[rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%

Rainer Gerhards rgerhards at hq.adiscon.com
Mon Feb 6 14:03:43 CET 2012


> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Saturday, February 04, 2012 9:27 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> 
> If Rainer creates the instrumented version it would still be good to see
> what's going on. I would say that for fromhost-ip to be '???' is always a
> bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
> IP address, I would also consider that a bug.

Yup, I agree here. It's most probably a bug, at least if no message
indicating something malicious goes along with the problem. Rsyslog checks if
it can trust the IP and prefers not to write it if there is proof something
malicious goes on - the ??? then indicates we do not know the actual IP and is
probably the best to be done in that case. See [1], especially the comments,
for details. I have audited the code and do not see anything obviously wrong.
I noticed that there is already a lot of good debug instrumentation present,
so I just added one additional output, which makes it somewhat easier to scan
for failures inside the log file. It also provides the ultimate proof of why
the function indicates failure.

@Michael: You can obtain the new version via the git master branch (let me
know if you have problems obtaining it). Please try it out. We need to see at
least one occurrence of ??? in order to track down what is going on.
 
> It would be good to track down what's actually happening here.
Indeed, especially as this is the prime reason for making separate devel and
stable branches available. ;-)

Rainer
[1] http://git.adiscon.com/?p=rsyslog.git;a=blob;f=runtime/dnscache.c;h=549bcd9328d53c4da484ac0c7dbd01c6aa2db415;hb=HEAD#l147
> 
> David Lang
> 
> On Sat, 4 Feb 2012, Michael Maymann wrote:
> 
> > Hi,
> >
> > SOLVED...
> >
> > got it working...:-) !
> >
> > I enabled debugging (David: thanks for the hint) and this was one of the
> > entries:
> > ---
> > Debug line with all properties:
> > FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> > syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Feb  4 07:29:40', STRUCTURED-DATA: '-',
> > msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > escaped msg: ' lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > inputname: imudp rawmsg: '<14> Feb  4 07:29:40 <IP> 00828 lldp:  PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > ---
> > The <IP> from the last line was of course the same as in the logfiles...
> > I confuse this to be a client of a rsyslog-client twice... :-o !
> >
> > I could hereafter easily edit my /etc/rsyslog.conf respectively:
> > ---
> > #SET PRIVILEGES
> > $PreserveFQDN on
> > $PrivDropToGroup <GROUP>
> > $PrivDropToUser <USER>
> > $DirCreateMode 0750
> > $FileCreateMode 0640
> > $UMASK 0027
> >
> > #LOAD MODULES
> > $ModLoad imudp
> > $UDPServerRun 514
> > $UDPServerAddress 127.0.0.1
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> >
> > #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> > #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
> >
> > #SET DESTINATION FOR LOGS
> > $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >
> > $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> > $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> > $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> > $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
> >
> > #SET LOGGING CONDITIONS
> > if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> >
> > if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > ---
> >
> > David+Rainer: thanks for your help... much appreciated...:-) !
> >
> > Br.
> > ~maymann
> >
> > 2012/2/4 <david at lang.hm>
> >
> >> I was actually meaning for you to do this on the server where you are
> >> seeing the ??? show up.
> >>
> >> but this does show that the sending machine thinks it's doing everything
> >> correctly (assuming the <HOSTNAME> you put in the message below is actually
> >> correct)
> >>
> >> what I would want to see from the server log is one of the messages with
> >> the ??? in it that you are trying to fix.
> >>
> >>
> >> David Lang
> >>
> >> On Fri, 3 Feb 2012, Michael Maymann wrote:
> >>
> >>> Hi,
> >>>
> >>> David: thanks for your reply...:-) !
> >>>
> >>> This is not a known client causing the "???" entries - I don't know the
> >>> ip(s)/hostname(s), and this is why I would like to log IP instead of
> >>> hostname - as my guess is it is a network device without DNS entry...:-( !
> >>>
> >>> Can I troubleshoot on the server somehow similar... or was that the
> >>> intention all along...:-o !
> >>>
> >>> Here is the client-debug output anyways...:
> >>> # cat messages-debug
> >>> Debug line with all properties:
> >>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
> >>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> >>> TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
> >>> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >>> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >>> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >>>
> >>> Debug line with all properties:
> >>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
> >>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> >>> TIMESTAMP: 'Feb  3 11:14:24', STRUCTURED-DATA: '-',
> >>> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >>> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >>> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >>>
> >>> Debug line with all properties:
> >>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
> >>> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> >>> TIMESTAMP: 'Feb  3 11:14:30', STRUCTURED-DATA: '-',
> >>> msg: ' hej'
> >>> escaped msg: ' hej'
> >>> rawmsg: '<13>Feb  3 11:14:30 root: hej'
> >>>
> >>>
> >>> Thanks in advance :-) !
> >>> ~maymann
> >>>
> >>>
> >>> 2012/2/3 <david at lang.hm>
> >>>
> >>>> oops, that should have been RSYSLOG_DebugFormat template.
> >>>>
> >>>> David Lang
> >>>>
> >>>> On Thu, 2 Feb 2012, david at lang.hm wrote:
> >>>>
> >>>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> >>>>> From: david at lang.hm
> >>>>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
> >>>>> To: rsyslog-users <rsyslog at lists.adiscon.com>
> >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >>>>>
> >>>>> what does one of these messages look like if you write it out with the
> >>>>> RSYSLOG_DEBUG template?
> >>>>>
> >>>>> David Lang
> >>>>>
> >>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> >>>>>
> >>>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
> >>>>>> From: Michael Maymann <michael at maymann.org>
> >>>>>> Reply-To: rsyslog-users <rsyslog at lists.adiscon.com>
> >>>>>> To: rsyslog-users <rsyslog at lists.adiscon.com>
> >>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >>>>>>
> >>>>>> Please... Anyone?
> >>>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael at maymann.org> wrote:
> >>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> got it started... but still ??? dir+logfiles are showing up...
> >>>>>>> This is now my rsyslog.conf:
> >>>>>>> #SET PRIVILEGES
> >>>>>>> $PreserveFQDN on
> >>>>>>> $PrivDropToGroup <GROUP>
> >>>>>>> $PrivDropToUser <USER>
> >>>>>>> $DirCreateMode 0750
> >>>>>>> $FileCreateMode 0640
> >>>>>>> $UMASK 0027
> >>>>>>>
> >>>>>>> #LOAD MODULES
> >>>>>>> $ModLoad imudp
> >>>>>>> $UDPServerRun 514
> >>>>>>> $UDPServerAddress 127.0.0.1
> >>>>>>> $ModLoad imtcp
> >>>>>>> $InputTCPServerRun 514
> >>>>>>>
> >>>>>>> #SET DESTINATION FOR LOGS
> >>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>
> >>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> >>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> >>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> >>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>
> >>>>>>> #SET LOGGING CONDITIONS
> >>>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> >>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> >>>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> >>>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> >>>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> >>>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> >>>>>>>
> >>>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> >>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> >>>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> >>>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> >>>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> >>>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> >>>>>>>
> >>>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all create
> >>>>>>> ??? dir+files...
> >>>>>>> What variable should I use to handle this properly ?
> >>>>>>>
> >>>>>>>
> >>>>>>> Thanks in advance :-) !
> >>>>>>> ~maymann
> >>>>>>>
> >>>>>>> 2012/2/2 Michael Maymann <michael at maymann.org>
> >>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> David: thanks for your reply...
> >>>>>>>> Here is my new rsyslog.conf:
> >>>>>>>> #SET PRIVILEGES
> >>>>>>>> $PreserveFQDN on
> >>>>>>>> $PrivDropToGroup <GROUP>
> >>>>>>>> $PrivDropToUser <USER>
> >>>>>>>> $DirCreateMode 0750
> >>>>>>>> $FileCreateMode 0640
> >>>>>>>> $UMASK 0027
> >>>>>>>>
> >>>>>>>> #LOAD MODULES
> >>>>>>>> $ModLoad imudp
> >>>>>>>> $UDPServerRun 514
> >>>>>>>> $UDPServerAddress 127.0.0.1
> >>>>>>>> $ModLoad imtcp
> >>>>>>>> $InputTCPServerRun 514
> >>>>>>>>
> >>>>>>>> #SET DESTINATION FOR LOGS
> >>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>>
> >>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> >>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> >>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> >>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>>
> >>>>>>>> #SET LOGGING CONDITIONS
> >>>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> >>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> >>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> >>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> >>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> >>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> >>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
> >>>>>>>>
> >>>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> >>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> >>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> >>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> >>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> >>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> >>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
> >>>>>>>>
> >>>>>>>> but it fails...:
> >>>>>>>> # service rsyslog start
> >>>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
> >>>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
> >>>>>>>> means)
> >>>>>>>>                                                          [  OK  ]
> >>>>>>>>
> >>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
> >>>>>>>> is this done...
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Thanks in advance :-) !
> >>>>>>>> ~maymann
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> 2012/2/1 <david at lang.hm>
> >>>>>>>>
> >>>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> >>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>>
> >>>>>>>>>> I want to log information about hosts that are not logging with correct
> >>>>>>>>>> HOSTNAME.
> >>>>>>>>>> In my current setup, I get a dir "???" where these host(s) are logging
> >>>>>>>>>> to...
> >>>>>>>>>>
> >>>>>>>>>> I would like to change this to the hosts IP instead, something like:
> >>>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> >>>>>>>>>
> >>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
> >>>>>>>>> property.
> >>>>>>>>>
> >>>>>>>>> what you can do is to setup a different template and then if %fromhost%
> >>>>>>>>> is your special pattern you can log with this different template.
> >>>>>>>>>
> >>>>>>>>> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
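
The triage step discussed in this thread, finding which sender is behind a '???' entry in RSYSLOG_DebugFormat output, as an added example that is not part of the original messages or of rsyslog. The sample records, the addresses and the helper names (`parse_debug_records`, `safe_dir_name`, `unresolved_sources`) are constructed for illustration; because HOSTNAME is taken from the message text and is therefore set by the sender, the sketch validates it before treating it as a directory name.

```python
import re
from collections import Counter

# Constructed, trimmed sample in the RSYSLOG_DebugFormat layout quoted in the
# thread. Host names and addresses are placeholders, not values from the page.
SAMPLE = """\
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.0.2.10', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
inputname: imudp rawmsg: '<14> Feb  4 07:29:40 192.0.2.10 00828 lldp:  PVID mismatch'

Debug line with all properties:
FROMHOST: 'web01.example.net', fromhost-ip: '192.0.2.20', HOSTNAME: 'web01.example.net', PRI: 13,
inputname: imtcp rawmsg: '<13>Feb  4 07:30:01 web01.example.net root: hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '../../tmp/x', PRI: 14,
inputname: imudp rawmsg: '<14> Feb  4 07:31:12 ../../tmp/x 00828 test'
"""

MARKER = "Debug line with all properties:"
FIELDS = {
    "fromhost": re.compile(r"\bFROMHOST: '([^']*)'"),
    "fromhost_ip": re.compile(r"\bfromhost-ip: '([^']*)'"),
    "hostname": re.compile(r"\bHOSTNAME: '([^']*)'"),
    "inputname": re.compile(r"\binputname: (\S+)"),  # absent in older output
}
# Conservative allow-list for a per-host directory name (assumption of this
# sketch): letters, digits, dot, underscore, hyphen; must start alphanumeric.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")


def parse_debug_records(text):
    """Split debug output into records and pull out the routing properties."""
    records = []
    for block in text.split(MARKER)[1:]:
        rec = {}
        for name, rx in FIELDS.items():
            m = rx.search(block)
            rec[name] = m.group(1) if m else None
        records.append(rec)
    return records


def safe_dir_name(claimed):
    """Return the sender-claimed name only if it cannot leave the log root."""
    if claimed and SAFE_NAME.fullmatch(claimed) and ".." not in claimed:
        return claimed
    return "_invalid"


def unresolved_sources(records):
    """Count records whose FROMHOST is '???', keyed by (claimed name, input)."""
    report = Counter()
    for rec in records:
        if rec["fromhost"] == "???":
            report[(safe_dir_name(rec["hostname"]), rec["inputname"])] += 1
    return report


if __name__ == "__main__":
    for (name, inp), n in unresolved_sources(parse_debug_records(SAMPLE)).items():
        print(f"{n} message(s) with FROMHOST '???' via {inp}, claimed HOSTNAME {name}")
```
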


