[rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Michael Maymann michael at maymann.org
Fri Feb 3 07:00:26 CET 2012


Please... Anyone?
On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael at maymann.org> wrote:

> Hi,
>
> got it started... but still ??? dir+logfiles are showing up...
> This is now my rsyslog.conf:
> #SET PRIVILEGES
> $PreserveFQDN on
> $PrivDropToGroup <GROUP>
> $PrivDropToUser <USER>
> $DirCreateMode 0750
> $FileCreateMode 0640
> $UMASK 0027
>
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
>
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>
> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>
> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>
> I have tried with $fromhost, $fromhost-ip and $hostname - but all create
> ??? dir+files...
> What variable should I use to handle this properly ?
>
>
> Thanks in advance :-) !
> ~maymann
>
> 2012/2/2 Michael Maymann <michael at maymann.org>
>
>> Hi,
>>
>> David: thanks for your reply...
>> Here is my new rsyslog.conf:
>> #SET PRIVILEGES
>> $PreserveFQDN on
>> $PrivDropToGroup <GROUP>
>> $PrivDropToUser <USER>
>> $DirCreateMode 0750
>> $FileCreateMode 0640
>> $UMASK 0027
>>
>> #LOAD MODULES
>> $ModLoad imudp
>> $UDPServerRun 514
>> $UDPServerAddress 127.0.0.1
>> $ModLoad imtcp
>> $InputTCPServerRun 514
>>
>> #SET DESTINATION FOR LOGS
>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>
>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>
>> #SET LOGGING CONDITIONS
>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>
>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>
>> but it fails...:
>> # service rsyslog start
>> Starting system logger: rsyslogd: run failed with error -2207 (see
>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
>> means)
>>                                                            [  OK  ]
>>
>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
>> is this done...
>>
>>
>> Thanks in advance :-) !
>> ~maymann
>>
>>
>> 2012/2/1 <david at lang.hm>
>>
>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>
>>>> Hi,
>>>>
>>>> I want to log information about hosts that are not logging with correct
>>>> HOSTNAME.
>>>> In my current setup, I get a dir "???" where these host(s) are logging
>>>> to...
>>>>
>>>> I would like to change this to the host's IP instead, something like:
>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>
>>>
>>> rsyslog cannot do what you are asking. It can't assign a value to a
>>> property.
>>>
>>> what you can do is to setup a different template and then if %fromhost%
>>> is your special pattern you can log with this different template.
>>>
>>> David Lang
>>>
>>
>>
>
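
The two-template routing David Lang describes, reduced to the `messages` case, as an added example that is not part of the original thread and is not offered as a confirmed fix for the poster's setup. `PATH_TO` is the thread's placeholder; the `DYNUNKmessages` template and the `unresolved` directory are hypothetical, added on the assumption (taken from the poster's report) that `fromhost-ip` can also come back as `???`.

```conf
# Added example (not from the thread). Legacy rsyslog syntax, as used above.

# Templates use %property%. The secpath-replace option turns any "/" in the
# value into "_", so a name obtained from DNS cannot add path components
# to the dynamic file name.
$template DYNmessages,"PATH_TO/%fromhost:::secpath-replace%/%fromhost:::secpath-replace%_%$YEAR%.%$MONTH%_messages"
$template DYNIPmessages,"PATH_TO/%fromhost-ip%/%fromhost-ip%_%$YEAR%.%$MONTH%_messages"

# Hypothetical fallback: a fixed directory, so that no "???" directory is
# created even when neither name nor address is usable.
$template DYNUNKmessages,"PATH_TO/unresolved/unresolved_%$YEAR%.%$MONTH%_messages"

# Expressions use $property, not %property%, and each rule stays on one line.
# The three conditions are mutually exclusive, so a message is written once.
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogseverity <= '6' and $fromhost == '???' and $fromhost-ip != '???' then ?DYNIPmessages
if $syslogseverity <= '6' and $fromhost == '???' and $fromhost-ip == '???' then ?DYNUNKmessages
```

The same three-rule pattern applies to the other facilities in the thread's configuration (`authpriv`, `mail`, `cron`, `local7`, `local6`).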


