[rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Rainer Gerhards rgerhards at hq.adiscon.com
Fri Feb 3 17:06:05 CET 2012


Ok - I am right now upgrading a module to the v6 config format, will add some
instrumentation as next step. Probably Monday.

rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 5:03 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> 
> Sure...:-) !
> 
> ~maymann
> 
> 
> 2012/2/3 Rainer Gerhards <rgerhards at hq.adiscon.com>
> 
> > I just checked where the ??? could be routed in. I see one case that
> > happens when the DNS resolution fails.  Would you be willing to run an
> > instrumented build to capture a debug log so that we see when this
> > happens?
> >
> > rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > bounces at lists.adiscon.com] On Behalf Of Michael Maymann
> > > Sent: Friday, February 03, 2012 11:24 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >
> > > Hi,
> > >
> > > David: thanks for your reply...:-) !
> > >
> > > This is not a known client causing the "???" entries - I don't know
> > > the ip(s)/hostname(s), and this is why I would like to log IP
> > > instead of hostname - as my guess is it is a network device without
> > > DNS entry...:-( !
> > >
> > > Can I troubleshoot on the server somehow similarly... or was that the
> > > intention all along...:-o !
> > >
> > > Here is the client-debug output anyways...:
> > > # cat messages-debug
> > > Debug line with all properties:
> > > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
> > > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> > > TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
> > > msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >
> > > Debug line with all properties:
> > > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
> > > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> > > TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
> > > msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > > escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > > rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >
> > > Debug line with all properties:
> > > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
> > > syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> > > TIMESTAMP: 'Feb  3 11:14:30', STRUCTURED-DATA: '-',
> > > msg: ' hej'
> > > escaped msg: ' hej'
> > > rawmsg: '<13>Feb  3 11:14:30 root: hej'
> > >
> > >
> > > Thanks in advance :-) !
> > > ~maymann
> > >
> > >
> > > 2012/2/3 <david at lang.hm>
> > >
> > > > oops, that should have been RSYSLOG_DebugFormat template.
> > > >
> > > > David Lang
> > > >
> > > > On Thu, 2 Feb 2012, david at lang.hm wrote:
> > > >
> > > >  Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > > >> From: david at lang.hm
> > > >>
> > > >> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
> > > >> To: rsyslog-users <rsyslog at lists.adiscon.com>
> > > >> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > > >>
> > > >> what does one of these messages look like if you write it out
> > > >> with the RSYSLOG_DEBUG template?
> > > >>
> > > >> David Lang
> > > >>
> > > >> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > > >>
> > > >>  Date: Fri, 3 Feb 2012 07:00:26 +0100
> > > >>> From: Michael Maymann <michael at maymann.org>
> > > >>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
> > > >>> To: rsyslog-users <rsyslog at lists.adiscon.com>
> > > >>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > > >>>
> > > >>> Please... Anyone?
> > > >>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael at maymann.org> wrote:
> > > >>>
> > > >>>  Hi,
> > > >>>>
> > > >>>> got it started... but still ??? dir+logfiles are showing up...
> > > >>>> This is now my rsyslog.conf:
> > > >>>> #SET PRIVILEGES
> > > >>>> $PreserveFQDN on
> > > >>>> $PrivDropToGroup <GROUP>
> > > >>>> $PrivDropToUser <USER>
> > > >>>> $DirCreateMode 0750
> > > >>>> $FileCreateMode 0640
> > > >>>> $UMASK 0027
> > > >>>>
> > > >>>> #LOAD MODULES
> > > >>>> $ModLoad imudp
> > > >>>> $UDPServerRun 514
> > > >>>> $UDPServerAddress 127.0.0.1
> > > >>>> $ModLoad imtcp
> > > >>>> $InputTCPServerRun 514
> > > >>>>
> > > >>>> #SET DESTINATION FOR LOGS
> > > >>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > >>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > >>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > >>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > >>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > >>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > >>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > > >>>>
> > > >>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > > >>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > > >>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > > >>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > > >>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > > >>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > > >>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > > >>>>
> > > >>>> #SET LOGGING CONDITIONS
> > > >>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > > >>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > > >>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > > >>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > > >>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > > >>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> > > >>>>
> > > >>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > > >>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > > >>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > > >>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > > >>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > > >>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > > >>>>
> > > >>>> I have tried with $fromhost, $fromhost-ip and $hostname - but
> > > >>>> all create ??? dir+files...
> > > >>>> What variable should I use to handle this properly?
> > > >>>>
> > > >>>>
> > > >>>> Thanks in advance :-) !
> > > >>>> ~maymann
> > > >>>>
> > > >>>> 2012/2/2 Michael Maymann <michael at maymann.org>
> > > >>>>
> > > >>>>  Hi,
> > > >>>>>
> > > >>>>> David: thanks for your reply...
> > > >>>>> Here is my new rsyslog.conf:
> > > >>>>> #SET PRIVILEGES
> > > >>>>> $PreserveFQDN on
> > > >>>>> $PrivDropToGroup <GROUP>
> > > >>>>> $PrivDropToUser <USER>
> > > >>>>> $DirCreateMode 0750
> > > >>>>> $FileCreateMode 0640
> > > >>>>> $UMASK 0027
> > > >>>>>
> > > >>>>> #LOAD MODULES
> > > >>>>> $ModLoad imudp
> > > >>>>> $UDPServerRun 514
> > > >>>>> $UDPServerAddress 127.0.0.1
> > > >>>>> $ModLoad imtcp
> > > >>>>> $InputTCPServerRun 514
> > > >>>>>
> > > >>>>> #SET DESTINATION FOR LOGS
> > > >>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > >>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > >>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > >>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > >>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > >>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > >>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > > >>>>>
> > > >>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > > >>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > > >>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > > >>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > > >>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > > >>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > > >>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > > >>>>>
> > > >>>>> #SET LOGGING CONDITIONS
> > > >>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> > > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> > > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> > > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> > > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> > > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> > > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
> > > >>>>>
> > > >>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> > > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> > > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> > > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> > > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> > > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> > > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
> > > >>>>>
> > > >>>>> but it fails...:
> > > >>>>> # service rsyslog start
> > > >>>>> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
> > > >>>>>                                                           [  OK  ]
> > > >>>>>
> > > >>>>> my guess is it is my %FROMHOST% == '???' - is this format
> > > >>>>> correct or how is this done...
> > > >>>>>
> > > >>>>>
> > > >>>>> Thanks in advance :-) !
> > > >>>>> ~maymann
> > > >>>>>
> > > >>>>>
> > > >>>>> 2012/2/1 <david at lang.hm>
> > > >>>>>
> > > >>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > > >>>>>
> > > >>>>>>
> > > >>>>>>  Hi,
> > > >>>>>>
> > > >>>>>>>
> > > >>>>>>> I want to log information about hosts that are not logging
> > > >>>>>>> with correct HOSTNAME.
> > > >>>>>>> In my current setup, I get a dir "???" where these host(s)
> > > >>>>>>> are logging to...
> > > >>>>>>>
> > > >>>>>>> I would like to change this to the host's IP instead, something like:
> > > >>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>> rsyslog cannot do what you are asking. It can't assign a
> > > >>>>>> value to a property.
> > > >>>>>>
> > > >>>>>> what you can do is to set up a different template and then if
> > > >>>>>> %fromhost% is your special pattern you can log with this
> > > >>>>>> different template.
> > > >>>>>>
> > > >>>>>> David Lang
> > > >>>>>>
> > > >>>>>> _______________________________________________
> > > >>>>>> rsyslog mailing list
> > > >>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > >>>>>> http://www.rsyslog.com/professional-services/
> > > >>>>>>
> > > >>>>>>
> > > >>>>>
> > > >>>>>
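David Lang's advice in the thread (select a second template when `$fromhost` is the special value, since a property cannot be assigned) and Rainer's observation that `???` is what arrives when reverse DNS resolution fails, put together as one legacy-format rsyslog.conf fragment. This is an added example written for this page, not a configuration from the thread or from the rsyslog project. It reduces the poster's seven facility rules to the `messages` pair for brevity, keeps the thread's `PATH_TO` placeholder, and assumes the debug-capture file name `PATH_TO/unresolved-debug.log`. The `$property` form in the filters is the one the follow-up config in the thread uses once rsyslog starts cleanly; the `%property%` form belongs in templates.

```rsyslog
# Added example for this thread (not the poster's or rsyslog's own config):
# per-host log files keyed on the resolved sender name, with a fallback to
# the sender IP for messages whose reverse lookup failed (FROMHOST = '???').
# PATH_TO is the thread's placeholder; unresolved-debug.log is assumed here.

$PreserveFQDN on
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# A sender's PTR record is remote-controlled data that ends up in a file
# path. Let rsyslog drop messages whose PTR record fails its own sanity
# check, and strip any '/' from the name before it reaches the dynafile path.
$DropMsgsWithMaliciousDnsPTRRecords on

# Hostname-keyed destination; secpath-replace rewrites '/' in the name as '_'.
$template DYNmessages,"PATH_TO/%FROMHOST:::secpath-replace%/%FROMHOST:::secpath-replace%_%$YEAR%.%$MONTH%_messages"
# IP-keyed destination for senders that did not resolve.
$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"

# One filter per line. A filter can compare a property but not assign one,
# so the IP fallback is a second rule choosing a second template rather than
# a rewrite of FROMHOST.
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages

# While the unresolved senders are still being identified, also write every
# property of just those messages with the built-in debug template (the one
# David pointed at); the fromhost-ip field in that output is the address
# that DNS could not resolve.
if $fromhost == '???' then -PATH_TO/unresolved-debug.log;RSYSLOG_DebugFormat
```

The `???` directory the poster sees is the hostname template being applied to unresolved senders; routing those messages to the `FROMHOST-IP` template by a separate rule, as above, is the only way to get the IP into the path because no property on the message can be rewritten from the rule set. The debug action is temporary instrumentation: once the `fromhost-ip` values it records have been given DNS entries or accepted as IP-keyed, remove it so the full-property dump is not kept indefinitely.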