[rsyslog] Property-Based Filters

Rainer Gerhards rgerhards at hq.adiscon.com
Sat Mar 22 18:25:19 CET 2008


Ah, I've now reviewed it, but there is no message in it from a host that
does not send a HOSTNAME (The last message...  case). What syslogd are
you running on the clients? Sysklogd? And which version? I am asking
because I could check the code and see what exactly it generates. I
already begin to get some bad feelings about what it sends ;)

What I see is rsyslog's bug (the one just fixed) and an error message
telling you that rsyslog is discarding a selector line because of no
actions. That is the one where you had used the filter but without
actions.

Filters work only in front of actions in v2. So if you don't provide an
action, nothing happens except that startup error message. Please note
that the doc just talks about the property based filter. But it doesn't
mean you can use it without an action. Filters only work with actions.
In v3, things are already a bit different and will be much more
different soon.  V3 offers full expression support, so you can do
Boolean operations inside filters. Also, v3 will be scriptable.

HTH,
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Radu Gheorghiu
> Sent: Saturday, March 22, 2008 6:14 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Property-Based Filters
> 
> Hmm, I think I don't understand. Haven't you received the file that I
> sent you? Or did I miss something?
> 
> Radu
> 
> Rainer Gerhards wrote:
> > Well... Rsyslog tries all kinds of things to get hold of the real host.
> > So if you could send me a copy of the one causing problems, I may (may
> > ;)) be able to do something against it. HOSTNAME should always contain
> > something usable, but as you say ... it depends ;)
> >
> > Rainer
> >
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> bounces at lists.adiscon.com] On Behalf Of Radu Gheorghiu
> >> Sent: Saturday, March 22, 2008 2:48 PM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] Property-Based Filters
> >>
> >> I don't think that the HOSTNAME problem is an rsyslog problem.
> >> I think that the remote host is not sending the HOSTNAME.
> >> Remote host is using the classic syslog
> >> and it is configured like this:
> >> *.*    @central-logger
> >>
> >> On the central logger I modified my template for debug:
> >> $template MyTemplateName,"TheHost:d%HOSTNAME%d %syslogseverity% TheMsg: %msg%\n"
> >>
> >> and in the logs:
> >> TheHost:dlastd 5 TheMsg:  repeated 8 times
> >>
> >> Seems like the message had no hostname field, and rsyslog thinks
> >> "last" is the hostname.
> >>
> >> Radu
> >>
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
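Added example (not part of the original post, and not rsyslog's parser code): a Python model of why a forwarded line with no HOSTNAME field yields the "TheHost:dlastd" record quoted in the thread, next to a receiver-side fallback to the sender's address. It also covers the related case of a tag in the hostname position, which goes beyond what the thread shows. The wire lines, the function names and the address 192.0.2.10 are constructed for illustration.

```python
import re

# <PRI>Mmm dd hh:mm:ss rest-of-line (BSD syslog layout)
_HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$")
# Plausible host name or IPv4 address; a TAG such as "su[123]:" does not match.
_HOSTLIKE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
_REPEAT = re.compile(r"^last message repeated \d+ times?$")


def _split(raw):
    m = _HEADER.match(raw)
    if m is None:
        raise ValueError("not a <PRI>timestamp message line")
    return int(m.group(1)) & 7, m.group(3)   # severity = PRI mod 8


def parse_naive(raw):
    """First token after the timestamp is HOSTNAME, second is the tag."""
    severity, rest = _split(raw)
    host, _, remainder = rest.partition(" ")
    tag, sep, msg = remainder.partition(" ")
    return {"hostname": host, "severity": severity, "tag": tag, "msg": sep + msg}


def parse_with_fallback(raw, peer_addr):
    """Use the sender's address when the line carries no usable HOSTNAME."""
    severity, rest = _split(raw)
    first = rest.split(" ", 1)[0]
    if _REPEAT.match(rest) or not _HOSTLIKE.match(first):
        return {"hostname": peer_addr, "severity": severity, "tag": "",
                "msg": rest, "hostname_source": "peer"}
    return dict(parse_naive(raw), hostname_source="message")


def render_debug(rec):
    """Mirror of the debug template quoted in the thread."""
    return "TheHost:d%sd %d TheMsg: %s" % (rec["hostname"], rec["severity"], rec["msg"])


# Constructed samples; 192.0.2.10 is a documentation address.
NO_HOST = "<13>Mar 22 18:14:00 last message repeated 8 times"
WITH_HOST = "<13>Mar 22 18:14:00 web01 sshd[411]: session opened"

if __name__ == "__main__":
    print(render_debug(parse_naive(NO_HOST)))
    print(render_debug(parse_with_fallback(NO_HOST, "192.0.2.10")))
    print(render_debug(parse_with_fallback(WITH_HOST, "192.0.2.10")))
```

The source address of a UDP syslog packet is not authenticated either, so hostname_source records which origin a later hostname filter is actually matching on.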