[rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Michael Maymann michael at maymann.org
Mon Feb 6 14:14:22 CET 2012


Hi Rainer,

ok.

I have 3 different entries in my debug log:
---
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Feb  4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID
unknown)(769216)'
escaped msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port
2(VID unknown)(769216)'
inputname: imudp rawmsg: '<14> Feb  4 07:29:40 10.224.110.250 00828 lldp:
PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Feb  6 14:11:49', STRUCTURED-DATA: '-',
msg: ' Kernel logging (proc) stopped.'
escaped msg: ' Kernel logging (proc) stopped.'
inputname: imudp rawmsg: '<6>kernel: Kernel logging (proc) stopped.'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'exiting', PRI: 46,
syslogtag 'on', programname: 'on', APP-NAME: 'on', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  6 14:11:50', STRUCTURED-DATA: '-',
msg: ' signal 15'
escaped msg: ' signal 15'
inputname: imudp rawmsg: '<46>exiting on signal 15'
---

I have now set up a rule:
$template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"
if $fromhost == '???' and $fromhost-ip == '???' then ?DYNUNKNOWNmessages


I would like to still log the hosts where I know the IP...
Is it possible to say something like the following?:
---
$template DYNIPmessages,"PATH_TO/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
$template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"

if $fromhost == '???' and $fromhost-ip == '???' and $hostname == '192.168.*' then ?DYNIPmessages
if $fromhost == '???' and $fromhost-ip == '???' and $hostname != '192.168.*' then ?DYNUNKNOWNmessages
---

Thanks in advance :-) !
~maymann


2012/2/6 Rainer Gerhards <rgerhards at hq.adiscon.com>

> Please note that HOSTNAME stems back to the message and as such is a
> different property than FROMHOST. It is definitely not the case that when
> FROMHOST is ??? then HOSTNAME has the IP -- it's just a coincidence in your
> current environment.
>
> rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > Sent: Saturday, February 04, 2012 9:10 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >
> > Hi,
> >
> > SOLVED...
> >
> > got it working...:-) !
> >
> > I enabled debugging (David: thanks for the hint) and this was one of
> > the
> > entries:
> > ---
> > Debug line with all properties:
> > FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> > syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-
> > ',
> > MSGID: '-',
> > TIMESTAMP: 'Feb  4 07:29:40', STRUCTURED-DATA: '-',
> > msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port
> > 2(VID
> > unknown)(769216)'
> > escaped msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device
> > port
> > 2(VID unknown)(769216)'
> > inputname: imudp rawmsg: '<14> Feb  4 07:29:40 <IP> 00828 lldp:  PVID
> > mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > ---
> > The <IP> from the last line was of course the same as in the
> > logfiles...
> > I confuse this to be a client of a rsyslog-client twice... :-o !
> >
> > I could hereafter easily edit my /etc/rsyslog.conf respectively:
> > ---
> > #SET PRIVILEGES
> > $PreserveFQDN on
> > $PrivDropToGroup <GROUP>
> > $PrivDropToUser <USER>
> > $DirCreateMode 0750
> > $FileCreateMode 0640
> > $UMASK 0027
> >
> > #LOAD MODULES
> > $ModLoad imudp
> > $UDPServerRun 514
> > $UDPServerAddress 127.0.0.1
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> >
> > #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to
> > enable...)
> > #*.info;mail.none;authpriv.none;cron.none
> > /var/log/messages-debug;RSYSLOG_DebugFormat
> >
> > #SET DESTINATION FOR LOGS
> > $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >
> > $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> > $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> > $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> > $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
> >
> > #SET LOGGING CONDITIONS
> > if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost != '???' then
> > ?DYNsecure
> > if $syslogfacility-text == 'mail' and $fromhost != '???' then
> > ?DYNmaillog
> > if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > if $syslogseverity-text == 'crit' and $fromhost != '???' then
> > ?DYNspooler
> > if $syslogfacility-text == 'local7' and $fromhost != '???' then
> > ?DYNboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > 'WARNING'
> > and $fromhost != '???' then ?DYNtraps
> >
> > if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost == '???' then
> > ?DYNIPsecure
> > if $syslogfacility-text == 'mail' and $fromhost == '???' then
> > ?DYNIPmaillog
> > if $syslogfacility-text == 'cron' and $fromhost == '???' then
> > ?DYNIPcron
> > if $syslogseverity-text == 'crit' and $fromhost == '???' then
> > ?DYNIPspooler
> > if $syslogfacility-text == 'local7' and $fromhost == '???' then
> > ?DYNIPboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > 'WARNING'
> > and $fromhost == '???' then ?DYNIPtraps
> > ---
> >
> > David+Rainer: thanks for your help... much appreciated...:-) !
> >
> > Br.
> > ~maymann
> >
> > 2012/2/4 <david at lang.hm>
> >
> > > I was actually meaning for you to do this on the server where you are
> > > seeing the ??? show up.
> > >
> > > but this does show that the sending machine thinks it's doing everything
> > > correctly (assuming the <HOSTNAME> you put in the message below is actually
> > > correct)
> > >
> > > what I would want to see from the server log is one of the messages
> > with
> > > the ??? in it that you are trying to fix.
> > >
> > >
> > > David Lang
> > >
> > > On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >
> > >  Hi,
> > >>
> > >> David: thanks for your reply...:-) !
> > >>
> > >> This is not a known client causing the "???" entries - I don't know
> > the
> > >> ip(s)/hostname(s), and this is why i would like to log IP instead of
> > >> hostname - as my guess is it is a network device without DNS
> > entry...:-( !
> > >>
> > >> Can I troubleshoot on the server somehow similar... or was that the
> > >> intention all along...:-o !
> > >>
> > >> Here is the client-debug output anyways...:
> > >> # cat messages-debug
> > >> Debug line with all properties:
> > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> > '<HOSTNAME>',
> > >> PRI: 6,
> > >> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel',
> > PROCID:
> > >> '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
> > >> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >>
> > >> Debug line with all properties:
> > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> > '<HOSTNAME>',
> > >> PRI: 46,
> > >> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> > 'rsyslogd',
> > >> PROCID: '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
> > >> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >>
> > >> Debug line with all properties:
> > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> > '<HOSTNAME>',
> > >> PRI: 13,
> > >> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-
> > ',
> > >> MSGID: '-',
> > >> TIMESTAMP: 'Feb  3 11:14:30', STRUCTURED-DATA: '-',
> > >> msg: ' hej'
> > >> escaped msg: ' hej'
> > >> rawmsg: '<13>Feb  3 11:14:30 root: hej'
> > >>
> > >>
> > >> Thanks in advance :-) !
> > >> ~maymann
> > >>
> > >>
> > >> 2012/2/3 <david at lang.hm>
> > >>
> > >>  oops, that should have been RSYSLOG_DebugFormat template.
> > >>>
> > >>> David Lang
> > >>>
> > >>> On Thu, 2 Feb 2012, david at lang.hm wrote:
> > >>>
> > >>>  Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > >>>
> > >>>> From: david at lang.hm
> > >>>>
> > >>>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
> > >>>> To: rsyslog-users <rsyslog at lists.adiscon.com>
> > >>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> > %IP%
> > >>>>
> > >>>> what does one of these messages look like if you write it out with
> > the
> > >>>> RSYSLOG_DEBUG template?
> > >>>>
> > >>>> David Lang
> > >>>>
> > >>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >>>>
> > >>>>  Date: Fri, 3 Feb 2012 07:00:26 +0100
> > >>>>
> > >>>>> From: Michael Maymann <michael at maymann.org>
> > >>>>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
> > >>>>> To: rsyslog-users <rsyslog at lists.adiscon.com>
> > >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> > %IP%
> > >>>>>
> > >>>>> Please... Anyone?
> > >>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael at maymann.org>
> > wrote:
> > >>>>>
> > >>>>>  Hi,
> > >>>>>
> > >>>>>>
> > >>>>>> got it started... but still ??? dir+logfiles are showing up...
> > >>>>>> This is now my rsyslog.conf:
> > >>>>>> #SET PRIVILEGES
> > >>>>>> $PreserveFQDN on
> > >>>>>> $PrivDropToGroup <GROUP>
> > >>>>>> $PrivDropToUser <USER>
> > >>>>>> $DirCreateMode 0750
> > >>>>>> $FileCreateMode 0640
> > >>>>>> $UMASK 0027
> > >>>>>>
> > >>>>>> #LOAD MODULES
> > >>>>>> $ModLoad imudp
> > >>>>>> $UDPServerRun 514
> > >>>>>> $UDPServerAddress 127.0.0.1
> > >>>>>> $ModLoad imtcp
> > >>>>>> $InputTCPServerRun 514
> > >>>>>>
> > >>>>>> #SET DESTINATION FOR LOGS
> > >>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>
> > >>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>
> > >>>>>> #SET LOGGING CONDITIONS
> > >>>>>> if $syslogseverity <= '6' and $fromhost != '???' then
> > ?DYNmessages
> > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???'
> > then
> > >>>>>> ?DYNsecure
> > >>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then
> > >>>>>> ?DYNmaillog
> > >>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then
> > ?DYNcron
> > >>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then
> > >>>>>> ?DYNspooler
> > >>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then
> > >>>>>> ?DYNboot
> > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > >>>>>> 'WARNING'
> > >>>>>> and $fromhost != '???' then ?DYNtraps
> > >>>>>>
> > >>>>>> if $syslogseverity <= '6' and $fromhost == '???' then
> > ?DYNIPmessages
> > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???'
> > then
> > >>>>>> ?DYNIPsecure
> > >>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then
> > >>>>>> ?DYNIPmaillog
> > >>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then
> > >>>>>> ?DYNIPcron
> > >>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then
> > >>>>>> ?DYNIPspooler
> > >>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then
> > >>>>>> ?DYNIPboot
> > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > >>>>>> 'WARNING'
> > >>>>>> and $fromhost == '???' then ?DYNIPtraps
> > >>>>>>
> > >>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but
> > all
> > >>>>>> creates
> > >>>>>> ??? dir+files...
> > >>>>>> What variable should I use to handle this properly ?
> > >>>>>>
> > >>>>>>
> > >>>>>> Thanks in advance :-) !
> > >>>>>> ~maymann
> > >>>>>>
> > >>>>>> 2012/2/2 Michael Maymann <michael at maymann.org>
> > >>>>>>
> > >>>>>>  Hi,
> > >>>>>>
> > >>>>>>>
> > >>>>>>> David: thanks for your reply...
> > >>>>>>> Here is my new rsyslog.conf:
> > >>>>>>> #SET PRIVILEGES
> > >>>>>>> $PreserveFQDN on
> > >>>>>>> $PrivDropToGroup <GROUP>
> > >>>>>>> $PrivDropToUser <USER>
> > >>>>>>> $DirCreateMode 0750
> > >>>>>>> $FileCreateMode 0640
> > >>>>>>> $UMASK 0027
> > >>>>>>>
> > >>>>>>> #LOAD MODULES
> > >>>>>>> $ModLoad imudp
> > >>>>>>> $UDPServerRun 514
> > >>>>>>> $UDPServerAddress 127.0.0.1
> > >>>>>>> $ModLoad imtcp
> > >>>>>>> $InputTCPServerRun 514
> > >>>>>>>
> > >>>>>>> #SET DESTINATION FOR LOGS
> > >>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>>
> > >>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>>
> > >>>>>>> #SET LOGGING CONDITIONS
> > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then
> > ?DYNmessages
> > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???'
> > then
> > >>>>>>> ?DYNsecure
> > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then
> > >>>>>>> ?DYNmaillog
> > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then
> > >>>>>>> ?DYNcron
> > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then
> > >>>>>>> ?DYNspooler
> > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???'
> > then
> > >>>>>>> ?DYNboot
> > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > >>>>>>> 'WARNING'
> > >>>>>>> and %FROMHOST% != '???' then ?DYNtraps
> > >>>>>>>
> > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then
> > ?DYNIPmessages
> > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???'
> > then
> > >>>>>>> ?DYNIPsecure
> > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then
> > >>>>>>> ?DYNIPmaillog
> > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then
> > >>>>>>> ?DYNIPcron
> > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then
> > >>>>>>> ?DYNIPspooler
> > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???'
> > then
> > >>>>>>> ?DYNIPboot
> > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > >>>>>>> 'WARNING'
> > >>>>>>> and %FROMHOST% == '???' then ?DYNIPtraps
> > >>>>>>>
> > >>>>>>> but it fails...:
> > >>>>>>> # service rsyslog start
> > >>>>>>> Starting system logger: rsyslogd: run failed with error -2207
> > (see
> > >>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what
> > that
> > >>>>>>> number
> > >>>>>>> means)
> > >>>>>>>                                                          [  OK
> > ]
> > >>>>>>>
> > >>>>>>> my guess is it is my %FROMHOST% == '???' - is this format
> > correct or
> > >>>>>>> how
> > >>>>>>> is this done...
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> Thanks in advance :-) !
> > >>>>>>> ~maymann
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> 2012/2/1 <david at lang.hm>
> > >>>>>>>
> > >>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>>  Hi,
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>> I want to log information about hosts that are not logging
> > with
> > >>>>>>>>> correct
> > >>>>>>>>> HOSTNAME.
> > >>>>>>>>> In my current setup, I get a dir "???" where these host(s)
> > are
> > >>>>>>>>> logging
> > >>>>>>>>> to...
> > >>>>>>>>>
> > >>>>>>>>> I would like to change this to the hosts IP instead,
> > something
> > >>>>>>>>> like:
> > >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>>  rsyslog cannot do what you are asking. It can't assign a
> > value to
> > >>>>>>>> a
> > >>>>>>>> property.
> > >>>>>>>>
> > >>>>>>>> what you can do is to setup a different template and then if
> > >>>>>>>> %fromhost%
> > >>>>>>>> is your special pattern you can log with this different
> > template.
> > >>>>>>>>
> > >>>>>>>> David Lang
> > >>>>>>>> _______________________________________________
> > >>>>>>>> rsyslog mailing list
> > >>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>>>>>>> http://www.rsyslog.com/professional-services/
>
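
The split asked about at the top of this message, written with rsyslog's `startswith` operator, since `==` compares whole strings and does not treat `*` as a wildcard. This is an added example, not part of the original post: it keeps the thread's PATH_TO placeholder and 192.168. prefix, and it assumes the property-replacer option `secpath-replace` is available in the rsyslog version in use.

```conf
# Added example, not from the thread. PATH_TO and the 192.168. prefix are the
# placeholders used in the question; adjust both to the real environment.

# As asked: %HOSTNAME% is copied from the message text and used unchanged as a
# directory and file name.
#$template DYNIPmessages,"PATH_TO/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"

# Same layout, but slashes in the sender-supplied value are replaced by "_"
# before it becomes part of the path.
$template DYNIPmessages,"PATH_TO/%HOSTNAME:::secpath-replace%/%HOSTNAME:::secpath-replace%_%$YEAR%.%$MONTH%_messages"
$template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"

# Prefix test instead of '== 192.168.*'. A prefix match does not prove the value
# is an IP address: HOSTNAME is whatever the sender wrote, so everything that
# does not match goes to the single UNKNOWN file rather than to its own directory.
if $fromhost == '???' and $fromhost-ip == '???' and $hostname startswith '192.168.' then ?DYNIPmessages
if $fromhost == '???' and $fromhost-ip == '???' and not ($hostname startswith '192.168.') then ?DYNUNKNOWNmessages
```

With these rules, the debug entries above whose HOSTNAME is '???' or 'exiting' are written to the UNKNOWN file instead of creating directories named after message fragments.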

