x-configInfo udpReception="Yes" udpPort="514" tcpReception="No" tcpPort="0"] restart
> >
> > Note the "dd" after "TheHost:". I put it there to be sure there's
> > nothing between the two "d".
> >
> > Thanks,
> > Radu Gheorghiu
> >
> > Rainer Gerhards wrote:
> >
> >>> Hi,
> >>> I'm using stable. I'm trying to create some central log machine.
> >>> I made some tests .. and it seems that when I start rsyslog on the
> >>> central logging machine, it creates some messages regarding rsyslog
> >>> version, for those messages FROMHOST is empty.
> >>>
> >>>
> >> That *is* a bug. FROMHOST should not be empty. And now that I know,
> >> it probably won't be empty in the future ;)
> >>
> >>
> >>
> >>> If you want I can provide you with full rsyslog.conf. Please test and reply.
> >>>
> >>>
> >> So you want to filter out the rsyslog startup and shutdown messages?
> >> Please provide me a few samples of what the messages look in your
> log
> >> files.
> >>
> >> Thanks,
> >> Rainer
> >>
> >>
> >>
> >>> Thanks,
> >>> Radu Gheorghiu
> >>>
> >>> Rainer Gerhards wrote:
> >>>
> >>>
> >>>> Hi Radu,
> >>>>
> >>>> I will look into the issue, smells like a bug. But FROMHOST can never be
> >>>> empty... Is it just a sample? If so, which property are you looking at
> >>>> (I wonder what may be empty, thus the question...).
> >>>>
> >>>> Rainer
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >>>>> bounces at lists.adiscon.com] On Behalf Of Radu Gheorghiu
> >>>>> Sent: Saturday, March 22, 2008 6:47 AM
> >>>>> To: rsyslog at lists.adiscon.com
> >>>>> Subject: [rsyslog] Property-Based Filters
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I'm having trouble setting up some properties-based filters. I want to
> >>>>> see if some property is equal to "" (empty).
> >>>>> I'm doing this:
> >>>>> :FROMHOST, isequal, ""
> >>>>> *.info;mail.none;authpriv.none;cron.none ?messages-per-host4
> >>>>>
> >>>>> But it still matches everything it should not. Am I doing something
> >>>>> wrong?
> >>>>>
> >>>>> Thanks,
> >>>>> Radu
> >>>>> _______________________________________________
> >>>>> rsyslog mailing list
> >>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
