[rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Michael Maymann michael at maymann.org
Fri Feb 3 17:05:38 CET 2012


Perhaps we could also figure this <PrivDropToUser>-thing out at the same
time...:-) !

~maymann

2012/2/3 Michael Maymann <michael at maymann.org>

> Sure...:-) !
>
> ~maymann
>
>
>
> 2012/2/3 Rainer Gerhards <rgerhards at hq.adiscon.com>
>
>> I just checked where the ??? could be routed in. I see one case that happens
>> when the DNS resolution fails.  Would you be willing to run an instrumented
>> build to capture a debug log so that we see when this happens?
>>
>> rainer
>>
>> > -----Original Message-----
>> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> > bounces at lists.adiscon.com] On Behalf Of Michael Maymann
>> > Sent: Friday, February 03, 2012 11:24 AM
>> > To: rsyslog-users
>> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>> >
>> > Hi,
>> >
>> > David: thanks for your reply...:-) !
>> >
>> > This is not a known client causing the "???" entries - I don't know the
>> > ip(s)/hostname(s), and this is why I would like to log IP instead of hostname -
>> > as my guess is it is a network device without DNS entry...:-( !
>> >
>> > Can I troubleshoot on the server somehow similar... or was that the intention
>> > all along...:-o !
>> >
>> > Here is the client-debug output anyways...:
>> > # cat messages-debug
>> > Debug line with all properties:
>> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
>> > PRI: 6,
>> > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
>> > TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
>> > msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>> > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>> > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>> >
>> > Debug line with all properties:
>> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
>> > PRI: 46,
>> > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
>> > TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
>> > msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>> > escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>> > rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>> >
>> > Debug line with all properties:
>> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
>> > PRI: 13,
>> > syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
>> > TIMESTAMP: 'Feb  3 11:14:30', STRUCTURED-DATA: '-',
>> > msg: ' hej'
>> > escaped msg: ' hej'
>> > rawmsg: '<13>Feb  3 11:14:30 root: hej'
>> >
>> >
>> > Thanks in advance :-) !
>> > ~maymann
>> >
>> >
>> > 2012/2/3 <david at lang.hm>
>> >
>> > > oops, that should have been RSYSLOG_DebugFormat template.
>> > >
>> > > David Lang
>> > >
>> > > On Thu, 2 Feb 2012, david at lang.hm wrote:
>> > >
>> > >  Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>> > >> From: david at lang.hm
>> > >>
>> > >> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
>> > >> To: rsyslog-users <rsyslog at lists.adiscon.com>
>> > >> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>> > >>
>> > >> what does one of these messages look like if you write it out with
>> > >> the RSYSLOG_DEBUG template?
>> > >>
>> > >> David Lang
>> > >>
>> > >> On Fri, 3 Feb 2012, Michael Maymann wrote:
>> > >>
>> > >>  Date: Fri, 3 Feb 2012 07:00:26 +0100
>> > >>> From: Michael Maymann <michael at maymann.org>
>> > >>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
>> > >>> To: rsyslog-users <rsyslog at lists.adiscon.com>
>> > >>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>> > >>>
>> > >>> Please... Anyone?
>> > >>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael at maymann.org> wrote:
>> > >>>
>> > >>>  Hi,
>> > >>>>
>> > >>>> got it started... but still ??? dir+logfiles are showing up...
>> > >>>> This is now my rsyslog.conf:
>> > >>>> #SET PRIVILEGES
>> > >>>> $PreserveFQDN on
>> > >>>> $PrivDropToGroup <GROUP>
>> > >>>> $PrivDropToUser <USER>
>> > >>>> $DirCreateMode 0750
>> > >>>> $FileCreateMode 0640
>> > >>>> $UMASK 0027
>> > >>>>
>> > >>>> #LOAD MODULES
>> > >>>> $ModLoad imudp
>> > >>>> $UDPServerRun 514
>> > >>>> $UDPServerAddress 127.0.0.1
>> > >>>> $ModLoad imtcp
>> > >>>> $InputTCPServerRun 514
>> > >>>>
>> > >>>> #SET DESTINATION FOR LOGS
>> > >>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>> > >>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>> > >>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>> > >>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>> > >>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>> > >>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>> > >>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>> > >>>>
>> > >>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>> > >>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>> > >>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>> > >>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>> > >>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>> > >>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>> > >>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>> > >>>>
>> > >>>> #SET LOGGING CONDITIONS
>> > >>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>> > >>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>> > >>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>> > >>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>> > >>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>> > >>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>> > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>> > >>>>
>> > >>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>> > >>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>> > >>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>> > >>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>> > >>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>> > >>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>> > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>> > >>>>
>> > >>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all
>> > >>>> creates ??? dir+files...
>> > >>>> What variable should I use to handle this properly ?
>> > >>>>
>> > >>>>
>> > >>>> Thanks in advance :-) !
>> > >>>> ~maymann
>> > >>>>
>> > >>>> 2012/2/2 Michael Maymann <michael at maymann.org>
>> > >>>>
>> > >>>>  Hi,
>> > >>>>>
>> > >>>>> David: thanks for your reply...
>> > >>>>> Here is my new rsyslog.conf:
>> > >>>>> #SET PRIVILEGES
>> > >>>>> $PreserveFQDN on
>> > >>>>> $PrivDropToGroup <GROUP>
>> > >>>>> $PrivDropToUser <USER>
>> > >>>>> $DirCreateMode 0750
>> > >>>>> $FileCreateMode 0640
>> > >>>>> $UMASK 0027
>> > >>>>>
>> > >>>>> #LOAD MODULES
>> > >>>>> $ModLoad imudp
>> > >>>>> $UDPServerRun 514
>> > >>>>> $UDPServerAddress 127.0.0.1
>> > >>>>> $ModLoad imtcp
>> > >>>>> $InputTCPServerRun 514
>> > >>>>>
>> > >>>>> #SET DESTINATION FOR LOGS
>> > >>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>> > >>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>> > >>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>> > >>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>> > >>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>> > >>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>> > >>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>> > >>>>>
>> > >>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>> > >>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>> > >>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>> > >>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>> > >>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>> > >>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>> > >>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>> > >>>>>
>> > >>>>> #SET LOGGING CONDITIONS
>> > >>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>> > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>> > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>> > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>> > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>> > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>> > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>> > >>>>>
>> > >>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>> > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>> > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>> > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>> > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>> > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>> > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>> > >>>>>
>> > >>>>> but it fails...:
>> > >>>>> # service rsyslog start
>> > >>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
>> > >>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
>> > >>>>>                                                           [  OK  ]
>> > >>>>>
>> > >>>>> my guess is it is my %FROMHOST% == '???' - is this format correct
>> > >>>>> or how is this done...
>> > >>>>>
>> > >>>>>
>> > >>>>> Thanks in advance :-) !
>> > >>>>> ~maymann
>> > >>>>>
>> > >>>>>
>> > >>>>> 2012/2/1 <david at lang.hm>
>> > >>>>>
>> > >>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>> > >>>>>
>> > >>>>>>
>> > >>>>>>  Hi,
>> > >>>>>>
>> > >>>>>>>
>> > >>>>>>> I want to log information about hosts that are not logging with
>> > >>>>>>> correct HOSTNAME.
>> > >>>>>>> In my current setup, I get a dir "???" where these host(s) are
>> > >>>>>>> logging to...
>> > >>>>>>>
>> > >>>>>>> I would like to change this to the host's IP instead, something like:
>> > >>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>> > >>>>>>>
>> > >>>>>>>
>> > >>>>>> rsyslog cannot do what you are asking. It can't assign a value to
>> > >>>>>> a property.
>> > >>>>>>
>> > >>>>>> what you can do is to setup a different template and then if
>> > >>>>>> %fromhost% is your special pattern you can log with this
>> > >>>>>> different template.
>> > >>>>>>
>> > >>>>>> David Lang
>> > >>>>>> _______________________________________________
>> > >>>>>> rsyslog mailing list
>> > >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > >>>>>> http://www.rsyslog.com/professional-services/
>> > >>>>>>
>> > >>>>>>
>> > >>>>>
>> > >>>>>
>>
>
>
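As an added illustration (not code from the thread or from rsyslog itself), the following Python parses RSYSLOG_DebugFormat records like the ones quoted above and applies the thread's rule set the way David describes: the same rules, but the path prefix falls back from FROMHOST to fromhost-ip when the name is '???'. The sample records, the base path PATH_TO and the fixed year/month are constructed; the refusal of a sender key containing a path separator is an extra check this example adds, not something the posted config does.

```python
import re

# Constructed sample in the RSYSLOG_DebugFormat layout quoted above, cut to the
# properties used here; the second record is a sender whose reverse DNS failed.
DEBUG_LOG = """\
Debug line with all properties:
FROMHOST: 'web01.example', fromhost-ip: '192.0.2.10', HOSTNAME: 'web01.example',
PRI: 86,
msg: ' Accepted publickey for admin'
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '192.0.2.77', HOSTNAME: '???',
PRI: 180,
msg: ' linkDown'
"""
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
              "security console solaris-cron " + " ".join(f"local{i}" for i in range(8))).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

def parse_debug_lines(text):
    """Return one property dict per 'Debug line with all properties' record."""
    records = []
    for block in text.split("Debug line with all properties:")[1:]:
        props = dict(re.findall(r"([\w-]+): '([^']*)'", block))
        pri = int(re.search(r"PRI: (\d+)", block).group(1))  # facility*8 + severity
        props.update(facility=FACILITIES[pri // 8], severity=pri % 8,
                     severity_text=SEVERITIES[pri % 8])
        records.append(props)
    return records

def sender_key(props):
    """Path component for the sender: resolved name, or the IP when DNS failed."""
    key = props["fromhost-ip"] if props["FROMHOST"] == "???" else props["FROMHOST"]
    if "/" in key or key in ("", ".", ".."):  # never let a name escape the base dir
        raise ValueError(f"unsafe sender key {key!r}")
    return key

def route(props, base="PATH_TO", year=2012, month=2):
    """Dynafile paths the thread's rules select. Rules are independent, as in
    rsyslog, so one message may hit several files; severity names are lowercase."""
    fac, sev, sev_text = props["facility"], props["severity"], props["severity_text"]
    names = []
    if sev <= 6: names.append("messages")
    if fac == "authpriv": names.append("secure")
    if fac == "mail": names.append("maillog")
    if fac == "cron": names.append("cron")
    if sev_text == "crit": names.append("spooler")
    if fac == "local7": names.append("boot.log")
    if fac == "local6" and sev_text == "warning": names.append("traps")
    key = sender_key(props)
    return [f"{base}/{key}/{key}_{year}.{month:02d}_{n}" for n in names]
```

Note that `$syslogseverity-text` yields lowercase names, so a comparison against 'WARNING' as in the posted config never matches; the example compares against 'warning'.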