
Mailing List Archive: RSyslog: users

if %FROMHOST% == '???' then %FROMHOST% == %IP%

 

 



michael at maymann

Feb 1, 2012, 3:48 AM

Post #1 of 25 (340 views)
if %FROMHOST% == '???' then %FROMHOST% == %IP%

Hi,

I want to log information about hosts that are not logging with correct
HOSTNAME.
In my current setup, I get a dir "???" where these host(s) are logging to...

I would like to change this to the host's IP instead, something like:
if %FROMHOST% == '???' then %FROMHOST% == %IP

But don't know the correct format...
Anyone who can help ?


Thanks in advance :-) !
~maymann
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


david at lang

Feb 1, 2012, 10:50 AM

Post #2 of 25 (335 views)
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP%

On Wed, 1 Feb 2012, Michael Maymann wrote:

> Hi,
>
> I want to log information about hosts that are not logging with correct
> HOSTNAME.
> In my current setup, I get a dir "???" where these host(s) are logging to...
>
> I would like to change this to the hosts IP instead, something like:
> if %FROMHOST% == '???' then %FROMHOST% == %IP

rsyslog cannot do what you are asking. It can't assign a value to a
property.

what you can do is to set up a different template and then if %fromhost% is
your special pattern you can log with this different template.

David Lang


david at lang

Feb 1, 2012, 10:51 AM

Post #3 of 25 (335 views)
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP%

On Wed, 1 Feb 2012, Michael Maymann wrote:

> Hi,
>
> I want to log information about hosts that are not logging with correct
> HOSTNAME.
> In my current setup, I get a dir "???" where these host(s) are logging to...
>
> I would like to change this to the hosts IP instead, something like:
> if %FROMHOST% == '???' then %FROMHOST% == %IP

rsyslog cannot do what you are asking. It can't assign a value to a
property.

what you can do is to set up a different template and then if %fromhost% is
your special pattern you can log with this different template.

David Lang


michael at maymann

Feb 2, 2012, 12:48 AM

Post #4 of 25 (336 views)
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP%

Hi,

David: thanks for your reply...
Here is my new rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps

if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps

but it fails...:
# service rsyslog start
Starting system logger: rsyslogd: run failed with error -2207 (see
rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
means)
[ OK ]

my guess is it is my %FROMHOST% == '???' - is this format correct or how is
this done...

Thanks in advance :-) !
~maymann




michael at maymann

Feb 2, 2012, 5:17 AM

Post #5 of 25 (341 views)
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP%

Hi,

got it started... but still ??? dir+logfiles are showing up...
This is now my rsyslog.conf:
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#SET DESTINATION FOR LOGS
$template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps

I have tried with $fromhost, $fromhost-ip and $hostname - but all create
??? dir+files...
What variable should I use to handle this properly?


Thanks in advance :-) !
~maymann



michael at maymann

Feb 2, 2012, 10:00 PM

Post #6 of 25 (342 views)
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP%

Please... Anyone?


radu0gheorghe at gmail

Feb 2, 2012, 10:40 PM

Post #7 of 25 (334 views)
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP%

2012/2/3 Michael Maymann <michael [at] maymann>:
> Please... Anyone?

I don't think I would be of much help, but here's what I would do:
1. Maybe "???" is not actually the returned string. I would try to
print that in the file (just put it in the template and see if it's
the real string). If it's not, that would explain the behavior. Or
maybe you need to escape it or something.
2. In case I just couldn't solve the problem, I would look at it from
a different angle. Basically, there should be two possibilities:
a. The IPs of logging hosts are changing. In which case you need to
have them report their hostname. Otherwise, there's no point archiving
logs with their IP, because you wouldn't know afterwards which logs
belong to which machine. Once you have that, you can log only based on
$FROMHOST
b. If IPs are more static (or you have a way to determine which IP
belongs to which machine you're looking for when you search the logs),
then you could just log based on $FROMHOST-IP. And maybe you can make
a helper script that would help you find the right logs when you want
to look at them.

Regarding your question:
> What variable should I use to handle this properly ?

By looking here:
http://www.rsyslog.com/doc/property_replacer.html

It seems to be that you're using the right variables :)


david at lang

Feb 2, 2012, 10:44 PM

Post #8 of 25 (334 views)
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP%

what does one of these messages look like if you write it out with the
RSYSLOG_DEBUG template?

David Lang



david at lang

Feb 3, 2012, 1:48 AM

Post #9 of 25 (338 views)
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP%

oops, that should have been RSYSLOG_DebugFormat template.

David Lang
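
One way to capture what the two replies above ask for (the exact property strings, and the message written with RSYSLOG_DebugFormat), as an added example that is not part of the thread. The template name PropCheck and the output file names are made up for illustration; PATH_TO is the placeholder used in the posted rsyslog.conf.

```conf
# Added example (not from the thread). PropCheck and the *.log file names are
# hypothetical; PATH_TO is the placeholder used in the posted rsyslog.conf.

# Bracket each property so that whitespace or non-printing characters around
# the value become visible; "[???]" means the property is exactly that string.
$template PropCheck,"fromhost=[%fromhost%] fromhost-ip=[%fromhost-ip%] hostname=[%hostname%] rawmsg=[%rawmsg%]\n"

# Every received message, written in the bracketed form.
*.* PATH_TO/propcheck.log;PropCheck

# Only the suspect messages, written with rsyslog's built-in debug template.
# Properties are written $name inside an expression and %name% inside a template.
if $fromhost == '???' or $hostname == '???' then PATH_TO/suspect_debug.log;RSYSLOG_DebugFormat
```

Comparing the bracketed values message by message shows which property actually carries `???` for a given sender, and therefore which one the condition has to test.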

On Thu, 2 Feb 2012, david [at] lang wrote:

> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> From: david [at] lang
> Reply-To: rsyslog-users <rsyslog [at] lists>
> To: rsyslog-users <rsyslog [at] lists>
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> what does one of these messages look like if you write it out with the
> RSYSLOG_DEBUG template?
>
> David Lang
>
> On Fri, 3 Feb 2012, Michael Maymann wrote:
>
>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>> From: Michael Maymann <michael [at] maymann>
>> Reply-To: rsyslog-users <rsyslog [at] lists>
>> To: rsyslog-users <rsyslog [at] lists>
>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>
>> Please... Anyone?
>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann> wrote:
>>
>>> Hi,
>>>
>>> got it started... but still ??? dir+logfiles are showing up...
>>> This is now my rsyslog.conf:
>>> #SET PRIVILEGES
>>> $PreserveFQDN on
>>> $PrivDropToGroup <GROUP>
>>> $PrivDropToUser <USER>
>>> $DirCreateMode 0750
>>> $FileCreateMode 0640
>>> $UMASK 0027
>>>
>>> #LOAD MODULES
>>> $ModLoad imudp
>>> $UDPServerRun 514
>>> $UDPServerAddress 127.0.0.1
>>> $ModLoad imtcp
>>> $InputTCPServerRun 514
>>>
>>> #SET DESTINATION FOR LOGS
>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>
>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>
>>> #SET LOGGING CONDITIONS
>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>
>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>>
>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
>>> ??? dir+files...
>>> What variable should I use to handle this properly ?
>>>
>>>
>>> Thanks in advance :-) !
>>> ~maymann
>>>
>>> 2012/2/2 Michael Maymann <michael [at] maymann>
>>>
>>>> Hi,
>>>>
>>>> David: thanks for your reply...
>>>> Here is my new rsyslog.conf:
>>>> #SET PRIVILEGES
>>>> $PreserveFQDN on
>>>> $PrivDropToGroup <GROUP>
>>>> $PrivDropToUser <USER>
>>>> $DirCreateMode 0750
>>>> $FileCreateMode 0640
>>>> $UMASK 0027
>>>>
>>>> #LOAD MODULES
>>>> $ModLoad imudp
>>>> $UDPServerRun 514
>>>> $UDPServerAddress 127.0.0.1
>>>> $ModLoad imtcp
>>>> $InputTCPServerRun 514
>>>>
>>>> #SET DESTINATION FOR LOGS
>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>
>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>
>>>> #SET LOGGING CONDITIONS
>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>>>
>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>>>
>>>> but it fails...:
>>>> # service rsyslog start
>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
>>>> means)
>>>> [ OK ]
>>>>
>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
>>>> is this done...
>>>>
>>>>
>>>> Thanks in advance :-) !
>>>> ~maymann
>>>>
>>>>
>>>> 2012/2/1 <david [at] lang>
>>>>
>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>
>>>>> Hi,
>>>>>>
>>>>>> I want to log information about hosts that are not logging with correct
>>>>>> HOSTNAME.
>>>>>> In my current setup, I get a dir "???" where these host(s) are logging
>>>>>> to...
>>>>>>
>>>>>> I would like to change this to the hosts IP instead, something like:
>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>
>>>>>
>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
>>>>> property.
>>>>>
>>>>> what you can do is to setup a different template and then if %fromhost%
>>>>> is your special pattern you can log with this different template.
>>>>>
>>>>> David Lang


michael at maymann

Feb 3, 2012, 2:23 AM

Post #10 of 25 (334 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Hi,

David: thanks for your reply...:-) !

This is not a known client causing the "???" entries - I don't know the
ip(s)/hostname(s), and this is why I would like to log IP instead of
hostname - as my guess is it is a network device without DNS entry...:-( !

Can I troubleshoot on the server somehow similar... or was that the
intention all along...:-o !

Here is the client-debug output anyways...:
# cat messages-debug
Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'

Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'

Debug line with all properties:
FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
msg: ' hej'
escaped msg: ' hej'
rawmsg: '<13>Feb 3 11:14:30 root: hej'


Thanks in advance :-) !
~maymann


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
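Added example (not from the thread or the rsyslog project): a Python script for the server-side troubleshooting asked about in the post above. It parses RSYSLOG_DebugFormat records in the layout pasted there and groups senders by whether FROMHOST, and fromhost-ip, came out as '???'. The sample records, the addresses and the `unidentified` directory name are constructed for illustration, and a fromhost-ip of '???' is an assumed case, included because it decides whether a %FROMHOST-IP% template can help at all.

```python
"""Group RSYSLOG_DebugFormat records by how well the sender was identified."""
import re
from collections import Counter

RECORD_START = "Debug line with all properties:"
HEADER_FIELD = re.compile(r"(FROMHOST|fromhost-ip|HOSTNAME):\s*'([^']*)'")
RAWMSG = re.compile(r"rawmsg: '(.*)'$")
UNRESOLVED = "???"  # placeholder value reported in the thread

# Constructed sample (documentation addresses, invented messages). The third
# record is re-wrapped the way a mail client or terminal would wrap it.
SAMPLE = """\
Debug line with all properties:
FROMHOST: 'web01.example.com', fromhost-ip: '192.0.2.10', HOSTNAME: 'web01', PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
msg: ' hej'
escaped msg: ' hej'
rawmsg: '<13>Feb 3 11:14:30 web01 root: hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '198.51.100.7', HOSTNAME: '???', PRI: 190,
syslogtag 'link:', programname: 'link', APP-NAME: 'link', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:15:00', STRUCTURED-DATA: '-',
msg: ' port 2 down'
escaped msg: ' port 2 down'
rawmsg: '<190>link: port 2 down'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '198.51.100.7', HOSTNAME:
'???',
PRI: 190,
syslogtag 'link:', programname: 'link', APP-NAME: 'link', PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:15:01', STRUCTURED-DATA: '-',
msg: ' port 2 up'
escaped msg: ' port 2 up'
rawmsg: '<190>link: port 2 up'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 190,
syslogtag 'link:', programname: 'link', APP-NAME: 'link', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:15:02', STRUCTURED-DATA: '-',
msg: ' port 4 up'
escaped msg: ' port 4 up'
rawmsg: '<190>link: port 4 up'
"""


def parse_records(text):
    """Return one dict per record: FROMHOST, fromhost-ip, HOSTNAME (if present), rawmsg."""
    records = []
    for chunk in text.split(RECORD_START)[1:]:
        # Collapse whitespace so a field split across lines still parses
        # (this also collapses runs of spaces inside rawmsg).
        flat = " ".join(chunk.split())
        # Read names only from the part before 'syslogtag', so quoted text
        # inside the message body can never be mistaken for a header field.
        header = flat.split(" syslogtag ", 1)[0]
        fields = dict(HEADER_FIELD.findall(header))
        if "FROMHOST" not in fields or "fromhost-ip" not in fields:
            continue  # truncated or foreign text, not a debug record
        raw = RAWMSG.search(flat)
        fields["rawmsg"] = raw.group(1) if raw else ""
        records.append(fields)
    return records


def classify(rec):
    """'named', 'ip-only' (name is ??? but the IP is known) or 'unidentified'."""
    if rec["FROMHOST"] != UNRESOLVED:
        return "named"
    if rec["fromhost-ip"] != UNRESOLVED:
        return "ip-only"
    return "unidentified"


def log_dir_for(rec):
    """Directory name per sender: its name, else its IP, else a catch-all."""
    kind = classify(rec)
    if kind == "named":
        return rec["FROMHOST"]
    if kind == "ip-only":
        return rec["fromhost-ip"]
    return "unidentified"  # hypothetical catch-all name, not an rsyslog default


def summarise(text):
    """Count records per name and per IP; keep rawmsg where neither is known."""
    report = {"named": Counter(), "ip-only": Counter(), "unidentified": []}
    for rec in parse_records(text):
        kind = classify(rec)
        if kind == "unidentified":
            report["unidentified"].append(rec["rawmsg"])
        else:
            report[kind][log_dir_for(rec)] += 1
    return report


if __name__ == "__main__":
    result = summarise(SAMPLE)
    print("resolved by name :", dict(result["named"]))
    print("known only by IP :", dict(result["ip-only"]))
    print("no name and no IP:", result["unidentified"])
```

Records that land in the last group cannot be separated by any template built on the sender properties; their rawmsg is the only remaining clue to what is sending them.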


rgerhards at hq

Feb 3, 2012, 7:43 AM

Post #11 of 25 (333 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

I just checked where the ??? could be routed in. I see one case that happens
when the DNS resolution fails. Would you be willing to run an instrumented
build to capture a debug log so that we see when this happens?

rainer

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 11:24 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Hi,
>
> David: thanks for you reply...:-) !
>
> This is not a known client causing the "???" entries - I don't know the
> ip(s)/hostname(s), and this is why i would like to log IP instead of
hostname -
> as my guess is it is a network device without DNS entry...:-( !
>
> Can I troubleshoot on the server somehow similar... or was that the
intention
> all along...:-o !
>
> Here is the client-debug output anyways...:
> # cat messages-debug
> Debug line with all properties:
> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> '<HOSTNAME>',
> PRI: 6,
> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
> '-', MSGID: '-',
> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>
> Debug line with all properties:
> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> '<HOSTNAME>',
> PRI: 46,
> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
> PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="
> http://www.rsyslog.com"] (re)start'
> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
> x-info="http://www.rsyslog.com"] (re)start'
> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
> x-info="http://www.rsyslog.com"] (re)start'
>
> Debug line with all properties:
> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> '<HOSTNAME>',
> PRI: 13,
> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-',
> MSGID: '-',
> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> msg: ' hej'
> escaped msg: ' hej'
> rawmsg: '<13>Feb 3 11:14:30 root: hej'
>
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/3 <david [at] lang>
>
> > oops, that should have been RSYSLOG_DebugFormat template.
> >
> > David Lang
> >
> > On Thu, 2 Feb 2012, david [at] lang wrote:
> >
> > Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> >> From: david [at] lang
> >>
> >> Reply-To: rsyslog-users <rsyslog [at] lists>
> >> To: rsyslog-users <rsyslog [at] lists>
> >> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> %IP%
> >>
> >> what does one of these messages look like if you write it out with
> >> the RSYSLOG_DEBUG template?
> >>
> >> David Lang
> >>
> >> On Fri, 3 Feb 2012, Michael Maymann wrote:
> >>
> >> Date: Fri, 3 Feb 2012 07:00:26 +0100
> >>> From: Michael Maymann <michael [at] maymann>
> >>> Reply-To: rsyslog-users <rsyslog [at] lists>
> >>> To: rsyslog-users <rsyslog [at] lists>
> >>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> >>> %IP%
> >>>
> >>> Please... Anyone?
> >>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann>
> wrote:
> >>>
> >>> Hi,
> >>>>
> >>>> got it started... but still ??? dir+logfiles are showing up...
> >>>> This is now my rsyslog.conf:
> >>>> #SET PRIVILEGES
> >>>> $PreserveFQDN on
> >>>> $PrivDropToGroup <GROUP>
> >>>> $PrivDropToUser <USER>
> >>>> $DirCreateMode 0750
> >>>> $FileCreateMode 0640
> >>>> $UMASK 0027
> >>>>
> >>>> #LOAD MODULES
> >>>> $ModLoad imudp
> >>>> $UDPServerRun 514
> >>>> $UDPServerAddress 127.0.0.1
> >>>> $ModLoad imtcp
> >>>> $InputTCPServerRun 514
> >>>>
> >>>> #SET DESTINATION FOR LOGS
> >>>> $template
> >>>>
> DYNmessages,"PATH_TO/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**
> >>>> $MONTH%_messages"
> >>>> $template
> >>>>
> DYNsecure,"PATH_TO/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO
> NTH%_*
> >>>> *secure"
> >>>> $template
> >>>>
> DYNmaillog,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO
> NTH%_**maillog"
> >>>> $template
> >>>>
> DYNcron,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> H%_**
> >>>> cron"
> >>>> $template
> >>>>
> DYNspooler,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO
> NTH%_**spooler"
> >>>> $template
> >>>>
> DYNboot,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> H%_**
> >>>> boot.log"
> >>>> $template
> >>>>
> DYNtraps,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> H%_**
> >>>> traps"
> >>>>
> >>>> $template
> >>>> DYNIPmessages,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> IP%_%$**
> >>>> YEAR%.%$MONTH%_messages"
> >>>> $template
> >>>> DYNIPsecure,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> IP%_%$**
> >>>> YEAR%.%$MONTH%_secure"
> >>>> $template
> >>>> DYNIPmaillog,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> IP%_%$**
> >>>> YEAR%.%$MONTH%_maillog"
> >>>> $template
> >>>> DYNIPcron,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> IP%_%$YEAR%.%$**
> >>>> MONTH%_cron"
> >>>> $template
> >>>> DYNIPspooler,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> IP%_%$**
> >>>> YEAR%.%$MONTH%_spooler"
> >>>> $template
> >>>> DYNIPboot,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> IP%_%$YEAR%.%$**
> >>>> MONTH%_boot.log"
> >>>> $template
> >>>> DYNIPtraps,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> IP%_%$YEAR%.%$**
> >>>> MONTH%_traps"
> >>>>
> >>>> #SET LOGGING CONDITIONS
> >>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> >>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then
> >>>> ?DYNsecure if $syslogfacility-text == 'mail' and $fromhost != '???'
> >>>> then ?DYNmaillog if $syslogfacility-text == 'cron' and $fromhost !=
> >>>> '???' then ?DYNcron if $syslogseverity-text == 'crit' and $fromhost
> >>>> != '???' then ?DYNspooler if $syslogfacility-text == 'local7' and
> >>>> $fromhost != '???' then ?DYNboot if $syslogfacility-text ==
> >>>> 'local6' and $syslogseverity-text == 'WARNING'
> >>>> and $fromhost != '???' then ?DYNtraps
> >>>>
> >>>> if $syslogseverity <= '6' and $fromhost == '???' then
> >>>> ?DYNIPmessages if $syslogfacility-text == 'authpriv' and $fromhost
> >>>> == '???' then ?DYNIPsecure if $syslogfacility-text == 'mail' and
> >>>> $fromhost == '???' then ?DYNIPmaillog if $syslogfacility-text ==
> >>>> 'cron' and $fromhost == '???' then ?DYNIPcron if
> >>>> $syslogseverity-text == 'crit' and $fromhost == '???' then
> >>>> ?DYNIPspooler if $syslogfacility-text == 'local7' and $fromhost ==
> >>>> '???' then ?DYNIPboot if $syslogfacility-text == 'local6' and
> >>>> $syslogseverity-text == 'WARNING'
> >>>> and $fromhost == '???' then ?DYNIPtraps
> >>>>
> >>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all
> >>>> creates ??? dir+files...
> >>>> What variable should I use to handle this properly ?
> >>>>
> >>>>
> >>>> Thanks in advance :-) !
> >>>> ~maymann
> >>>>
> >>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> >>>>
> >>>> Hi,
> >>>>>
> >>>>> David: thanks for your reply...
> >>>>> Here is my new rsyslog.conf:
> >>>>> #SET PRIVILEGES
> >>>>> $PreserveFQDN on
> >>>>> $PrivDropToGroup <GROUP>
> >>>>> $PrivDropToUser <USER>
> >>>>> $DirCreateMode 0750
> >>>>> $FileCreateMode 0640
> >>>>> $UMASK 0027
> >>>>>
> >>>>> #LOAD MODULES
> >>>>> $ModLoad imudp
> >>>>> $UDPServerRun 514
> >>>>> $UDPServerAddress 127.0.0.1
> >>>>> $ModLoad imtcp
> >>>>> $InputTCPServerRun 514
> >>>>>
> >>>>> #SET DESTINATION FOR LOGS
> >>>>> $template
> >>>>>
> DYNmessages,"PATH_TO/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**
> >>>>> $MONTH%_messages"
> >>>>> $template
> >>>>>
> DYNsecure,"PATH_TO/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO
> NTH%_**secure"
> >>>>> $template
> >>>>>
> DYNmaillog,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO
> NTH%_**
> >>>>> maillog"
> >>>>> $template
> >>>>>
> DYNcron,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> H%_**
> >>>>> cron"
> >>>>> $template
> >>>>>
> DYNspooler,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO
> NTH%_**
> >>>>> spooler"
> >>>>> $template
> >>>>>
> DYNboot,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> H%_**boot.log"
> >>>>> $template
> >>>>>
> DYNtraps,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> H%_*
> >>>>> *traps"
> >>>>>
> >>>>> $template
> >>>>> DYNIPmessages,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> IP%_%$**
> >>>>> YEAR%.%$MONTH%_messages"
> >>>>> $template
> >>>>> DYNIPsecure,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> IP%_%$**
> >>>>> YEAR%.%$MONTH%_secure"
> >>>>> $template
> >>>>> DYNIPmaillog,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> IP%_%$**
> >>>>> YEAR%.%$MONTH%_maillog"
> >>>>> $template
> >>>>> DYNIPcron,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> IP%_%$YEAR%.%$**
> >>>>> MONTH%_cron"
> >>>>> $template
> >>>>> DYNIPspooler,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> IP%_%$**
> >>>>> YEAR%.%$MONTH%_spooler"
> >>>>> $template
> >>>>> DYNIPboot,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> IP%_%$YEAR%.%$**
> >>>>> MONTH%_boot.log"
> >>>>> $template
> >>>>> DYNIPtraps,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> IP%_%$YEAR%.%$**
> >>>>> MONTH%_traps"
> >>>>>
> >>>>> #SET LOGGING CONDITIONS
> >>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then
> >>>>> ?DYNmessages if $syslogfacility-text == 'authpriv' and %FROMHOST%
> >>>>> != '???' then ?DYNsecure if $syslogfacility-text == 'mail' and
> >>>>> %FROMHOST% != '???' then ?DYNmaillog if $syslogfacility-text ==
> >>>>> 'cron' and %FROMHOST% != '???' then ?DYNcron if
> >>>>> $syslogseverity-text == 'crit' and %FROMHOST% != '???' then
> >>>>> ?DYNspooler if $syslogfacility-text == 'local7' and %FROMHOST% !=
> >>>>> '???' then ?DYNboot if $syslogfacility-text == 'local6' and
> >>>>> $syslogseverity-text == 'WARNING'
> >>>>> and %FROMHOST% != '???' then ?DYNtraps
> >>>>>
> >>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then
> >>>>> ?DYNIPmessages if $syslogfacility-text == 'authpriv' and
> >>>>> %FROMHOST% == '???' then ?DYNIPsecure if $syslogfacility-text ==
> >>>>> 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog if
> >>>>> $syslogfacility-text == 'cron' and %FROMHOST% == '???' then
> >>>>> ?DYNIPcron if $syslogseverity-text == 'crit' and %FROMHOST% ==
> >>>>> '???' then ?DYNIPspooler if $syslogfacility-text == 'local7' and
> >>>>> %FROMHOST% == '???' then ?DYNIPboot if $syslogfacility-text ==
> >>>>> 'local6' and $syslogseverity-text == 'WARNING'
> >>>>> and %FROMHOST% == '???' then ?DYNIPtraps
> >>>>>
> >>>>> but it fails...:
> >>>>> # service rsyslog start
> >>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
> >>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that
> >>>>> number
> >>>>> means)
> >>>>> [ OK ]
> >>>>>
> >>>>> my guess is it is my %FROMHOST% == '???' - is this format correct
> >>>>> or how is this done...
> >>>>>
> >>>>>
> >>>>> Thanks in advance :-) !
> >>>>> ~maymann
> >>>>>
> >>>>>
> >>>>> 2012/2/1 <david [at] lang>
> >>>>>
> >>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> >>>>>
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>>>
> >>>>>>> I want to log information about hosts that are not logging with
> >>>>>>> correct HOSTNAME.
> >>>>>>> In my current setup, I get a dir "???" where these host(s) are
> >>>>>>> logging to...
> >>>>>>>
> >>>>>>> I would like to change this to the hosts IP instead, something like:
> >>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> >>>>>>>
> >>>>>>>
> >>>>>> rsyslog cannot do what you are asking. It can't assign a value to
> >>>>>> a property.
> >>>>>>
> >>>>>> what you can do is to setup a different template and then if
> >>>>>> %fromhost% is your special pattern you can log with this
> >>>>>> different template.
> >>>>>>
> >>>>>> David Lang


michael at maymann

Feb 3, 2012, 8:02 AM

Post #12 of 25 (334 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Sure...:-) !

~maymann


2012/2/3 Rainer Gerhards <rgerhards [at] hq>

> I just checked where the ??? could be routed in. I see one case that happens
> when the DNS resolution fails. Would you be willing to run an instrumented
> build to capture a debug log so that we see when this happens?
>
> rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > bounces [at] lists] On Behalf Of Michael Maymann
> > Sent: Friday, February 03, 2012 11:24 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >
> > Hi,
> >
> > David: thanks for your reply...:-) !
> >
> > This is not a known client causing the "???" entries - I don't know the
> > ip(s)/hostname(s), and this is why I would like to log IP instead of
> > hostname - as my guess is it is a network device without DNS entry...:-( !
> >
> > Can I troubleshoot on the server somehow similar... or was that the
> > intention all along...:-o !
> >
> > Here is the client-debug output anyways...:
> > # cat messages-debug
> > Debug line with all properties:
> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> > '<HOSTNAME>',
> > PRI: 6,
> > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
> > '-', MSGID: '-',
> > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >
> > Debug line with all properties:
> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> > '<HOSTNAME>',
> > PRI: 46,
> > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
> > PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >
> > Debug line with all properties:
> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> > '<HOSTNAME>',
> > PRI: 13,
> > syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-',
> > MSGID: '-',
> > TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> > msg: ' hej'
> > escaped msg: ' hej'
> > rawmsg: '<13>Feb 3 11:14:30 root: hej'
> >
> >
> > Thanks in advance :-) !
> > ~maymann
> >
> >
> > 2012/2/3 <david [at] lang>
> >
> > > oops, that should have been RSYSLOG_DebugFormat template.
> > >
> > > David Lang
> > >
> > > On Thu, 2 Feb 2012, david [at] lang wrote:
> > >
> > > Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > >> From: david [at] lang
> > >>
> > >> Reply-To: rsyslog-users <rsyslog [at] lists>
> > >> To: rsyslog-users <rsyslog [at] lists>
> > >> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >>
> > >> what does one of these messages look like if you write it out with
> > >> the RSYSLOG_DEBUG template?
> > >>
> > >> David Lang
> > >>
> > >> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >>
> > >> Date: Fri, 3 Feb 2012 07:00:26 +0100
> > >>> From: Michael Maymann <michael [at] maymann>
> > >>> Reply-To: rsyslog-users <rsyslog [at] lists>
> > >>> To: rsyslog-users <rsyslog [at] lists>
> > >>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> > >>> %IP%
> > >>>
> > >>> Please... Anyone?
> > >>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann>
> > wrote:
> > >>>
> > >>> Hi,
> > >>>>
> > >>>> got it started... but still ??? dir+logfiles are showing up...
> > >>>> This is now my rsyslog.conf:
> > >>>> #SET PRIVILEGES
> > >>>> $PreserveFQDN on
> > >>>> $PrivDropToGroup <GROUP>
> > >>>> $PrivDropToUser <USER>
> > >>>> $DirCreateMode 0750
> > >>>> $FileCreateMode 0640
> > >>>> $UMASK 0027
> > >>>>
> > >>>> #LOAD MODULES
> > >>>> $ModLoad imudp
> > >>>> $UDPServerRun 514
> > >>>> $UDPServerAddress 127.0.0.1
> > >>>> $ModLoad imtcp
> > >>>> $InputTCPServerRun 514
> > >>>>
> > >>>> #SET DESTINATION FOR LOGS
> > >>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>
> > >>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>
> > >>>> #SET LOGGING CONDITIONS
> > >>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > >>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > >>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > >>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > >>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > >>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> > >>>>
> > >>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > >>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > >>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > >>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > >>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > >>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > >>>>
> > >>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all
> > >>>> creates ??? dir+files...
> > >>>> What variable should I use to handle this properly ?
> > >>>>
> > >>>>
> > >>>> Thanks in advance :-) !
> > >>>> ~maymann
> > >>>>
> > >>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> > >>>>
> > >>>> Hi,
> > >>>>>
> > >>>>> David: thanks for your reply...
> > >>>>> Here is my new rsyslog.conf:
> > >>>>> #SET PRIVILEGES
> > >>>>> $PreserveFQDN on
> > >>>>> $PrivDropToGroup <GROUP>
> > >>>>> $PrivDropToUser <USER>
> > >>>>> $DirCreateMode 0750
> > >>>>> $FileCreateMode 0640
> > >>>>> $UMASK 0027
> > >>>>>
> > >>>>> #LOAD MODULES
> > >>>>> $ModLoad imudp
> > >>>>> $UDPServerRun 514
> > >>>>> $UDPServerAddress 127.0.0.1
> > >>>>> $ModLoad imtcp
> > >>>>> $InputTCPServerRun 514
> > >>>>>
> > >>>>> #SET DESTINATION FOR LOGS
> > >>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>
> > >>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>>
> > >>>>> #SET LOGGING CONDITIONS
> > >>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
> > >>>>>
> > >>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
> > >>>>>
> > >>>>> but it fails...:
> > >>>>> # service rsyslog start
> > >>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
> > >>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that
> > >>>>> number means)
> > >>>>> [ OK ]
> > >>>>>
> > >>>>> my guess is it is my %FROMHOST% == '???' - is this format correct
> > >>>>> or how is this done...
> > >>>>>
> > >>>>>
> > >>>>> Thanks in advance :-) !
> > >>>>> ~maymann
> > >>>>>
> > >>>>>
> > >>>>> 2012/2/1 <david [at] lang>
> > >>>>>
> > >>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > >>>>>
> > >>>>>>
> > >>>>>> Hi,
> > >>>>>>
> > >>>>>>>
> > >>>>>>> I want to log information about hosts that are not logging with
> > >>>>>>> correct HOSTNAME.
> > >>>>>>> In my current setup, I get a dir "???" where these host(s) are
> > >>>>>>> logging to...
> > >>>>>>>
> > >>>>>>> I would like to change this to the hosts IP instead, something like:
> > >>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > >>>>>>>
> > >>>>>>>
> > >>>>>> rsyslog cannot do what you are asking. It can't assign a value to
> > >>>>>> a property.
> > >>>>>>
> > >>>>>> what you can do is to setup a different template and then if
> > >>>>>> %fromhost% is your special pattern you can log with this
> > >>>>>> different template.
> > >>>>>>
> > >>>>>> David Lang


michael at maymann

Feb 3, 2012, 8:05 AM

Post #13 of 25 (333 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Perhaps we could also figure this <PrivDropToUser>-thing out at the same
time...:-) !

~maymann

2012/2/3 Michael Maymann <michael [at] maymann>

> Sure...:-) !
>
> ~maymann
>
>
>
> 2012/2/3 Rainer Gerhards <rgerhards [at] hq>
>
>> I just checked where the ??? could be routed in. I see one case that happens
>> when the DNS resolution fails. Would you be willing to run an instrumented
>> build to capture a debug log so that we see when this happens?
>>
>> rainer


rgerhards at hq

Feb 3, 2012, 8:06 AM

Post #14 of 25 (333 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Ok - I am right now upgrading a module to the v6 config format, will add some
instrumentation as next step. Probably Monday.

rainer

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 5:03 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Sure...:-) !
>
> ~maymann
>
>
> 2012/2/3 Rainer Gerhards <rgerhards [at] hq>
>
> > I just checked where the ??? could be routed in. I see one case that
> > happens when the DNS resolution fails. Would you be willing to run an
> > instrumented build to capture a debug log so that we see when this
> > happens?
> >
> > rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of Michael Maymann
> > > Sent: Friday, February 03, 2012 11:24 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> > > %IP%
> > >
> > > Hi,
> > >
> > > David: thanks for your reply...:-) !
> > >
> > > This is not a known client causing the "???" entries - I don't know
> > > the ip(s)/hostname(s), and this is why I would like to log IP
> > > instead of hostname -
> > > as my guess is it is a network device without DNS entry...:-( !
> > >
> > > Can I troubleshoot on the server somehow similar... or was that the
> > > intention all along...:-o !
> > >
> > > Here is the client-debug output anyways...:
> > > # cat messages-debug
> > > Debug line with all properties:
> > > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
> > > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> > > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > > msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >
> > > Debug line with all properties:
> > > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
> > > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> > > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > > msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > > escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > > rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >
> > > Debug line with all properties:
> > > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
> > > syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> > > TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> > > msg: ' hej'
> > > escaped msg: ' hej'
> > > rawmsg: '<13>Feb 3 11:14:30 root: hej'
> > >
> > >
> > > Thanks in advance :-) !
> > > ~maymann
> > >
> > >
> > > 2012/2/3 <david [at] lang>
> > >
> > > > oops, that should have been RSYSLOG_DebugFormat template.
> > > >
> > > > David Lang
> > > >
> > > > On Thu, 2 Feb 2012, david [at] lang wrote:
> > > >
> > > > Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > > >> From: david [at] lang
> > > >>
> > > >> Reply-To: rsyslog-users <rsyslog [at] lists>
> > > >> To: rsyslog-users <rsyslog [at] lists>
> > > >> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > > >>
> > > >> what does one of these messages look like if you write it out
> > > >> with the RSYSLOG_DEBUG template?
> > > >>
> > > >> David Lang
> > > >>
> > > >> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > > >>
> > > >> Date: Fri, 3 Feb 2012 07:00:26 +0100
> > > >>> From: Michael Maymann <michael [at] maymann>
> > > >>> Reply-To: rsyslog-users <rsyslog [at] lists>
> > > >>> To: rsyslog-users <rsyslog [at] lists>
> > > >>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > > >>>
> > > >>> Please... Anyone?
> > > >>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann> wrote:
> > > >>>
> > > >>> Hi,
> > > >>>>
> > > >>>> got it started... but still ??? dir+logfiles are showing up...
> > > >>>> This is now my rsyslog.conf:
> > > >>>> #SET PRIVILEGES
> > > >>>> $PreserveFQDN on
> > > >>>> $PrivDropToGroup <GROUP>
> > > >>>> $PrivDropToUser <USER>
> > > >>>> $DirCreateMode 0750
> > > >>>> $FileCreateMode 0640
> > > >>>> $UMASK 0027
> > > >>>>
> > > >>>> #LOAD MODULES
> > > >>>> $ModLoad imudp
> > > >>>> $UDPServerRun 514
> > > >>>> $UDPServerAddress 127.0.0.1
> > > >>>> $ModLoad imtcp
> > > >>>> $InputTCPServerRun 514
> > > >>>>
> > > >>>> #SET DESTINATION FOR LOGS
> > > >>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > >>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > >>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > >>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > >>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > >>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > >>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > > >>>>
> > > >>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > > >>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > > >>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > > >>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > > >>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > > >>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > > >>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > > >>>>
> > > >>>> #SET LOGGING CONDITIONS
> > > >>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > > >>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > > >>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > > >>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > > >>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > > >>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> > > >>>>
> > > >>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > > >>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > > >>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > > >>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > > >>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > > >>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > > >>>>
> > > >>>> I have tried with $fromhost, $fromhost-ip and $hostname - but
> > > >>>> all creates ??? dir+files...
> > > >>>> What variable should I use to handle this properly ?
> > > >>>>
> > > >>>>
> > > >>>> Thanks in advance :-) !
> > > >>>> ~maymann
> > > >>>>
> > > >>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> > > >>>>
> > > >>>> Hi,
> > > >>>>>
> > > >>>>> David: thanks for your reply...
> > > >>>>> Here is my new rsyslog.conf:
> > > >>>>> #SET PRIVILEGES
> > > >>>>> $PreserveFQDN on
> > > >>>>> $PrivDropToGroup <GROUP>
> > > >>>>> $PrivDropToUser <USER>
> > > >>>>> $DirCreateMode 0750
> > > >>>>> $FileCreateMode 0640
> > > >>>>> $UMASK 0027
> > > >>>>>
> > > >>>>> #LOAD MODULES
> > > >>>>> $ModLoad imudp
> > > >>>>> $UDPServerRun 514
> > > >>>>> $UDPServerAddress 127.0.0.1
> > > >>>>> $ModLoad imtcp
> > > >>>>> $InputTCPServerRun 514
> > > >>>>>
> > > >>>>> #SET DESTINATION FOR LOGS
> > > >>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > >>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > >>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > >>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > >>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > >>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > >>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > > >>>>>
> > > >>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > > >>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > > >>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > > >>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > > >>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > > >>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > > >>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > > >>>>>
> > > >>>>> #SET LOGGING CONDITIONS
> > > >>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> > > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> > > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> > > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> > > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> > > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> > > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
> > > >>>>>
> > > >>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> > > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> > > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> > > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> > > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> > > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> > > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
> > > >>>>>
> > > >>>>> but it fails...:
> > > >>>>> # service rsyslog start
> > > >>>>> Starting system logger: rsyslogd: run failed with error -2207
> > > >>>>> (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn
> > > >>>>> what that number means)
> > > >>>>> [ OK ]
> > > >>>>>
> > > >>>>> my guess is it is my %FROMHOST% == '???' - is this format
> > > >>>>> correct or how is this done...
> > > >>>>>
> > > >>>>>
> > > >>>>> Thanks in advance :-) !
> > > >>>>> ~maymann
> > > >>>>>
> > > >>>>>
> > > >>>>> 2012/2/1 <david [at] lang>
> > > >>>>>
> > > >>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > > >>>>>
> > > >>>>>>
> > > >>>>>> Hi,
> > > >>>>>>
> > > >>>>>>>
> > > >>>>>>> I want to log information about hosts that are not logging
> > > >>>>>>> with correct HOSTNAME.
> > > >>>>>>> In my current setup, I get a dir "???" where these host(s)
> > > >>>>>>> are logging to...
> > > >>>>>>>
> > > >>>>>>> I would like to change this to the hosts IP instead,
> > > >>>>>>> something like:
> > > >>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>> rsyslog cannot do what you are asking. It can't assign a
> > > >>>>>> value to a property.
> > > >>>>>>
> > > >>>>>> what you can do is to setup a different template and then if
> > > >>>>>> %fromhost% is your special pattern you can log with this
> > > >>>>>> different template.
> > > >>>>>>
> > > >>>>>> David Lang
> > > >>>>>>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
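
Added example, not part of the thread: one way to approach the server-side question raised above is to write the suspect traffic out with the RSYSLOG_DebugFormat template and list which fromhost-ip values sit behind the '???' records. The sample records are constructed on the model of the debug output quoted above (documentation-range addresses, made-up host names), and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

MARKER = "Debug line with all properties:"

# First line of each RSYSLOG_DebugFormat record, in the layout quoted in the thread.
HEADER = re.compile(
    r"FROMHOST:\s*'(?P<fromhost>[^']*)',\s*"
    r"fromhost-ip:\s*'(?P<ip>[^']*)',\s*"
    r"HOSTNAME:\s*'(?P<hostname>[^']*)'"
)
RAWMSG = re.compile(r"^rawmsg:\s*'(?P<raw>.*)'\s*$", re.M)

# Constructed sample input (not taken from the thread).
SAMPLE = """\
Debug line with all properties:
FROMHOST: 'web01.example.net', fromhost-ip: '192.0.2.10', HOSTNAME: 'web01.example.net', PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
msg: ' hej'
escaped msg: ' hej'
rawmsg: '<13>Feb 3 11:14:30 root: hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '198.51.100.7', HOSTNAME: 'sw-core', PRI: 189,
syslogtag 'link:', programname: 'link', APP-NAME: 'link', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:15:01', STRUCTURED-DATA: '-',
msg: ' port 12 down'
escaped msg: ' port 12 down'
rawmsg: '<189>Feb 3 11:15:01 sw-core link: port 12 down'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '198.51.100.7', HOSTNAME: 'sw-core', PRI: 189,
syslogtag 'link:', programname: 'link', APP-NAME: 'link', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:15:04', STRUCTURED-DATA: '-',
msg: ' port 12 up'
escaped msg: ' port 12 up'
rawmsg: '<189>Feb 3 11:15:04 sw-core link: port 12 up'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 134,
syslogtag 'fw:', programname: 'fw', APP-NAME: 'fw', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 3 11:15:09', STRUCTURED-DATA: '-',
msg: ' drop'
escaped msg: ' drop'
rawmsg: '<134>Feb 3 11:15:09 fw: drop'
"""


def parse_records(text):
    """Split debug-format output into records; keep the sender fields and rawmsg."""
    records = []
    for chunk in text.split(MARKER)[1:]:
        head = HEADER.search(chunk)  # first match only: the record's own header line
        if head is None:
            continue
        rec = head.groupdict()
        raw = RAWMSG.search(chunk)
        rec["rawmsg"] = raw.group("raw") if raw else ""
        records.append(rec)
    return records


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def unresolved_senders(records, placeholder="???"):
    """Count placeholder-named records per sender IP.

    Records whose fromhost-ip is not a usable address either are returned
    separately as raw messages, since only the payload can identify them.
    """
    by_ip = Counter()
    no_ip = []
    for rec in records:
        if rec["fromhost"] != placeholder:
            continue
        if is_ip(rec["ip"]):
            by_ip[rec["ip"]] += 1
        else:
            no_ip.append(rec["rawmsg"])
    return by_ip, no_ip


if __name__ == "__main__":
    counts, unknown = unresolved_senders(parse_records(SAMPLE))
    for ip, n in counts.most_common():
        print(f"{ip}\t{n} message(s) logged under '???'")
    for raw in unknown:
        print(f"no usable sender address: {raw}")
```
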


rgerhards at hq

Feb 3, 2012, 8:09 AM

Post #15 of 25 (333 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Michael,

you really don't understand me: I do not see ANY problem at all what could be
wrong in rsyslog (I don't say there is none...)! All I see is that it
operates correctly! So tell me how should I instrument it? What to look for?
And why?

I don't think I can help you here without further input on why the script
reports this failure. Don't be upset, but I won't respond any longer to this
thread as it turns out to become a huge waste of time for me...

I wish I had a better answer...

Rainer

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Friday, February 03, 2012 5:06 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Perhaps we could also figure this <PrivDropToUser>-thing out at the same
> time...:-) !
>
> ~maymann
>
> 2012/2/3 Michael Maymann <michael [at] maymann>
>
> > Sure...:-) !
> >
> > ~maymann
> >
> >
> >
> > 2012/2/3 Rainer Gerhards <rgerhards [at] hq>
> >
> >> I just checked where the ??? could be routed in. I see one case that
> >> happens when the DNS resolution fails. Would you be willing to run
> >> an instrumented build to capture a debug log so that we see when this
> >> happens?
> >>
> >> rainer
> >>
> >> > -----Original Message-----
> >> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> >> > bounces [at] lists] On Behalf Of Michael Maymann
> >> > Sent: Friday, February 03, 2012 11:24 AM
> >> > To: rsyslog-users
> >> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> >> > %IP%
> >> >
> >> > Hi,
> >> >
> >> > David: thanks for you reply...:-) !
> >> >
> >> > This is not a known client causing the "???" entries - I don't know
> >> > the ip(s)/hostname(s), and this is why i would like to log IP
> >> > instead of
> >> hostname -
> >> > as my guess is it is a network device without DNS entry...:-( !
> >> >
> >> > Can I troubleshoot on the server somehow similar... or was that the
> >> intention
> >> > all along...:-o !
> >> >
> >> > Here is the client-debug output anyways...:
> >> > # cat messages-debug
> >> > Debug line with all properties:
> >> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> >> > '<HOSTNAME>',
> >> > PRI: 6,
> >> > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel',
PROCID:
> >> > '-', MSGID: '-',
> >> > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> >> > msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >> > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >> > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >> >
> >> > Debug line with all properties:
> >> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> >> > '<HOSTNAME>',
> >> > PRI: 46,
> >> > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> >> > 'rsyslogd',
> >> > PROCID: '-', MSGID: '-',
> >> > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> >> > msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
> >> x-info="
> >> > http://www.rsyslog.com"] (re)start'
> >> > escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2"
> >> x-pid="13432"
> >> > x-info="http://www.rsyslog.com"] (re)start'
> >> > rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
> >> > x-info="http://www.rsyslog.com"] (re)start'
> >> >
> >> > Debug line with all properties:
> >> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> >> > '<HOSTNAME>',
> >> > PRI: 13,
> >> > syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID:
> >> > '-',
> >> > MSGID: '-',
> >> > TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> >> > msg: ' hej'
> >> > escaped msg: ' hej'
> >> > rawmsg: '<13>Feb 3 11:14:30 root: hej'
> >> >
> >> >
> >> > Thanks in advance :-) !
> >> > ~maymann
> >> >
> >> >
> >> > 2012/2/3 <david [at] lang>
> >> >
> >> > > oops, that should have been RSYSLOG_DebugFormat template.
> >> > >
> >> > > David Lang
> >> > >
> >> > > On Thu, 2 Feb 2012, david [at] lang wrote:
> >> > >
> >> > > Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> >> > >> From: david [at] lang
> >> > >>
> >> > >> Reply-To: rsyslog-users <rsyslog [at] lists>
> >> > >> To: rsyslog-users <rsyslog [at] lists>
> >> > >> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST%
> ==
> >> > %IP%
> >> > >>
> >> > >> what does one of these messages look like if you write it out
> >> > >> with the RSYSLOG_DEBUG template?
> >> > >>
> >> > >> David Lang
> >> > >>
> >> > >> On Fri, 3 Feb 2012, Michael Maymann wrote:
> >> > >>
> >> > >> Date: Fri, 3 Feb 2012 07:00:26 +0100
> >> > >>> From: Michael Maymann <michael [at] maymann>
> >> > >>> Reply-To: rsyslog-users <rsyslog [at] lists>
> >> > >>> To: rsyslog-users <rsyslog [at] lists>
> >> > >>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST%
> >> > >>> == %IP%
> >> > >>>
> >> > >>> Please... Anyone?
> >> > >>> On Feb 2, 2012 2:17 PM, "Michael Maymann"
> <michael [at] maymann>
> >> > wrote:
> >> > >>>
> >> > >>> Hi,
> >> > >>>>
> >> > >>>> got it started... but still ??? dir+logfiles are showing up...
> >> > >>>> This is now my rsyslog.conf:
> >> > >>>> #SET PRIVILEGES
> >> > >>>> $PreserveFQDN on
> >> > >>>> $PrivDropToGroup <GROUP>
> >> > >>>> $PrivDropToUser <USER>
> >> > >>>> $DirCreateMode 0750
> >> > >>>> $FileCreateMode 0640
> >> > >>>> $UMASK 0027
> >> > >>>>
> >> > >>>> #LOAD MODULES
> >> > >>>> $ModLoad imudp
> >> > >>>> $UDPServerRun 514
> >> > >>>> $UDPServerAddress 127.0.0.1
> >> > >>>> $ModLoad imtcp
> >> > >>>> $InputTCPServerRun 514
> >> > >>>>
> >> > >>>> #SET DESTINATION FOR LOGS
> >> > >>>> $template
> >> > >>>>
> >> >
> DYNmessages,"PATH_TO/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**
> >> > >>>> $MONTH%_messages"
> >> > >>>> $template
> >> > >>>>
> >> >
> DYNsecure,"PATH_TO/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO
> >> > NTH%_*
> >> > >>>> *secure"
> >> > >>>> $template
> >> > >>>>
> >> >
> DYNmaillog,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO
> >> > NTH%_**maillog"
> >> > >>>> $template
> >> > >>>>
> >> >
> DYNcron,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> >> > H%_**
> >> > >>>> cron"
> >> > >>>> $template
> >> > >>>>
> >> >
> DYNspooler,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO
> >> > NTH%_**spooler"
> >> > >>>> $template
> >> > >>>>
> >> >
> DYNboot,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> >> > H%_**
> >> > >>>> boot.log"
> >> > >>>> $template
> >> > >>>>
> >> >
> DYNtraps,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> >> > H%_**
> >> > >>>> traps"
> >> > >>>>
> >> > >>>> $template
> >> > >>>> DYNIPmessages,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> >> > IP%_%$**
> >> > >>>> YEAR%.%$MONTH%_messages"
> >> > >>>> $template
> >> > >>>> DYNIPsecure,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> >> > IP%_%$**
> >> > >>>> YEAR%.%$MONTH%_secure"
> >> > >>>> $template
> >> > >>>> DYNIPmaillog,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> >> > IP%_%$**
> >> > >>>> YEAR%.%$MONTH%_maillog"
> >> > >>>> $template
> >> > >>>> DYNIPcron,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> >> > IP%_%$YEAR%.%$**
> >> > >>>> MONTH%_cron"
> >> > >>>> $template
> >> > >>>> DYNIPspooler,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> >> > IP%_%$**
> >> > >>>> YEAR%.%$MONTH%_spooler"
> >> > >>>> $template
> >> > >>>> DYNIPboot,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> >> > IP%_%$YEAR%.%$**
> >> > >>>> MONTH%_boot.log"
> >> > >>>> $template
> >> > >>>> DYNIPtraps,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> >> > IP%_%$YEAR%.%$**
> >> > >>>> MONTH%_traps"
> >> > >>>>
> >> > >>>> #SET LOGGING CONDITIONS
> >> > >>>> if $syslogseverity <= '6' and $fromhost != '???' then
> >> > >>>> ?DYNmessages if $syslogfacility-text == 'authpriv' and
> >> > >>>> $fromhost != '???' then ?DYNsecure if $syslogfacility-text ==
'mail'
> and $fromhost != '???'
> >> > >>>> then ?DYNmaillog if $syslogfacility-text == 'cron' and
> >> > >>>> $fromhost != '???' then ?DYNcron if $syslogseverity-text ==
> >> > >>>> 'crit' and $fromhost != '???' then ?DYNspooler if
> >> > >>>> $syslogfacility-text == 'local7' and $fromhost != '???' then
> >> > >>>> ?DYNboot if $syslogfacility-text == 'local6' and
$syslogseverity-text
> == 'WARNING'
> >> > >>>> and $fromhost != '???' then ?DYNtraps
> >> > >>>>
> >> > >>>> if $syslogseverity <= '6' and $fromhost == '???' then
> >> > >>>> ?DYNIPmessages if $syslogfacility-text == 'authpriv' and
> >> > >>>> $fromhost == '???' then ?DYNIPsecure if $syslogfacility-text
> >> > >>>> == 'mail' and $fromhost == '???' then ?DYNIPmaillog if
> >> > >>>> $syslogfacility-text == 'cron' and $fromhost == '???' then
> >> > >>>> ?DYNIPcron if $syslogseverity-text == 'crit' and $fromhost ==
> >> > >>>> '???' then ?DYNIPspooler if $syslogfacility-text == 'local7'
> >> > >>>> and $fromhost == '???' then ?DYNIPboot if $syslogfacility-text
> >> > >>>> == 'local6' and $syslogseverity-text == 'WARNING'
> >> > >>>> and $fromhost == '???' then ?DYNIPtraps
> >> > >>>>
> >> > >>>> I have tried with $fromhost, $fromhost-ip and $hostname - but
> >> > >>>> all creates ??? dir+files...
> >> > >>>> What variable should I use to handle this properly ?
> >> > >>>>
> >> > >>>>
> >> > >>>> Thanks in advance :-) !
> >> > >>>> ~maymann
> >> > >>>>
> >> > >>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> >> > >>>>
> >> > >>>> Hi,
> >> > >>>>>
> >> > >>>>> David: thanks for your reply...
> >> > >>>>> Here is my new rsyslog.conf:
> >> > >>>>> #SET PRIVILEGES
> >> > >>>>> $PreserveFQDN on
> >> > >>>>> $PrivDropToGroup <GROUP>
> >> > >>>>> $PrivDropToUser <USER>
> >> > >>>>> $DirCreateMode 0750
> >> > >>>>> $FileCreateMode 0640
> >> > >>>>> $UMASK 0027
> >> > >>>>>
> >> > >>>>> #LOAD MODULES
> >> > >>>>> $ModLoad imudp
> >> > >>>>> $UDPServerRun 514
> >> > >>>>> $UDPServerAddress 127.0.0.1
> >> > >>>>> $ModLoad imtcp
> >> > >>>>> $InputTCPServerRun 514
> >> > >>>>>
> >> > >>>>> #SET DESTINATION FOR LOGS
> >> > >>>>> $template
> >> > >>>>>
> >> >
> DYNmessages,"PATH_TO/%**FROMHOST%/%FROMHOST%_%$YEAR%.%**
> >> > >>>>> $MONTH%_messages"
> >> > >>>>> $template
> >> > >>>>>
> >> >
> DYNsecure,"PATH_TO/%FROMHOST%/**%FROMHOST%_%$YEAR%.%$MO
> >> > NTH%_**secure"
> >> > >>>>> $template
> >> > >>>>>
> >> >
> DYNmaillog,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO
> >> > NTH%_**
> >> > >>>>> maillog"
> >> > >>>>> $template
> >> > >>>>>
> >> >
> DYNcron,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> >> > H%_**
> >> > >>>>> cron"
> >> > >>>>> $template
> >> > >>>>>
> >> >
> DYNspooler,"PATH_TO/%FROMHOST%**/%FROMHOST%_%$YEAR%.%$MO
> >> > NTH%_**
> >> > >>>>> spooler"
> >> > >>>>> $template
> >> > >>>>>
> >> >
> DYNboot,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> >> > H%_**boot.log"
> >> > >>>>> $template
> >> > >>>>>
> >> >
> DYNtraps,"PATH_TO/%FROMHOST%/%**FROMHOST%_%$YEAR%.%$MONT
> >> > H%_*
> >> > >>>>> *traps"
> >> > >>>>>
> >> > >>>>> $template
> >> > >>>>> DYNIPmessages,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> >> > IP%_%$**
> >> > >>>>> YEAR%.%$MONTH%_messages"
> >> > >>>>> $template
> >> > >>>>> DYNIPsecure,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> >> > IP%_%$**
> >> > >>>>> YEAR%.%$MONTH%_secure"
> >> > >>>>> $template
> >> > >>>>> DYNIPmaillog,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> >> > IP%_%$**
> >> > >>>>> YEAR%.%$MONTH%_maillog"
> >> > >>>>> $template
> >> > >>>>> DYNIPcron,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> >> > IP%_%$YEAR%.%$**
> >> > >>>>> MONTH%_cron"
> >> > >>>>> $template
> >> > >>>>> DYNIPspooler,"PATH_TO/%**FROMHOST-IP%/%FROMHOST-
> >> > IP%_%$**
> >> > >>>>> YEAR%.%$MONTH%_spooler"
> >> > >>>>> $template
> >> > >>>>> DYNIPboot,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> >> > IP%_%$YEAR%.%$**
> >> > >>>>> MONTH%_boot.log"
> >> > >>>>> $template
> >> > >>>>> DYNIPtraps,"PATH_TO/%FROMHOST-**IP%/%FROMHOST-
> >> > IP%_%$YEAR%.%$**
> >> > >>>>> MONTH%_traps"
> >> > >>>>>
> >> > >>>>> #SET LOGGING CONDITIONS
> >> > >>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then
> >> > >>>>> ?DYNmessages if $syslogfacility-text == 'authpriv' and
> >> > >>>>> %FROMHOST% != '???' then ?DYNsecure if $syslogfacility-text
> >> > >>>>> == 'mail' and %FROMHOST% != '???' then ?DYNmaillog if
> >> > >>>>> $syslogfacility-text == 'cron' and %FROMHOST% != '???' then
> >> > >>>>> ?DYNcron if $syslogseverity-text == 'crit' and %FROMHOST% !=
> >> > >>>>> '???' then ?DYNspooler if $syslogfacility-text == 'local7'
> >> > >>>>> and %FROMHOST% != '???' then ?DYNboot if $syslogfacility-text
> >> > >>>>> == 'local6' and $syslogseverity-text == 'WARNING'
> >> > >>>>> and %FROMHOST% != '???' then ?DYNtraps
> >> > >>>>>
> >> > >>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then
> >> > >>>>> ?DYNIPmessages if $syslogfacility-text == 'authpriv' and
> >> > >>>>> %FROMHOST% == '???' then ?DYNIPsecure if $syslogfacility-text
> >> > >>>>> == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog if
> >> > >>>>> $syslogfacility-text == 'cron' and %FROMHOST% == '???' then
> >> > >>>>> ?DYNIPcron if $syslogseverity-text == 'crit' and %FROMHOST%
> >> > >>>>> == '???' then ?DYNIPspooler if $syslogfacility-text ==
> >> > >>>>> 'local7' and %FROMHOST% == '???' then ?DYNIPboot if
> >> > >>>>> $syslogfacility-text == 'local6' and $syslogseverity-text ==
> 'WARNING'
> >> > >>>>> and %FROMHOST% == '???' then ?DYNIPtraps
> >> > >>>>>
> >> > >>>>> but it fails...:
> >> > >>>>> # service rsyslog start
> >> > >>>>> Starting system logger: rsyslogd: run failed with error -2207
> >> > >>>>> (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn
> >> > >>>>> what that number
> >> > >>>>> means)
> >> > >>>>> [
> >> > >>>>> OK ]
> >> > >>>>>
> >> > >>>>> my guess is it is my %FROMHOST% == '???' - is this format
> >> > >>>>> correct or how is this done...
> >> > >>>>>
> >> > >>>>>
> >> > >>>>> Thanks in advance :-) !
> >> > >>>>> ~maymann
> >> > >>>>>
> >> > >>>>>
> >> > >>>>> 2012/2/1 <david [at] lang>
> >> > >>>>>
> >> > >>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> >> > >>>>>
> >> > >>>>>>
> >> > >>>>>> Hi,
> >> > >>>>>>
> >> > >>>>>>>
> >> > >>>>>>> I want to log information about hosts that are not logging
> >> > >>>>>>> with correct HOSTNAME.
> >> > >>>>>>> In my current setup, I get a dir "???" where these host(s)
> >> > >>>>>>> are logging to...
> >> > >>>>>>>
> >> > >>>>>>> I would like to change this to the hosts IP instead,
> >> > >>>>>>> something
> >> like:
> >> > >>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>> rsyslog cannot do what you are asking. It can't assign a
> >> > >>>>>> value to a property.
> >> > >>>>>>
> >> > >>>>>> what you can do is to setup a different template and then if
> >> > >>>>>> %fromhost% is your special pattern you can log with this
> >> > >>>>>> different template.
> >> > >>>>>>
> >> > >>>>>> David Lang
> >> > >>>>>>


michael at maymann

Feb 3, 2012, 8:22 AM

Post #16 of 25 (333 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Perfect...:-) !

Hi Rainer: No problem. Taking this back to the original thread...

Have a nice weekend :-) !


Br.
~maymann

2012/2/3 Rainer Gerhards <rgerhards [at] hq>

> Michael,
>
> you really don't understand me: I do not see ANY problem at all what could be
> wrong in rsyslog (I don't say there is none...)! All I see is that it
> operates correctly! So tell me how should I instrument it? What to look for?
> And why?
>
> I don't think I can help you here without further input on why the script
> reports this failure. Don't be upset, but I won't respond any longer to this
> thread as it turns out to become a huge waste of time for me...
>
> I wish I had a better answer...
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > bounces [at] lists] On Behalf Of Michael Maymann
> > Sent: Friday, February 03, 2012 5:06 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >
> > Perhaps we could also figure this <PrivDropToUser>-thing out at the same
> > time...:-) !
> >
> > ~maymann
> >
> > 2012/2/3 Michael Maymann <michael [at] maymann>
> >
> > > Sure...:-) !
> > >
> > > ~maymann
> > >
> > >
> > >
> > > 2012/2/3 Rainer Gerhards <rgerhards [at] hq>
> > >
> > >> I just checked where the ??? could be routed in. I see one case that
> > >> happens when the DNS resolution fails. Would you be willing to run
> > >> an instrumented build to capture a debug log so that we see when this
> > >> happens?
> > >>
> > >> rainer
> > >>
> > >> > -----Original Message-----
> > >> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > >> > bounces [at] lists] On Behalf Of Michael Maymann
> > >> > Sent: Friday, February 03, 2012 11:24 AM
> > >> > To: rsyslog-users
> > >> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> > >> > %IP%
> > >> >
> > >> > Hi,
> > >> >
> > >> > David: thanks for your reply...:-) !
> > >> >
> > >> > This is not a known client causing the "???" entries - I don't know
> > >> > the ip(s)/hostname(s), and this is why I would like to log IP
> > >> > instead of hostname - as my guess is it is a network device
> > >> > without DNS entry...:-( !
> > >> >
> > >> > Can I troubleshoot on the server somehow similar... or was that the
> > >> > intention all along...:-o !
> > >> >
> > >> > Here is the client-debug output anyways...:
> > >> > # cat messages-debug
> > >> > Debug line with all properties:
> > >> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
> > >> > syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> > >> > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> > msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> > escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> > rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> >
> > >> > Debug line with all properties:
> > >> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
> > >> > syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> > >> > TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> > msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> > escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> > rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> >
> > >> > Debug line with all properties:
> > >> > FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
> > >> > syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> > >> > TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> > >> > msg: ' hej'
> > >> > escaped msg: ' hej'
> > >> > rawmsg: '<13>Feb 3 11:14:30 root: hej'
> > >> >
> > >> >
> > >> > Thanks in advance :-) !
> > >> > ~maymann
> > >> >
> > >> >
> > >> > 2012/2/3 <david [at] lang>
> > >> >
> > >> > > oops, that should have been RSYSLOG_DebugFormat template.
> > >> > >
> > >> > > David Lang
> > >> > >
> > >> > > On Thu, 2 Feb 2012, david [at] lang wrote:
> > >> > >
> > >> > > Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > >> > >> From: david [at] lang
> > >> > >>
> > >> > >> Reply-To: rsyslog-users <rsyslog [at] lists>
> > >> > >> To: rsyslog-users <rsyslog [at] lists>
> > >> > >> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> > >> > >>
> > >> > >> what does one of these messages look like if you write it out
> > >> > >> with the RSYSLOG_DEBUG template?
> > >> > >>
> > >> > >> David Lang
> > >> > >>
> > >> > >> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >> > >>
> > >> > >> Date: Fri, 3 Feb 2012 07:00:26 +0100
> > >> > >>> From: Michael Maymann <michael [at] maymann>
> > >> > >>> Reply-To: rsyslog-users <rsyslog [at] lists>
> > >> > >>> To: rsyslog-users <rsyslog [at] lists>
> > >> > >>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST%
> > >> > >>> == %IP%
> > >> > >>>
> > >> > >>> Please... Anyone?
> > >> > >>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann> wrote:
> > >> > >>>
> > >> > >>> Hi,
> > >> > >>>>
> > >> > >>>> got it started... but still ??? dir+logfiles are showing up...
> > >> > >>>> This is now my rsyslog.conf:
> > >> > >>>> #SET PRIVILEGES
> > >> > >>>> $PreserveFQDN on
> > >> > >>>> $PrivDropToGroup <GROUP>
> > >> > >>>> $PrivDropToUser <USER>
> > >> > >>>> $DirCreateMode 0750
> > >> > >>>> $FileCreateMode 0640
> > >> > >>>> $UMASK 0027
> > >> > >>>>
> > >> > >>>> #LOAD MODULES
> > >> > >>>> $ModLoad imudp
> > >> > >>>> $UDPServerRun 514
> > >> > >>>> $UDPServerAddress 127.0.0.1
> > >> > >>>> $ModLoad imtcp
> > >> > >>>> $InputTCPServerRun 514
> > >> > >>>>
> > >> > >>>> #SET DESTINATION FOR LOGS
> > >> > >>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >> > >>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >> > >>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >> > >>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >> > >>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >> > >>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >> > >>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >> > >>>>
> > >> > >>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >> > >>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >> > >>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >> > >>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >> > >>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >> > >>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >> > >>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >> > >>>>
> > >> > >>>> #SET LOGGING CONDITIONS
> > >> > >>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > >> > >>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > >> > >>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > >> > >>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > >> > >>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > >> > >>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > >> > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
> > >> > >>>> and $fromhost != '???' then ?DYNtraps
> > >> > >>>>
> > >> > >>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > >> > >>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > >> > >>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > >> > >>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > >> > >>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > >> > >>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > >> > >>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
> > >> > >>>> and $fromhost == '???' then ?DYNIPtraps
> > >> > >>>>
> > >> > >>>> I have tried with $fromhost, $fromhost-ip and $hostname - but
> > >> > >>>> all creates ??? dir+files...
> > >> > >>>> What variable should I use to handle this properly ?
> > >> > >>>>
> > >> > >>>>
> > >> > >>>> Thanks in advance :-) !
> > >> > >>>> ~maymann
> > >> > >>>>
> > >> > >>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> > >> > >>>>
> > >> > >>>> Hi,
> > >> > >>>>>
> > >> > >>>>> David: thanks for your reply...
> > >> > >>>>> Here is my new rsyslog.conf:
> > >> > >>>>> #SET PRIVILEGES
> > >> > >>>>> $PreserveFQDN on
> > >> > >>>>> $PrivDropToGroup <GROUP>
> > >> > >>>>> $PrivDropToUser <USER>
> > >> > >>>>> $DirCreateMode 0750
> > >> > >>>>> $FileCreateMode 0640
> > >> > >>>>> $UMASK 0027
> > >> > >>>>>
> > >> > >>>>> #LOAD MODULES
> > >> > >>>>> $ModLoad imudp
> > >> > >>>>> $UDPServerRun 514
> > >> > >>>>> $UDPServerAddress 127.0.0.1
> > >> > >>>>> $ModLoad imtcp
> > >> > >>>>> $InputTCPServerRun 514
> > >> > >>>>>
> > >> > >>>>> #SET DESTINATION FOR LOGS
> > >> > >>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >> > >>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >> > >>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >> > >>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >> > >>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >> > >>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >> > >>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >> > >>>>>
> > >> > >>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >> > >>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >> > >>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >> > >>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >> > >>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >> > >>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >> > >>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >> > >>>>>
> > >> > >>>>> #SET LOGGING CONDITIONS
> > >> > >>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> > >> > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> > >> > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> > >> > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> > >> > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> > >> > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> > >> > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
> > >> > >>>>> and %FROMHOST% != '???' then ?DYNtraps
> > >> > >>>>>
> > >> > >>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> > >> > >>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> > >> > >>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> > >> > >>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> > >> > >>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> > >> > >>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> > >> > >>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
> > >> > >>>>> and %FROMHOST% == '???' then ?DYNIPtraps
> > >> > >>>>>
> > >> > >>>>> but it fails...:
> > >> > >>>>> # service rsyslog start
> > >> > >>>>> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
> > >> > >>>>> [ OK ]
> > >> > >>>>>
> > >> > >>>>> my guess is it is my %FROMHOST% == '???' - is this format
> > >> > >>>>> correct or how is this done...
> > >> > >>>>>
> > >> > >>>>>
> > >> > >>>>> Thanks in advance :-) !
> > >> > >>>>> ~maymann
> > >> > >>>>>
> > >> > >>>>>
> > >> > >>>>> 2012/2/1 <david [at] lang>
> > >> > >>>>>
> > >> > >>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > >> > >>>>>
> > >> > >>>>>>
> > >> > >>>>>> Hi,
> > >> > >>>>>>
> > >> > >>>>>>>
> > >> > >>>>>>> I want to log information about hosts that are not logging
> > >> > >>>>>>> with correct HOSTNAME.
> > >> > >>>>>>> In my current setup, I get a dir "???" where these host(s)
> > >> > >>>>>>> are logging to...
> > >> > >>>>>>>
> > >> > >>>>>>> I would like to change this to the hosts IP instead,
> > >> > >>>>>>> something like:
> > >> > >>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > >> > >>>>>>>
> > >> > >>>>>>>
> > >> > >>>>>> rsyslog cannot do what you are asking. It can't assign a
> > >> > >>>>>> value to a property.
> > >> > >>>>>>
> > >> > >>>>>> what you can do is to setup a different template and then if
> > >> > >>>>>> %fromhost% is your special pattern you can log with this
> > >> > >>>>>> different template.
> > >> > >>>>>>
> > >> > >>>>>> David Lang
> > >> > >>>>>>
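Reading RSYSLOG_DebugFormat output of the kind quoted in the message above back in on the receiving server, as an added example (not code from the thread or from rsyslog): a small parser that lists which fromhost-ip values sit behind FROMHOST '???'. The sample records are constructed in the layout of the quoted output; host names and addresses are placeholders, and one header is wrapped the way mail clients wrapped it in this thread.

```python
import re
from collections import Counter

MARKER = "Debug line with all properties:"

# Header fields RSYSLOG_DebugFormat writes right after the marker line.
# Mail clients may wrap that line, so gaps between fields match loosely.
HEADER_RE = re.compile(
    r"FROMHOST: '(?P<fromhost>[^']*)',\s+"
    r"fromhost-ip: '(?P<ip>[^']*)',\s+"
    r"HOSTNAME: '(?P<hostname>[^']*)',\s+"
    r"PRI: (?P<pri>\d+),"
)

# Constructed sample (not from the thread); names and addresses are placeholders.
SAMPLE = """\
Debug line with all properties:
FROMHOST: 'web01.example.test', fromhost-ip: '192.0.2.10', HOSTNAME: 'web01', PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:14:30', STRUCTURED-DATA: '-',
msg: ' FROMHOST: '???', fromhost-ip: '203.0.113.5', HOSTNAME: 'x', PRI: 13,'
escaped msg: ' FROMHOST: '???', fromhost-ip: '203.0.113.5', HOSTNAME: 'x', PRI: 13,'
rawmsg: '<13>Feb  3 11:14:30 root: FROMHOST: '???', fromhost-ip: '203.0.113.5', HOSTNAME: 'x', PRI: 13,'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '198.51.100.7', HOSTNAME: 'sw-core', PRI: 189,
syslogtag 'link:', programname: 'link', APP-NAME: 'link', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:15:02', STRUCTURED-DATA: '-',
msg: ' port 12 up'
escaped msg: ' port 12 up'
rawmsg: '<189>Feb  3 11:15:02 sw-core link: port 12 up'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '198.51.100.7',
HOSTNAME: 'sw-core', PRI: 188,
syslogtag 'link:', programname: 'link', APP-NAME: 'link', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:15:09', STRUCTURED-DATA: '-',
msg: ' port 12 down'
escaped msg: ' port 12 down'
rawmsg: '<188>Feb  3 11:15:09 sw-core link: port 12 down'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '198.51.100.9', HOSTNAME: 'ap-lobby', PRI: 30,
syslogtag 'hostapd:', programname: 'hostapd', APP-NAME: 'hostapd', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  3 11:16:40', STRUCTURED-DATA: '-',
msg: ' station associated'
escaped msg: ' station associated'
rawmsg: '<30>Feb  3 11:16:40 ap-lobby hostapd: station associated'
"""


def parse_debug_records(text):
    """Return one dict per RSYSLOG_DebugFormat record in text."""
    lines = text.splitlines()
    records = []
    i = 0
    while i < len(lines):
        if lines[i].strip() != MARKER:
            i += 1
            continue
        i += 1
        header = []
        # Stop at the "syslogtag" line: msg/rawmsg are sender-controlled and
        # may contain text that looks like header fields.
        while i < len(lines) and len(header) < 3:
            line = lines[i].strip()
            if line.startswith("syslogtag ") or line == MARKER:
                break
            header.append(line)
            i += 1
        match = HEADER_RE.fullmatch(" ".join(header))
        if match is None:
            continue  # truncated or damaged record
        pri = int(match.group("pri"))
        records.append({
            "fromhost": match.group("fromhost"),
            "ip": match.group("ip"),
            "hostname": match.group("hostname"),
            "facility": pri >> 3,  # PRI = facility * 8 + severity
            "severity": pri & 7,
        })
    return records


def unresolved_senders(records, placeholder="???"):
    """Count records per source IP whose FROMHOST is the placeholder."""
    return Counter(r["ip"] for r in records if r["fromhost"] == placeholder)


if __name__ == "__main__":
    for ip, count in unresolved_senders(parse_debug_records(SAMPLE)).most_common():
        print(f"{ip}\t{count} message(s) logged under '???'")
```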


david at lang

Feb 3, 2012, 7:39 PM

Post #17 of 25 (339 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

I was actually meaning for you to do this on the server where you are
seeing the ??? show up.

but this does show that the sending machine thinks it's doing everything
correctly (assuming the <HOSTNAME> you put in the message below is actually
correct)

what I would want to see from the server log is one of the messages with
the ??? in it that you are trying to fix.

David Lang

On Fri, 3 Feb 2012, Michael Maymann wrote:

> Hi,
>
> David: thanks for your reply...:-) !
>
> This is not a known client causing the "???" entries - I don't know the
> ip(s)/hostname(s), and this is why I would like to log IP instead of
> hostname - as my guess is it is a network device without DNS entry...:-( !
>
> Can I troubleshoot on the server somehow similar... or was that the
> intention all along...:-o !
>
> Here is the client-debug output anyways...:
> # cat messages-debug
> Debug line with all properties:
> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>
> Debug line with all properties:
> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>
> Debug line with all properties:
> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> msg: ' hej'
> escaped msg: ' hej'
> rawmsg: '<13>Feb 3 11:14:30 root: hej'
>
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/3 <david [at] lang>
>
>> oops, that should have been RSYSLOG_DebugFormat template.
>>
>> David Lang
>>
>> On Thu, 2 Feb 2012, david [at] lang wrote:
>>
>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>>> From: david [at] lang
>>>
>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>> To: rsyslog-users <rsyslog [at] lists>
>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>
>>> what does one of these messages look like if you write it out with the
>>> RSYSLOG_DEBUG template?
>>>
>>> David Lang
>>>
>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>
>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>>>> From: Michael Maymann <michael [at] maymann>
>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>> To: rsyslog-users <rsyslog [at] lists>
>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>
>>>> Please... Anyone?
>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann> wrote:
>>>>
>>>> Hi,
>>>>>
>>>>> got it started... but still ??? dir+logfiles are showing up...
>>>>> This is now my rsyslog.conf:
>>>>> #SET PRIVILEGES
>>>>> $PreserveFQDN on
>>>>> $PrivDropToGroup <GROUP>
>>>>> $PrivDropToUser <USER>
>>>>> $DirCreateMode 0750
>>>>> $FileCreateMode 0640
>>>>> $UMASK 0027
>>>>>
>>>>> #LOAD MODULES
>>>>> $ModLoad imudp
>>>>> $UDPServerRun 514
>>>>> $UDPServerAddress 127.0.0.1
>>>>> $ModLoad imtcp
>>>>> $InputTCPServerRun 514
>>>>>
>>>>> #SET DESTINATION FOR LOGS
>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>
>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>
>>>>> #SET LOGGING CONDITIONS
>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
>>>>> and $fromhost != '???' then ?DYNtraps
>>>>>
>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
>>>>> and $fromhost == '???' then ?DYNIPtraps
>>>>>
>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
>>>>> ??? dir+files...
>>>>> What variable should I use to handle this properly ?
>>>>>
>>>>>
>>>>> Thanks in advance :-) !
>>>>> ~maymann
>>>>>
>>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
>>>>>
>>>>> Hi,
>>>>>>
>>>>>> David: thanks for your reply...
>>>>>> Here is my new rsyslog.conf:
>>>>>> #SET PRIVILEGES
>>>>>> $PreserveFQDN on
>>>>>> $PrivDropToGroup <GROUP>
>>>>>> $PrivDropToUser <USER>
>>>>>> $DirCreateMode 0750
>>>>>> $FileCreateMode 0640
>>>>>> $UMASK 0027
>>>>>>
>>>>>> #LOAD MODULES
>>>>>> $ModLoad imudp
>>>>>> $UDPServerRun 514
>>>>>> $UDPServerAddress 127.0.0.1
>>>>>> $ModLoad imtcp
>>>>>> $InputTCPServerRun 514
>>>>>>
>>>>>> #SET DESTINATION FOR LOGS
>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>
>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>
>>>>>> #SET LOGGING CONDITIONS
>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
>>>>>> and %FROMHOST% != '???' then ?DYNtraps
>>>>>>
>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING'
>>>>>> and %FROMHOST% == '???' then ?DYNIPtraps
>>>>>>
>>>>>> but it fails...:
>>>>>> # service rsyslog start
>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
>>>>>> [ OK ]
>>>>>>
>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
>>>>>> is this done...
>>>>>>
>>>>>>
>>>>>> Thanks in advance :-) !
>>>>>> ~maymann
>>>>>>
>>>>>>
>>>>>> 2012/2/1 <david [at] lang>
>>>>>>
>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>>
>>>>>>>> I want to log information about hosts that are not logging with correct
>>>>>>>> HOSTNAME.
>>>>>>>> In my current setup, I get a dir "???" where these host(s) are logging
>>>>>>>> to...
>>>>>>>>
>>>>>>>> I would like to change this to the hosts IP instead, something like:
>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>>>
>>>>>>>>
>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
>>>>>>> property.
>>>>>>>
>>>>>>> what you can do is to setup a different template and then if
>>>>>>> %fromhost%
>>>>>>> is your special pattern you can log with this different template.
>>>>>>>
>>>>>>> David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


michael at maymann

Feb 4, 2012, 12:09 AM

Post #18 of 25 (333 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Hi,

SOLVED...

got it working...:-) !

I enabled debugging (David: thanks for the hint) and this was one of the
entries:
---
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID
unknown)(769216)'
escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port
2(VID unknown)(769216)'
inputname: imudp rawmsg: '<14> Feb 4 07:29:40 <IP> 00828 lldp: PVID
mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
---
The <IP> from the last line was of course the same as in the logfiles...
I confuse this to be a client of a rsyslog-client twice... :-o !

I could hereafter easily edit my /etc/rsyslog.conf respectively:
---
#SET PRIVILEGES
$PreserveFQDN on
$PrivDropToGroup <GROUP>
$PrivDropToUser <USER>
$DirCreateMode 0750
$FileCreateMode 0640
$UMASK 0027

#LOAD MODULES
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
$ModLoad imtcp
$InputTCPServerRun 514

#DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
#*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat

#SET DESTINATION FOR LOGS
$template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
$template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
$template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
$template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
$template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
$template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
$template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"

$template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
$template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
$template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
$template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
$template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
$template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
$template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"

#SET LOGGING CONDITIONS
if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps

if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
---

David+Rainer: thanks for your help... much appreciated...:-) !

Br.
~maymann

2012/2/4 <david [at] lang>

> I was actually meaning for you to do this on the server where you are
> seeing the ??? show up.
>
> but this does show that the sending machine thinks it's doing everything
> correctly (assuming the <HOSTNAME> you put in the message below is actually
> correct)
>
> what I would want to see from the server log is one of the messages with
> the ??? in it that you are trying to fix.
>
>
> David Lang
>
> On Fri, 3 Feb 2012, Michael Maymann wrote:
>
> Hi,
>>
>> David: thanks for your reply...:-) !
>>
>> This is not a known client causing the "???" entries - I don't know the
>> ip(s)/hostname(s), and this is why I would like to log IP instead of
>> hostname - as my guess is it is a network device without DNS entry...:-( !
>>
>> Can I troubleshoot on the server somehow similar... or was that the
>> intention all along...:-o !
>>
>> Here is the client-debug output anyways...:
>> # cat messages-debug
>> Debug line with all properties:
>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
>> PRI: 6,
>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>> '-', MSGID: '-',
>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>
>> Debug line with all properties:
>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
>> PRI: 46,
>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
>> PROCID: '-', MSGID: '-',
>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>> x-info="http://www.rsyslog.com"] (re)start'
>> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>> x-info="http://www.rsyslog.com"] (re)start'
>> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>> x-info="http://www.rsyslog.com"] (re)start'
>>
>> Debug line with all properties:
>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
>> PRI: 13,
>> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-',
>> MSGID: '-',
>> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
>> msg: ' hej'
>> escaped msg: ' hej'
>> rawmsg: '<13>Feb 3 11:14:30 root: hej'
>>
>>
>> Thanks in advance :-) !
>> ~maymann
>>
>>
>> 2012/2/3 <david [at] lang>
>>
>> oops, that should have been RSYSLOG_DebugFormat template.
>>>
>>> David Lang
>>>
>>> On Thu, 2 Feb 2012, david [at] lang wrote:
>>>
>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>>>
>>>> From: david [at] lang
>>>>
>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>> To: rsyslog-users <rsyslog [at] lists>
>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>
>>>> what does one of these messages look like if you write it out with the
>>>> RSYSLOG_DEBUG template?
>>>>
>>>> David Lang
>>>>
>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>
>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>>>>
>>>>> From: Michael Maymann <michael [at] maymann>
>>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>>> To: rsyslog-users <rsyslog [at] lists>
>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>
>>>>> Please... Anyone?
>>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>>>
>>>>>> got it started... but still ??? dir+logfiles are showing up...
>>>>>> This is now my rsyslog.conf:
>>>>>> #SET PRIVILEGES
>>>>>> $PreserveFQDN on
>>>>>> $PrivDropToGroup <GROUP>
>>>>>> $PrivDropToUser <USER>
>>>>>> $DirCreateMode 0750
>>>>>> $FileCreateMode 0640
>>>>>> $UMASK 0027
>>>>>>
>>>>>> #LOAD MODULES
>>>>>> $ModLoad imudp
>>>>>> $UDPServerRun 514
>>>>>> $UDPServerAddress 127.0.0.1
>>>>>> $ModLoad imtcp
>>>>>> $InputTCPServerRun 514
>>>>>>
>>>>>> #SET DESTINATION FOR LOGS
>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>
>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>
>>>>>> #SET LOGGING CONDITIONS
>>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then
>>>>>> ?DYNsecure
>>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then
>>>>>> ?DYNmaillog
>>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then
>>>>>> ?DYNspooler
>>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then
>>>>>> ?DYNboot
>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
>>>>>> 'WARNING'
>>>>>> and $fromhost != '???' then ?DYNtraps
>>>>>>
>>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then
>>>>>> ?DYNIPsecure
>>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then
>>>>>> ?DYNIPmaillog
>>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then
>>>>>> ?DYNIPcron
>>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then
>>>>>> ?DYNIPspooler
>>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then
>>>>>> ?DYNIPboot
>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
>>>>>> 'WARNING'
>>>>>> and $fromhost == '???' then ?DYNIPtraps
>>>>>>
>>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all
>>>>>> creates
>>>>>> ??? dir+files...
>>>>>> What variable should I use to handle this properly ?
>>>>>>
>>>>>>
>>>>>> Thanks in advance :-) !
>>>>>> ~maymann
>>>>>>
>>>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>>
>>>>>>> David: thanks for your reply...
>>>>>>> Here is my new rsyslog.conf:
>>>>>>> #SET PRIVILEGES
>>>>>>> $PreserveFQDN on
>>>>>>> $PrivDropToGroup <GROUP>
>>>>>>> $PrivDropToUser <USER>
>>>>>>> $DirCreateMode 0750
>>>>>>> $FileCreateMode 0640
>>>>>>> $UMASK 0027
>>>>>>>
>>>>>>> #LOAD MODULES
>>>>>>> $ModLoad imudp
>>>>>>> $UDPServerRun 514
>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>> $ModLoad imtcp
>>>>>>> $InputTCPServerRun 514
>>>>>>>
>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>
>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>
>>>>>>> #SET LOGGING CONDITIONS
>>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then
>>>>>>> ?DYNsecure
>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then
>>>>>>> ?DYNmaillog
>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then
>>>>>>> ?DYNcron
>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then
>>>>>>> ?DYNspooler
>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then
>>>>>>> ?DYNboot
>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
>>>>>>> 'WARNING'
>>>>>>> and %FROMHOST% != '???' then ?DYNtraps
>>>>>>>
>>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then
>>>>>>> ?DYNIPsecure
>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then
>>>>>>> ?DYNIPmaillog
>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then
>>>>>>> ?DYNIPcron
>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then
>>>>>>> ?DYNIPspooler
>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then
>>>>>>> ?DYNIPboot
>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
>>>>>>> 'WARNING'
>>>>>>> and %FROMHOST% == '???' then ?DYNIPtraps
>>>>>>>
>>>>>>> but it fails...:
>>>>>>> # service rsyslog start
>>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
>>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that
>>>>>>> number
>>>>>>> means)
>>>>>>> [ OK ]
>>>>>>>
>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or
>>>>>>> how
>>>>>>> is this done...
>>>>>>>
>>>>>>>
>>>>>>> Thanks in advance :-) !
>>>>>>> ~maymann
>>>>>>>
>>>>>>>
>>>>>>> 2012/2/1 <david [at] lang>
>>>>>>>
>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>>
>>>>>>>>> I want to log information about hosts that are not logging with
>>>>>>>>> correct
>>>>>>>>> HOSTNAME.
>>>>>>>>> In my current setup, I get a dir "???" where these host(s) are
>>>>>>>>> logging
>>>>>>>>> to...
>>>>>>>>>
>>>>>>>>> I would like to change this to the hosts IP instead, something
>>>>>>>>> like:
>>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to
>>>>>>>> a
>>>>>>>> property.
>>>>>>>>
>>>>>>>> what you can do is to setup a different template and then if
>>>>>>>> %fromhost%
>>>>>>>> is your special pattern you can log with this different template.
>>>>>>>>
>>>>>>>> David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
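The routing rule the post above ends up with (use fromhost unless it is '???', otherwise fall back to HOSTNAME), shown as an added Python example that is not part of the thread or of rsyslog. It reads records in the RSYSLOG_DebugFormat layout quoted in the post and adds one check the thread does not discuss: HOSTNAME is read from the message header (it matches the host field of rawmsg in the debug output), so it is validated before being used as a directory name. The sample records, the address 192.0.2.10 standing in for the redacted <IP>, and the `_unverified` directory name are constructed for illustration.

```python
import ipaddress
import re

MARKER = "Debug line with all properties:"
UNRESOLVED = "???"               # value reported for fromhost in the thread
QUARANTINE_DIR = "_unverified"   # hypothetical directory name, not from the thread
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed records in the layout shown in the post. 192.0.2.10 replaces the
# redacted <IP>; the second and third records are invented test input.
SAMPLE = """\
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.0.2.10', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
inputname: imudp rawmsg: '<14> Feb 4 07:29:40 192.0.2.10 00828 lldp: PVID mismatch'

Debug line with all properties:
FROMHOST: 'web01.example.net', fromhost-ip: '198.51.100.7', HOSTNAME: 'web01.example.net', PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
msg: ' hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '../../etc', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
msg: ' test'
"""


def parse_records(text):
    """Extract FROMHOST, fromhost-ip and HOSTNAME from each debug record."""
    records = []
    for chunk in text.split(MARKER)[1:]:
        props = {}
        for name in ("FROMHOST", "fromhost-ip", "HOSTNAME"):
            # The header precedes msg/rawmsg, so the first match is the real
            # property even if the message body repeats the same label.
            m = re.search(r"(?<![\w-])" + re.escape(name) + r": '([^']*)'", chunk)
            props[name] = m.group(1) if m else None
        records.append(props)
    return records


def safe_component(value):
    """True if value is an IP literal or a DNS-style name usable as one directory name."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    # Every dot-separated label must be non-empty and alphanumeric/hyphen only,
    # which rejects "..", "/" and empty labels.
    return all(LABEL.fullmatch(label) for label in value.split("."))


def route(props):
    """Pick the per-host directory the way the final config in the post does."""
    if props["FROMHOST"] and props["FROMHOST"] != UNRESOLVED:
        source, value = "fromhost", props["FROMHOST"]
    else:
        source, value = "hostname", props["HOSTNAME"]
    if not safe_component(value):
        value = QUARANTINE_DIR
    # fromhost is derived by the receiver; HOSTNAME is whatever the sender wrote.
    return {"dir": value, "source": source, "receiver_derived": source == "fromhost"}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec, "->", route(rec))
```
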


david at lang

Feb 4, 2012, 12:27 AM

Post #19 of 25 (334 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

If Rainer creates the instrumented version it would still be good to see
what's going on. I would say that for fromhost-ip to be '???' is always a
bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
IP address, I would also consider that a bug.

It would be good to track down what's actually happening here.

David Lang

On Sat, 4 Feb 2012, Michael Maymann wrote:

> Hi,
>
> SOLVED...
>
> got it working...:-) !
>
> I enabled debugging (David: thanks for the hint) and this was one of the
> entries:
> ---
> Debug line with all properties:
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-',
> MSGID: '-',
> TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID
> unknown)(769216)'
> escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port
> 2(VID unknown)(769216)'
> inputname: imudp rawmsg: '<14> Feb 4 07:29:40 <IP> 00828 lldp: PVID
> mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> ---
> The <IP> from the last line was of course the same as in the logfiles...
> I confuse this to be a client of a rsyslog-client twice... :-o !
>
> I could hereafter easily edit my /etc/rsyslog.conf respectively:
> ---
> #SET PRIVILEGES
> $PreserveFQDN on
> $PrivDropToGroup <GROUP>
> $PrivDropToUser <USER>
> $DirCreateMode 0750
> $FileCreateMode 0640
> $UMASK 0027
>
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
>
> #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
>
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>
> $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
>
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>
> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> ---
>
> David+Rainer: thanks for your help... much appreciated...:-) !
>
> Br.
> ~maymann
>
> 2012/2/4 <david [at] lang>
>
>> I was actually meaning for you to do this on the server where you are
>> seeing the ??? show up.
>>
>> but this does show that the sending machine thinks it's doing everything
>> correctly (assuming the <HOSTNAME> you put in the message below is actually
>> correct)
>>
>> what I would want to see from the server log is one of the messages with
>> the ??? in it that you are trying to fix.
>>
>>
>> David Lang
>>
>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>
>> Hi,
>>>
>>> David: thanks for your reply...:-) !
>>>
>>> This is not a known client causing the "???" entries - I don't know the
>>> ip(s)/hostname(s), and this is why I would like to log IP instead of
>>> hostname - as my guess is it is a network device without DNS entry...:-( !
>>>
>>> Can I troubleshoot on the server somehow similar... or was that the
>>> intention all along...:-o !
>>>
>>> Here is the client-debug output anyways...:
>>> # cat messages-debug
>>> Debug line with all properties:
>>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
>>> PRI: 6,
>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>> '-', MSGID: '-',
>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>
>>> Debug line with all properties:
>>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
>>> PRI: 46,
>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
>>> PROCID: '-', MSGID: '-',
>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>>> x-info="http://www.rsyslog.com"] (re)start'
>>> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>>> x-info="http://www.rsyslog.com"] (re)start'
>>> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432"
>>> x-info="http://www.rsyslog.com"] (re)start'
>>>
>>> Debug line with all properties:
>>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>',
>>> PRI: 13,
>>> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-',
>>> MSGID: '-',
>>> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
>>> msg: ' hej'
>>> escaped msg: ' hej'
>>> rawmsg: '<13>Feb 3 11:14:30 root: hej'
>>>
>>>
>>> Thanks in advance :-) !
>>> ~maymann
>>>
>>>
>>> 2012/2/3 <david [at] lang>
>>>
>>> oops, that should have been RSYSLOG_DebugFormat template.
>>>>
>>>> David Lang
>>>>
>>>> On Thu, 2 Feb 2012, david [at] lang wrote:
>>>>
>>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>>>>
>>>>> From: david [at] lang
>>>>>
>>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>>> To: rsyslog-users <rsyslog [at] lists>
>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>
>>>>> what does one of these messages look like if you write it out with the
>>>>> RSYSLOG_DEBUG template?
>>>>>
>>>>> David Lang
>>>>>
>>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>>
>>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>>>>>
>>>>>> From: Michael Maymann <michael [at] maymann>
>>>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>>>> To: rsyslog-users <rsyslog [at] lists>
>>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>>
>>>>>> Please... Anyone?
>>>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>>
>>>>>>> got it started... but still ??? dir+logfiles are showing up...
>>>>>>> This is now my rsyslog.conf:
>>>>>>> #SET PRIVILEGES
>>>>>>> $PreserveFQDN on
>>>>>>> $PrivDropToGroup <GROUP>
>>>>>>> $PrivDropToUser <USER>
>>>>>>> $DirCreateMode 0750
>>>>>>> $FileCreateMode 0640
>>>>>>> $UMASK 0027
>>>>>>>
>>>>>>> #LOAD MODULES
>>>>>>> $ModLoad imudp
>>>>>>> $UDPServerRun 514
>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>> $ModLoad imtcp
>>>>>>> $InputTCPServerRun 514
>>>>>>>
>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>
>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>
>>>>>>> #SET LOGGING CONDITIONS
>>>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then
>>>>>>> ?DYNsecure
>>>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then
>>>>>>> ?DYNmaillog
>>>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then
>>>>>>> ?DYNspooler
>>>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then
>>>>>>> ?DYNboot
>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
>>>>>>> 'WARNING'
>>>>>>> and $fromhost != '???' then ?DYNtraps
>>>>>>>
>>>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then
>>>>>>> ?DYNIPsecure
>>>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then
>>>>>>> ?DYNIPmaillog
>>>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then
>>>>>>> ?DYNIPcron
>>>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then
>>>>>>> ?DYNIPspooler
>>>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then
>>>>>>> ?DYNIPboot
>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
>>>>>>> 'WARNING'
>>>>>>> and $fromhost == '???' then ?DYNIPtraps
>>>>>>>
>>>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all
>>>>>>> create ??? dir+files...
>>>>>>> What variable should I use to handle this properly ?
>>>>>>>
>>>>>>>
>>>>>>> Thanks in advance :-) !
>>>>>>> ~maymann
>>>>>>>
>>>>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>>
>>>>>>>> David: thanks for your reply...
>>>>>>>> Here is my new rsyslog.conf:
>>>>>>>> #SET PRIVILEGES
>>>>>>>> $PreserveFQDN on
>>>>>>>> $PrivDropToGroup <GROUP>
>>>>>>>> $PrivDropToUser <USER>
>>>>>>>> $DirCreateMode 0750
>>>>>>>> $FileCreateMode 0640
>>>>>>>> $UMASK 0027
>>>>>>>>
>>>>>>>> #LOAD MODULES
>>>>>>>> $ModLoad imudp
>>>>>>>> $UDPServerRun 514
>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>> $ModLoad imtcp
>>>>>>>> $InputTCPServerRun 514
>>>>>>>>
>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>
>>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>
>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>>>>>>>
>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>>>>>>>
>>>>>>>> but it fails...:
>>>>>>>> # service rsyslog start
>>>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
>>>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that
>>>>>>>> number
>>>>>>>> means)
>>>>>>>> [ OK ]
>>>>>>>>
>>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or
>>>>>>>> how
>>>>>>>> is this done...
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks in advance :-) !
>>>>>>>> ~maymann
>>>>>>>>
>>>>>>>>
>>>>>>>> 2012/2/1 <david [at] lang>
>>>>>>>>
>>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I want to log information about hosts that are not logging with
>>>>>>>>>> correct
>>>>>>>>>> HOSTNAME.
>>>>>>>>>> In my current setup, I get a dir "???" where these host(s) are
>>>>>>>>>> logging
>>>>>>>>>> to...
>>>>>>>>>>
>>>>>>>>>> I would like to change this to the hosts IP instead, something
>>>>>>>>>> like:
>>>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to
>>>>>>>>> a
>>>>>>>>> property.
>>>>>>>>>
>>>>>>>>> what you can do is to setup a different template and then if
>>>>>>>>> %fromhost%
>>>>>>>>> is your special pattern you can log with this different template.
>>>>>>>>>
>>>>>>>>> David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
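
The RSYSLOG_DebugFormat records quoted in this thread show FROMHOST and fromhost-ip both as '???' while HOSTNAME carries the sender's address, and the final config falls back to %HOSTNAME% for the directory name in that case. As an added example (not written by any poster or by the rsyslog project), this Python script parses such debug records, applies the same fallback, and checks that the message-supplied name is a plain hostname or IP before it is used as a path component; the sample records, addresses and the SAFE_KEY rule are constructed assumptions.

```python
import re
from collections import OrderedDict

MARKER = "Debug line with all properties:"
UNRESOLVED = "???"  # value the thread reports for FROMHOST and fromhost-ip

# Constructed, abbreviated records in the layout of the debug output quoted in
# the thread. All addresses and host names below are made up for this example.
SAMPLE = """\
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.0.2.10', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
msg: ' lldp: PVID mismatch on port C2'
inputname: imudp rawmsg: '<14> Feb  4 07:29:40 192.0.2.10 00828 lldp: PVID mismatch on port C2'

Debug line with all properties:
FROMHOST: 'web01.example.net', fromhost-ip: '192.0.2.20', HOSTNAME: 'web01.example.net', PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
msg: ' hej'
rawmsg: '<13>Feb  3 11:14:30 root: hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.0.2.10', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
msg: ' lldp: PVID mismatch on port C3'
inputname: imudp rawmsg: '<14> Feb  4 07:31:02 192.0.2.10 00828 lldp: PVID mismatch on port C3'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'core/sw7', PRI: 14,
syslogtag 'x', programname: 'x', APP-NAME: 'x', PROCID: '-', MSGID: '-',
msg: ' test'
inputname: imudp rawmsg: '<14> Feb  4 07:32:10 core/sw7 x test'
"""

# The three properties the thread compares, as printed in the debug layout.
FIELD = re.compile(r"\b(FROMHOST|fromhost-ip|HOSTNAME): '([^']*)'")

# Assumption for this example: a directory key must look like a hostname or an
# IP literal (letters, digits, dot, dash, underscore, colon; no path separators).
SAFE_KEY = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._:-]{0,252}[A-Za-z0-9])?")


def parse_records(text):
    """Split debug output into records and pull out the three host properties."""
    records = []
    for chunk in text.split(MARKER)[1:]:
        fields = {}
        for name, value in FIELD.findall(chunk):
            # First occurrence wins; later matches could sit inside message text.
            fields.setdefault(name, value)
        if {"FROMHOST", "fromhost-ip", "HOSTNAME"} <= fields.keys():
            records.append(fields)
    return records


def directory_key(record):
    """Mirror the thread's final rules: FROMHOST unless it is '???', else HOSTNAME."""
    if record["FROMHOST"] != UNRESOLVED:
        return record["FROMHOST"], "fromhost"
    return record["HOSTNAME"], "hostname"


def triage(text):
    """Summarise senders that hit the fallback, keyed by the name they would log under."""
    report = OrderedDict()
    for record in parse_records(text):
        key, source = directory_key(record)
        if source == "fromhost":
            continue  # receiver-side name was available, nothing to review
        entry = report.setdefault(key, {
            "count": 0,
            "fromhost_ip": record["fromhost-ip"],
            # HOSTNAME is taken from the message itself, so check it before it
            # becomes part of a file path.
            "safe_path": SAFE_KEY.fullmatch(key) is not None,
        })
        entry["count"] += 1
    return report


if __name__ == "__main__":
    for key, info in triage(SAMPLE).items():
        verdict = "ok" if info["safe_path"] else "REJECT as directory name"
        print(f"{key!r}: {info['count']} message(s), fromhost-ip={info['fromhost_ip']!r}, {verdict}")
```
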


michael at maymann

Feb 4, 2012, 12:36 AM

Post #20 of 25 (333 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Hi,

sure, let's give it a go...:-) !

~maymann

2012/2/4 <david [at] lang>

> If Rainer creates the instrumented version it would still be good to see
> what's going on. I would say that for fromhost-ip to be '???' is always a
> bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
> IP address, I would also consider that a bug.
>
> It would be good to track down what's actually happening here.
>
> David Lang
>
>
> On Sat, 4 Feb 2012, Michael Maymann wrote:
>
> Hi,
>>
>> SOLVED...
>>
>> got it working...:-) !
>>
>> I enabled debugging (David: thanks for the hint) and this was one of the
>> entries:
>> ---
>> Debug line with all properties:
>> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
>> syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-',
>> MSGID: '-',
>> TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
>> msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID
>> unknown)(769216)'
>> escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port
>> 2(VID unknown)(769216)'
>> inputname: imudp rawmsg: '<14> Feb 4 07:29:40 <IP> 00828 lldp: PVID
>> mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
>> ---
>> The <IP> from the last line was of course the same as in the logfiles...
>> I confuse this to be a client of a rsyslog-client twice... :-o !
>>
>> I could hereafter easily edit my /etc/rsyslog.conf respectively:
>> ---
>> #SET PRIVILEGES
>> $PreserveFQDN on
>> $PrivDropToGroup <GROUP>
>> $PrivDropToUser <USER>
>> $DirCreateMode 0750
>> $FileCreateMode 0640
>> $UMASK 0027
>>
>> #LOAD MODULES
>> $ModLoad imudp
>> $UDPServerRun 514
>> $UDPServerAddress 127.0.0.1
>> $ModLoad imtcp
>> $InputTCPServerRun 514
>>
>> #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
>> #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
>>
>> #SET DESTINATION FOR LOGS
>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>
>> $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
>> $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
>> $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
>> $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
>> $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
>> $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
>> $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
>>
>> #SET LOGGING CONDITIONS
>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>
>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>> ---
>>
>> David+Rainer: thanks for your help... much appreciated...:-) !
>>
>> Br.
>> ~maymann
>>
>> 2012/2/4 <david [at] lang>
>>
>> I was actually meaning for you to do this on the server where you are
>>> seeing the ??? show up.
>>>
>>> but this does show that the sending machine thinks it's doing everything
>>> correctly (assuming the <HOSTNAME> you put in the message below is
>>> actually
>>> correct)
>>>
>>> what I would want to see from the server log is one of the messages with
>>> the ??? in it that you are trying to fix.
>>>
>>>
>>> David Lang
>>>
>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>
>>> Hi,
>>>
>>>>
>>>> David: thanks for your reply...:-) !
>>>>
>>>> This is not a known client causing the "???" entries - I don't know the
>>>> ip(s)/hostname(s), and this is why I would like to log IP instead of
>>>> hostname - as my guess is it is a network device without DNS
>>>> entry...:-( !
>>>>
>>>> Can I troubleshoot on the server somehow similar... or was that the
>>>> intention all along...:-o !
>>>>
>>>> Here is the client-debug output anyways...:
>>>> # cat messages-debug
>>>> Debug line with all properties:
>>>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
>>>> '<HOSTNAME>',
>>>> PRI: 6,
>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>>> '-', MSGID: '-',
>>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>>> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>>
>>>> Debug line with all properties:
>>>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
>>>> '<HOSTNAME>',
>>>> PRI: 46,
>>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
>>>> PROCID: '-', MSGID: '-',
>>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>>> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>>>> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>>>> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>>>>
>>>>
>>>> Debug line with all properties:
>>>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
>>>> '<HOSTNAME>',
>>>> PRI: 13,
>>>> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-',
>>>> MSGID: '-',
>>>> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
>>>> msg: ' hej'
>>>> escaped msg: ' hej'
>>>> rawmsg: '<13>Feb 3 11:14:30 root: hej'
>>>>
>>>>
>>>> Thanks in advance :-) !
>>>> ~maymann
>>>>
>>>>
>>>> 2012/2/3 <david [at] lang>
>>>>
>>>> oops, that should have been RSYSLOG_DebugFormat template.
>>>>
>>>>>
>>>>> David Lang
>>>>>
>>>>> On Thu, 2 Feb 2012, david [at] lang wrote:
>>>>>
>>>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>>>>>
>>>>> From: david [at] lang
>>>>>>
>>>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>>>> To: rsyslog-users <rsyslog [at] lists>
>>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>>
>>>>>> what does one of these messages look like if you write it out with the
>>>>>> RSYSLOG_DEBUG template?
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>>>
>>>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>>>>>>
>>>>>> From: Michael Maymann <michael [at] maymann>
>>>>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>>>>> To: rsyslog-users <rsyslog [at] lists>
>>>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>>>
>>>>>>> Please... Anyone?
>>>>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>
>>>>>>>> got it started... but still ??? dir+logfiles are showing up...
>>>>>>>> This is now my rsyslog.conf:
>>>>>>>> #SET PRIVILEGES
>>>>>>>> $PreserveFQDN on
>>>>>>>> $PrivDropToGroup <GROUP>
>>>>>>>> $PrivDropToUser <USER>
>>>>>>>> $DirCreateMode 0750
>>>>>>>> $FileCreateMode 0640
>>>>>>>> $UMASK 0027
>>>>>>>>
>>>>>>>> #LOAD MODULES
>>>>>>>> $ModLoad imudp
>>>>>>>> $UDPServerRun 514
>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>> $ModLoad imtcp
>>>>>>>> $InputTCPServerRun 514
>>>>>>>>
>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>
>>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>
>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>>>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>>>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>>>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>>>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>>>>>>
>>>>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>>>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>>>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>>>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>>>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>>>>>>>
>>>>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all
>>>>>>>> create ??? dir+files...
>>>>>>>> What variable should I use to handle this properly ?
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks in advance :-) !
>>>>>>>> ~maymann
>>>>>>>>
>>>>>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>>
>>>>>>>>> David: thanks for your reply...
>>>>>>>>> Here is my new rsyslog.conf:
>>>>>>>>> #SET PRIVILEGES
>>>>>>>>> $PreserveFQDN on
>>>>>>>>> $PrivDropToGroup <GROUP>
>>>>>>>>> $PrivDropToUser <USER>
>>>>>>>>> $DirCreateMode 0750
>>>>>>>>> $FileCreateMode 0640
>>>>>>>>> $UMASK 0027
>>>>>>>>>
>>>>>>>>> #LOAD MODULES
>>>>>>>>> $ModLoad imudp
>>>>>>>>> $UDPServerRun 514
>>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>>> $ModLoad imtcp
>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>
>>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>
>>>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>
>>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>>>>>>>>
>>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>>>>>>>>
>>>>>>>>> but it fails...:
>>>>>>>>> # service rsyslog start
>>>>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
>>>>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that
>>>>>>>>> number
>>>>>>>>> means)
>>>>>>>>> [ OK ]
>>>>>>>>>
>>>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct
>>>>>>>>> or
>>>>>>>>> how
>>>>>>>>> is this done...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks in advance :-) !
>>>>>>>>> ~maymann
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2012/2/1 <david [at] lang>
>>>>>>>>>
>>>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I want to log information about hosts that are not logging with
>>>>>>>>>>> correct
>>>>>>>>>>> HOSTNAME.
>>>>>>>>>>> In my current setup, I get a dir "???" where these host(s) are
>>>>>>>>>>> logging
>>>>>>>>>>> to...
>>>>>>>>>>>
>>>>>>>>>>> I would like to change this to the hosts IP instead, something
>>>>>>>>>>> like:
>>>>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value
>>>>>>>>>>> to
>>>>>>>>>>>
>>>>>>>>>> a
>>>>>>>>>> property.
>>>>>>>>>>
>>>>>>>>>> what you can do is to setup a different template and then if
>>>>>>>>>> %fromhost%
>>>>>>>>>> is your special pattern you can log with this different template.
>>>>>>>>>>
>>>>>>>>>> David Lang
>>> <http://**www.rsyslog.com/professional-**services/<http://www.rsyslog.com/professional-services/>
>>> >
>>>
>>> ______________________________**_________________
>> rsyslog mailing list
>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>
>>
>> ______________________________**_________________
> rsyslog mailing list
> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


rgerhards at hq

Feb 6, 2012, 4:54 AM

Post #21 of 25 (312 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Please note that HOSTNAME stems back to the message and as such is a
different property than FROMHOST. It is definitely not the case that when
FROMHOST is ??? then HOSTNAME has the IP -- it's just a coincidence in your
current environment.

rainer

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Saturday, February 04, 2012 9:10 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Hi,
>
> SOLVED...
>
> got it working...:-) !
>
> I enabled debugging (David: thanks for the hint) and this was one of the
> entries:
> ---
> Debug line with all properties:
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> inputname: imudp rawmsg: '<14> Feb 4 07:29:40 <IP> 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> ---
> The <IP> from the last line was of course the same as in the
> logfiles...
> I confuse this to be a client of a rsyslog-client twice... :-o !
>
> I could hereafter easily edit my /etc/rsyslog.conf respectively:
> ---
> #SET PRIVILEGES
> $PreserveFQDN on
> $PrivDropToGroup <GROUP>
> $PrivDropToUser <USER>
> $DirCreateMode 0750
> $FileCreateMode 0640
> $UMASK 0027
>
> #LOAD MODULES
> $ModLoad imudp
> $UDPServerRun 514
> $UDPServerAddress 127.0.0.1
> $ModLoad imtcp
> $InputTCPServerRun 514
>
> #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
>
> #SET DESTINATION FOR LOGS
> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>
> $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
>
> #SET LOGGING CONDITIONS
> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>
> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> ---
>
> David+Rainer: thanks for your help... much appreciated...:-) !
>
> Br.
> ~maymann
>
> 2012/2/4 <david [at] lang>
>
> > I was actually meaning for you to do this on the server where you are
> > seeing the ??? show up.
> >
> > but this does show that the sending machine thinks it's doing everything
> > correctly (assuming the <HOSTNAME> you put in the message below is actually
> > correct)
> >
> > what I would want to see from the server log is one of the messages with
> > the ??? in it that you are trying to fix.
> >
> >
> > David Lang
> >
> > On Fri, 3 Feb 2012, Michael Maymann wrote:
> >
> > Hi,
> >>
> >> David: thanks for your reply...:-) !
> >>
> >> This is not a known client causing the "???" entries - I don't know the
> >> ip(s)/hostname(s), and this is why I would like to log IP instead of
> >> hostname - as my guess is it is a network device without DNS entry...:-( !
> >>
> >> Can I troubleshoot on the server somehow similar... or was that the
> >> intention all along...:-o !
> >>
> >> Here is the client-debug output anyways...:
> >> # cat messages-debug
> >> Debug line with all properties:
> >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
> >> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> >> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >>
> >> Debug line with all properties:
> >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
> >> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> >> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >>
> >> Debug line with all properties:
> >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
> >> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> >> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> >> msg: ' hej'
> >> escaped msg: ' hej'
> >> rawmsg: '<13>Feb 3 11:14:30 root: hej'
> >>
> >>
> >> Thanks in advance :-) !
> >> ~maymann
> >>
> >>
> >> 2012/2/3 <david [at] lang>
> >>
> >> oops, that should have been RSYSLOG_DebugFormat template.
> >>>
> >>> David Lang
> >>>
> >>> On Thu, 2 Feb 2012, david [at] lang wrote:
> >>>
> >>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> >>>
> >>>> From: david [at] lang
> >>>>
> >>>> Reply-To: rsyslog-users <rsyslog [at] lists>
> >>>> To: rsyslog-users <rsyslog [at] lists>
> >>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >>>>
> >>>> what does one of these messages look like if you write it out with the
> >>>> RSYSLOG_DEBUG template?
> >>>>
> >>>> David Lang
> >>>>
> >>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> >>>>
> >>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
> >>>>
> >>>>> From: Michael Maymann <michael [at] maymann>
> >>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
> >>>>> To: rsyslog-users <rsyslog [at] lists>
> >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >>>>>
> >>>>> Please... Anyone?
> >>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann> wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>>>
> >>>>>> got it started... but still ??? dir+logfiles are showing up...
> >>>>>> This is now my rsyslog.conf:
> >>>>>> #SET PRIVILEGES
> >>>>>> $PreserveFQDN on
> >>>>>> $PrivDropToGroup <GROUP>
> >>>>>> $PrivDropToUser <USER>
> >>>>>> $DirCreateMode 0750
> >>>>>> $FileCreateMode 0640
> >>>>>> $UMASK 0027
> >>>>>>
> >>>>>> #LOAD MODULES
> >>>>>> $ModLoad imudp
> >>>>>> $UDPServerRun 514
> >>>>>> $UDPServerAddress 127.0.0.1
> >>>>>> $ModLoad imtcp
> >>>>>> $InputTCPServerRun 514
> >>>>>>
> >>>>>> #SET DESTINATION FOR LOGS
> >>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >>>>>>
> >>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> >>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> >>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> >>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> >>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> >>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> >>>>>>
> >>>>>> #SET LOGGING CONDITIONS
> >>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> >>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> >>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> >>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> >>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> >>>>>>
> >>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> >>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> >>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> >>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> >>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> >>>>>>
> >>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all creates
> >>>>>> ??? dir+files...
> >>>>>> What variable should I use to handle this properly ?
> >>>>>>
> >>>>>>
> >>>>>> Thanks in advance :-) !
> >>>>>> ~maymann
> >>>>>>
> >>>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>>>
> >>>>>>> David: thanks for your reply...
> >>>>>>> Here is my new rsyslog.conf:
> >>>>>>> #SET PRIVILEGES
> >>>>>>> $PreserveFQDN on
> >>>>>>> $PrivDropToGroup <GROUP>
> >>>>>>> $PrivDropToUser <USER>
> >>>>>>> $DirCreateMode 0750
> >>>>>>> $FileCreateMode 0640
> >>>>>>> $UMASK 0027
> >>>>>>>
> >>>>>>> #LOAD MODULES
> >>>>>>> $ModLoad imudp
> >>>>>>> $UDPServerRun 514
> >>>>>>> $UDPServerAddress 127.0.0.1
> >>>>>>> $ModLoad imtcp
> >>>>>>> $InputTCPServerRun 514
> >>>>>>>
> >>>>>>> #SET DESTINATION FOR LOGS
> >>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>
> >>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> >>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> >>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> >>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>
> >>>>>>> #SET LOGGING CONDITIONS
> >>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
> >>>>>>>
> >>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
> >>>>>>>
> >>>>>>> but it fails...:
> >>>>>>> # service rsyslog start
> >>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
> >>>>>>> [ OK ]
> >>>>>>>
> >>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
> >>>>>>> is this done...
> >>>>>>>
> >>>>>>>
> >>>>>>> Thanks in advance :-) !
> >>>>>>> ~maymann
> >>>>>>>
> >>>>>>>
> >>>>>>> 2012/2/1 <david [at] lang>
> >>>>>>>
> >>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> I want to log information about hosts that are not logging with correct
> >>>>>>>>> HOSTNAME.
> >>>>>>>>> In my current setup, I get a dir "???" where these host(s) are logging to...
> >>>>>>>>>
> >>>>>>>>> I would like to change this to the hosts IP instead, something like:
> >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> >>>>>>>>>
> >>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
> >>>>>>>> property.
> >>>>>>>>
> >>>>>>>> what you can do is to setup a different template and then if %fromhost% is
> >>>>>>>> your special pattern you can log with this different template.
> >>>>>>>>
> >>>>>>>> David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
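
Rainer's distinction in post #21, that HOSTNAME is taken from the message text while FROMHOST and fromhost-ip are filled in by the receiver, can be checked against RSYSLOG_DebugFormat output before HOSTNAME is trusted as a directory name. The Python below is an added example, not code from this thread or from rsyslog; the sample records are constructed, and the directory policy (the `unverified-` prefix, the `unknown-source` bucket and the allowlist pattern) is an assumption made for illustration.

```python
import ipaddress
import re

UNKNOWN = "???"  # value rsyslog shows in the thread when the source is not known

# Constructed sample in the RSYSLOG_DebugFormat layout quoted in the thread.
# 192.0.2.x and 198.51.100.x are documentation addresses, not values from the page.
SAMPLE = """\
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.0.2.10', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp: PVID mismatch on port C2'
escaped msg: ' lldp: PVID mismatch on port C2'
inputname: imudp rawmsg: '<14> Feb  4 07:29:40 192.0.2.10 00828 lldp: PVID mismatch on port C2'

Debug line with all properties:
FROMHOST: 'loghost.example', fromhost-ip: '198.51.100.7', HOSTNAME: 'web01', PRI: 13,
syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  4 07:30:01', STRUCTURED-DATA: '-',
msg: ' hej'
escaped msg: ' hej'
inputname: imudp rawmsg: '<13>Feb  4 07:30:01 web01 root: hej'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'lab/sw1', PRI: 14,
syslogtag '00829', programname: '00829', APP-NAME: '00829', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb  4 07:31:12', STRUCTURED-DATA: '-',
msg: ' link up'
escaped msg: ' link up'
inputname: imudp rawmsg: '<14> Feb  4 07:31:12 lab/sw1 00829 link up'
"""

RECORD_SPLIT = "Debug line with all properties:"
FIELD_RE = re.compile(r"(FROMHOST|fromhost-ip|HOSTNAME): '([^']*)'")
RAWMSG_RE = re.compile(r"rawmsg: '(.*)'", re.S)
# Assumed allowlist for a single path component: starts alphanumeric, so
# ".", ".." and anything containing "/" are rejected.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:-]{0,253}")


def parse_records(text):
    """Split debug output into records and pull out the source-related fields."""
    records = []
    for chunk in text.split(RECORD_SPLIT)[1:]:
        fields = {}
        for name, value in FIELD_RE.findall(chunk):
            fields.setdefault(name, value)  # header fields come before msg text
        raw = RAWMSG_RE.search(chunk)
        fields["rawmsg"] = raw.group(1) if raw else ""
        records.append(fields)
    return records


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def directory_key(rec):
    """Pick a per-source directory name without trusting the message blindly."""
    src_ip = rec.get("fromhost-ip", UNKNOWN)
    if src_ip != UNKNOWN and is_ip(src_ip):
        return src_ip  # address recorded by the receiver
    claimed = rec.get("HOSTNAME", "")
    if SAFE_COMPONENT.fullmatch(claimed):
        return "unverified-" + claimed  # sender's claim, kept visibly separate
    return "unknown-source"


def audit(text):
    """Report, per record, where the host identity came from and where it would be filed."""
    report = []
    for rec in parse_records(text):
        claimed = rec.get("HOSTNAME", "")
        report.append({
            "fromhost": rec.get("FROMHOST", UNKNOWN),
            "source_unresolved": rec.get("fromhost-ip", UNKNOWN) == UNKNOWN,
            "hostname": claimed,
            "hostname_from_message": claimed in rec["rawmsg"].split(),
            "hostname_is_ip": is_ip(claimed),
            "directory": directory_key(rec),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Only the first record matches the situation in the thread, where HOSTNAME happens to carry an IP address; the third shows why the message-supplied value needs checking before it becomes part of a file path.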


rgerhards at hq

Feb 6, 2012, 5:03 AM

Post #22 of 25 (312 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of david [at] lang
> Sent: Saturday, February 04, 2012 9:27 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> If Rainer creates the instrumented version it would still be good to see
> what's going on. I would say that for fromhost-ip to be '???' is always a
> bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
> IP address, I would also consider that a bug.

Yup, I agree here. It's most probably a bug, at least if no message
indicating something malicious goes along with the problem. Rsyslog checks if
it can trust the IP and prefers not to write it if there is proof something
malicious goes on - the ??? then indicates we do not know the actual IP and is
probably the best to be done in that case. See [1], especially the comments,
for details. I have audited the code and do not see anything obviously wrong.
I noticed that there is already a lot of good debug instrumentation present,
so I just added one additional output, which makes it somewhat easier to scan
for failures inside the log file. It also provides the ultimate proof of why
the function indicates failure.

@Michael: You can obtain the new version via the git master branch (let me
know if you have problems obtaining it). Please try it out. We need to see at
least one occurrence of ??? in order to track down what is going on.

> It would be good to track down what's actually happening here.
Indeed, especially as this is the prime reason for making separate devel and
stable branches available. ;-)

Rainer
[1] http://git.adiscon.com/?p=rsyslog.git;a=blob;f=runtime/dnscache.c;h=549bcd9328d53c4da484ac0c7dbd01c6aa2db415;hb=HEAD#l147
>
> David Lang
>
> On Sat, 4 Feb 2012, Michael Maymann wrote:
>
> > Hi,
> >
> > SOLVED...
> >
> > got it working...:-) !
> >
> > I enabled debugging (David: thanks for the hint) and this was one of the
> > entries:
> > ---
> > Debug line with all properties:
> > FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> > syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> > TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> > msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > inputname: imudp rawmsg: '<14> Feb 4 07:29:40 <IP> 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > ---
> > The <IP> from the last line was of course the same as in the
> > logfiles...
> > I confuse this to be a client of a rsyslog-client twice... :-o !
> >
> > I could hereafter easily edit my /etc/rsyslog.conf respectively:
> > ---
> > #SET PRIVILEGES
> > $PreserveFQDN on
> > $PrivDropToGroup <GROUP>
> > $PrivDropToUser <USER>
> > $DirCreateMode 0750
> > $FileCreateMode 0640
> > $UMASK 0027
> >
> > #LOAD MODULES
> > $ModLoad imudp
> > $UDPServerRun 514
> > $UDPServerAddress 127.0.0.1
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> >
> > #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> > #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
> >
> > #SET DESTINATION FOR LOGS
> > $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >
> > $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> > $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> > $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> > $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> > $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> > $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> > $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
> >
> > #SET LOGGING CONDITIONS
> > if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> >
> > if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > ---
> >
> > David+Rainer: thanks for your help... much appreciated...:-) !
> >
> > Br.
> > ~maymann
> >
> > 2012/2/4 <david [at] lang>
> >
> >> I was actually meaning for you to do this on the server where you are
> >> seeing the ??? show up.
> >>
> >> but this does show that the sending machine thinks it's doing everything
> >> correctly (assuming the <HOSTNAME> you put in the message below is actually
> >> correct)
> >>
> >> what I would want to see from the server log is one of the messages with
> >> the ??? in it that you are trying to fix.
> >>
> >>
> >> David Lang
> >>
> >> On Fri, 3 Feb 2012, Michael Maymann wrote:
> >>
> >> Hi,
> >>>
> >>> David: thanks for you reply...:-) !
> >>>
> >>> This is not a known client causing the "???" entries - I don't know
> the
> >>> ip(s)/hostname(s), and this is why i would like to log IP instead
> of
> >>> hostname - as my guess is it is a network device without DNS
> entry...:-( !
> >>>
> >>> Can I troubleshoot on the server somehow similar... or was that the
> >>> intention all along...:-o !
> >>>
> >>> Here is the client-debug output anyways...:
> >>> # cat messages-debug
> >>> Debug line with all properties:
> >>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> '<HOSTNAME>',
> >>> PRI: 6,
> >>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel',
> PROCID:
> >>> '-', MSGID: '-',
> >>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> >>> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >>> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >>> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> >>>
> >>> Debug line with all properties:
> >>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> '<HOSTNAME>',
> >>> PRI: 46,
> >>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> 'rsyslogd',
> >>> PROCID: '-', MSGID: '-',
> >>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> >>> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >>> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >>> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> >>>
> >>> Debug line with all properties:
> >>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> '<HOSTNAME>',
> >>> PRI: 13,
> >>> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID:
> '-',
> >>> MSGID: '-',
> >>> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> >>> msg: ' hej'
> >>> escaped msg: ' hej'
> >>> rawmsg: '<13>Feb 3 11:14:30 root: hej'
> >>>
> >>>
> >>> Thanks in advance :-) !
> >>> ~maymann
> >>>
> >>>
> >>> 2012/2/3 <david [at] lang>
> >>>
> >>> oops, that should have been RSYSLOG_DebugFormat template.
> >>>>
> >>>> David Lang
> >>>>
> >>>> On Thu, 2 Feb 2012, david [at] lang wrote:
> >>>>
> >>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> >>>>
> >>>>> From: david [at] lang
> >>>>>
> >>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
> >>>>> To: rsyslog-users <rsyslog [at] lists>
> >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> %IP%
> >>>>>
> >>>>> what does one of these messages look like if you write it out
> with the
> >>>>> RSYSLOG_DEBUG template?
> >>>>>
> >>>>> David Lang
> >>>>>
> >>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> >>>>>
> >>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
> >>>>>
> >>>>>> From: Michael Maymann <michael [at] maymann>
> >>>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
> >>>>>> To: rsyslog-users <rsyslog [at] lists>
> >>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> %IP%
> >>>>>>
> >>>>>> Please... Anyone?
> >>>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann>
> wrote:
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>>>
> >>>>>>> got it started... but still ??? dir+logfiles are showing up...
> >>>>>>> This is now my rsyslog.conf:
> >>>>>>> #SET PRIVILEGES
> >>>>>>> $PreserveFQDN on
> >>>>>>> $PrivDropToGroup <GROUP>
> >>>>>>> $PrivDropToUser <USER>
> >>>>>>> $DirCreateMode 0750
> >>>>>>> $FileCreateMode 0640
> >>>>>>> $UMASK 0027
> >>>>>>>
> >>>>>>> #LOAD MODULES
> >>>>>>> $ModLoad imudp
> >>>>>>> $UDPServerRun 514
> >>>>>>> $UDPServerAddress 127.0.0.1
> >>>>>>> $ModLoad imtcp
> >>>>>>> $InputTCPServerRun 514
> >>>>>>>
> >>>>>>> #SET DESTINATION FOR LOGS
> >>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>
> >>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> >>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> >>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> >>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>
> >>>>>>> #SET LOGGING CONDITIONS
> >>>>>>> if $syslogseverity <= '6' and $fromhost != '???' then
> ?DYNmessages
> >>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???'
> then
> >>>>>>> ?DYNsecure
> >>>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then
> >>>>>>> ?DYNmaillog
> >>>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then
> ?DYNcron
> >>>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then
> >>>>>>> ?DYNspooler
> >>>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then
> >>>>>>> ?DYNboot
> >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> >>>>>>> 'WARNING'
> >>>>>>> and $fromhost != '???' then ?DYNtraps
> >>>>>>>
> >>>>>>> if $syslogseverity <= '6' and $fromhost == '???' then
> ?DYNIPmessages
> >>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???'
> then
> >>>>>>> ?DYNIPsecure
> >>>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then
> >>>>>>> ?DYNIPmaillog
> >>>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then
> >>>>>>> ?DYNIPcron
> >>>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then
> >>>>>>> ?DYNIPspooler
> >>>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then
> >>>>>>> ?DYNIPboot
> >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> >>>>>>> 'WARNING'
> >>>>>>> and $fromhost == '???' then ?DYNIPtraps
> >>>>>>>
> >>>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but
> all
> >>>>>>> creates
> >>>>>>> ??? dir+files...
> >>>>>>> What variable should I use to handle this properly ?
> >>>>>>>
> >>>>>>>
> >>>>>>> Thanks in advance :-) !
> >>>>>>> ~maymann
> >>>>>>>
> >>>>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>>>
> >>>>>>>> David: thanks for your reply...
> >>>>>>>> Here is my new rsyslog.conf:
> >>>>>>>> #SET PRIVILEGES
> >>>>>>>> $PreserveFQDN on
> >>>>>>>> $PrivDropToGroup <GROUP>
> >>>>>>>> $PrivDropToUser <USER>
> >>>>>>>> $DirCreateMode 0750
> >>>>>>>> $FileCreateMode 0640
> >>>>>>>> $UMASK 0027
> >>>>>>>>
> >>>>>>>> #LOAD MODULES
> >>>>>>>> $ModLoad imudp
> >>>>>>>> $UDPServerRun 514
> >>>>>>>> $UDPServerAddress 127.0.0.1
> >>>>>>>> $ModLoad imtcp
> >>>>>>>> $InputTCPServerRun 514
> >>>>>>>>
> >>>>>>>> #SET DESTINATION FOR LOGS
> >>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> >>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> >>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> >>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>>
> >>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> >>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> >>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> >>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> >>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> >>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> >>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> >>>>>>>>
> >>>>>>>> #SET LOGGING CONDITIONS
> >>>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then
> ?DYNmessages
> >>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???'
> then
> >>>>>>>> ?DYNsecure
> >>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then
> >>>>>>>> ?DYNmaillog
> >>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then
> >>>>>>>> ?DYNcron
> >>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then
> >>>>>>>> ?DYNspooler
> >>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???'
> then
> >>>>>>>> ?DYNboot
> >>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text
> ==
> >>>>>>>> 'WARNING'
> >>>>>>>> and %FROMHOST% != '???' then ?DYNtraps
> >>>>>>>>
> >>>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then
> ?DYNIPmessages
> >>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???'
> then
> >>>>>>>> ?DYNIPsecure
> >>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then
> >>>>>>>> ?DYNIPmaillog
> >>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then
> >>>>>>>> ?DYNIPcron
> >>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then
> >>>>>>>> ?DYNIPspooler
> >>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???'
> then
> >>>>>>>> ?DYNIPboot
> >>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text
> ==
> >>>>>>>> 'WARNING'
> >>>>>>>> and %FROMHOST% == '???' then ?DYNIPtraps
> >>>>>>>>
> >>>>>>>> but it fails...:
> >>>>>>>> # service rsyslog start
> >>>>>>>> Starting system logger: rsyslogd: run failed with error -2207
> (see
> >>>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what
> that
> >>>>>>>> number
> >>>>>>>> means)
> >>>>>>>> [ OK
> ]
> >>>>>>>>
> >>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format
> correct or
> >>>>>>>> how
> >>>>>>>> is this done...
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Thanks in advance :-) !
> >>>>>>>> ~maymann
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> 2012/2/1 <david [at] lang>
> >>>>>>>>
> >>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>> I want to log information about hosts that are not logging
> with
> >>>>>>>>>> correct
> >>>>>>>>>> HOSTNAME.
> >>>>>>>>>> In my current setup, I get a dir "???" where these host(s)
> are
> >>>>>>>>>> logging
> >>>>>>>>>> to...
> >>>>>>>>>>
> >>>>>>>>>> I would like to change this to the hosts IP instead,
> something
> >>>>>>>>>> like:
> >>>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> rsyslog cannot do what you are asking. It can't assign a
> value to
> >>>>>>>>> a
> >>>>>>>>> property.
> >>>>>>>>>
> >>>>>>>>> what you can do is to setup a different template and then if
> >>>>>>>>> %fromhost%
> >>>>>>>>> is your special pattern you can log with this different
> template.
> >>>>>>>>>
> >>>>>>>>> David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
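
Added example (not part of any post in this thread, and not rsyslog's own parser): a simplified Python model of why HOSTNAME, which is read from the message text, can hold an IP, '???' or a word such as 'exiting' while FROMHOST stays '???', and of a routing check that only trusts HOSTNAME when it is an address in an expected network. The three raw messages are the rawmsg values from the debug entries in this thread; the parsing rules, the function names and the 192.168.0.0/16 network are assumptions.

```python
import ipaddress
import re

# Simplified model of legacy (RFC 3164 style) header parsing. Assumption:
# it reproduces only the behaviour visible in the thread's debug output.
PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
    r"\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"
)
HOST_TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# rawmsg values copied from the debug entries posted in this thread.
THREAD_RAWMSGS = [
    "<14> Feb 4 07:29:40 10.224.110.250 00828 lldp: PVID mismatch on port "
    "C2(VID 1)with peer device port 2(VID unknown)(769216)",
    "<6>kernel: Kernel logging (proc) stopped.",
    "<46>exiting on signal 15",
]


def parse_legacy(rawmsg, fromhost):
    """Split a raw message into the properties the debug template prints."""
    m = PRI_RE.match(rawmsg)
    pri = int(m.group(1)) if m else 13  # 13 = user.notice when PRI is missing
    rest = (rawmsg[m.end():] if m else rawmsg).lstrip(" ")

    ts = TS_RE.match(rest)
    if ts:
        rest = rest[ts.end():]

    # The first word becomes HOSTNAME if it looks like a host name and another
    # word follows; otherwise HOSTNAME falls back to FROMHOST.
    first, sep, tail = rest.partition(" ")
    if sep and HOST_TOKEN_RE.match(first):
        hostname, rest = first, tail
    else:
        hostname = fromhost

    tag = rest.partition(" ")[0]
    return {
        "pri": pri,
        "has_timestamp": ts is not None,
        "hostname": hostname,
        "syslogtag": tag,
        "msg": rest[len(tag):],
    }


def log_directory(fromhost, hostname, device_net="192.168.0.0/16"):
    """Choose the directory name a dynamic file template would use.

    HOSTNAME is sender-supplied text, so it is used only when it parses as an
    IP address inside device_net (hypothetical value); everything else goes to
    the fixed UNKNOWN directory.
    """
    if fromhost != "???":
        return fromhost
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return "UNKNOWN"
    return str(addr) if addr in ipaddress.ip_network(device_net) else "UNKNOWN"


def route_thread_samples(device_net="192.168.0.0/16"):
    """Return (HOSTNAME, syslogtag, directory) for each sample message."""
    rows = []
    for raw in THREAD_RAWMSGS:
        props = parse_legacy(raw, fromhost="???")
        rows.append((props["hostname"], props["syslogtag"],
                     log_directory("???", props["hostname"], device_net)))
    return rows


if __name__ == "__main__":
    for row in route_thread_samples():
        print(row)
```

Because HOSTNAME is supplied by the sender, the per-IP directory is a naming aid only; a plain string comparison against '192.168.*' would not act as a wildcard, which is why the check parses the value as an address.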


michael at maymann

Feb 6, 2012, 5:14 AM

Post #23 of 25 (321 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Hi Rainer,

ok.

I have 3 different entries in my debug log:
---
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID
unknown)(769216)'
escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port
2(VID unknown)(769216)'
inputname: imudp rawmsg: '<14> Feb 4 07:29:40 10.224.110.250 00828 lldp:
PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Feb 6 14:11:49', STRUCTURED-DATA: '-',
msg: ' Kernel logging (proc) stopped.'
escaped msg: ' Kernel logging (proc) stopped.'
inputname: imudp rawmsg: '<6>kernel: Kernel logging (proc) stopped.'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'exiting', PRI: 46,
syslogtag 'on', programname: 'on', APP-NAME: 'on', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Feb 6 14:11:50', STRUCTURED-DATA: '-',
msg: ' signal 15'
escaped msg: ' signal 15'
inputname: imudp rawmsg: '<46>exiting on signal 15'
---

I have now set up a rule:
$template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"
if $fromhost == '???' and $fromhost-ip == '???' then ?DYNUNKNOWNmessages


I would like to still log the hosts where I know the IP...
Is it possible to say something like the following?:
---
$template DYNIPmessages,"PATH_TO/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
$template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"

if $fromhost == '???' and $fromhost-ip == '???' and $hostname == '192.168.*' then ?DYNIPmessages
if $fromhost == '???' and $fromhost-ip == '???' and $hostname != '192.168.*' then ?DYNUNKNOWNmessages
---

Thanks in advance :-) !
~maymann


2012/2/6 Rainer Gerhards <rgerhards [at] hq>

> Please note that HOSTNAME stems back to the message and as such is a
> different property than FROMHOST. It is definitely not the case that when
> FROMHOST is ??? than HOSTNAME has the IP -- it's just a coincidence in your
> current environment.
>
> rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > bounces [at] lists] On Behalf Of Michael Maymann
> > Sent: Saturday, February 04, 2012 9:10 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
> >
> > Hi,
> >
> > SOLVED...
> >
> > got it working...:-) !
> >
> > I enabled debugging (David: thanks for the hint) and this was one of
> > the
> > entries:
> > ---
> > Debug line with all properties:
> > FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> > syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-
> > ',
> > MSGID: '-',
> > TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> > msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port
> > 2(VID
> > unknown)(769216)'
> > escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device
> > port
> > 2(VID unknown)(769216)'
> > inputname: imudp rawmsg: '<14> Feb 4 07:29:40 <IP> 00828 lldp: PVID
> > mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > ---
> > The <IP> from the last line was of course the same as in the
> > logfiles...
> > I confuse this to be a client of a rsyslog-client twice... :-o !
> >
> > I could hereafter easily edit my /etc/rsyslog.conf respectively:
> > ---
> > #SET PRIVILEGES
> > $PreserveFQDN on
> > $PrivDropToGroup <GROUP>
> > $PrivDropToUser <USER>
> > $DirCreateMode 0750
> > $FileCreateMode 0640
> > $UMASK 0027
> >
> > #LOAD MODULES
> > $ModLoad imudp
> > $UDPServerRun 514
> > $UDPServerAddress 127.0.0.1
> > $ModLoad imtcp
> > $InputTCPServerRun 514
> >
> > #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to
> > enable...)
> > #*.info;mail.none;authpriv.none;cron.none
> > /var/log/messages-debug;RSYSLOG_DebugFormat
> >
> > #SET DESTINATION FOR LOGS
> > $template
> > DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > $template
> > DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > $template
> > DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > $template
> > DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > $template
> > DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > $template
> > DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > $template
> > DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> >
> > $template
> > DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_message
> > s"
> > $template
> > DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> > $template
> > DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> > $template
> > DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> > $template
> > DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> > $template
> > DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> > $template
> > DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
> >
> > #SET LOGGING CONDITIONS
> > if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost != '???' then
> > ?DYNsecure
> > if $syslogfacility-text == 'mail' and $fromhost != '???' then
> > ?DYNmaillog
> > if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > if $syslogseverity-text == 'crit' and $fromhost != '???' then
> > ?DYNspooler
> > if $syslogfacility-text == 'local7' and $fromhost != '???' then
> > ?DYNboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > 'WARNING'
> > and $fromhost != '???' then ?DYNtraps
> >
> > if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > if $syslogfacility-text == 'authpriv' and $fromhost == '???' then
> > ?DYNIPsecure
> > if $syslogfacility-text == 'mail' and $fromhost == '???' then
> > ?DYNIPmaillog
> > if $syslogfacility-text == 'cron' and $fromhost == '???' then
> > ?DYNIPcron
> > if $syslogseverity-text == 'crit' and $fromhost == '???' then
> > ?DYNIPspooler
> > if $syslogfacility-text == 'local7' and $fromhost == '???' then
> > ?DYNIPboot
> > if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > 'WARNING'
> > and $fromhost == '???' then ?DYNIPtraps
> > ---
> >
> > David+Rainer: thanks for your help... much appreciated...:-) !
> >
> > Br.
> > ~maymann
> >
> > 2012/2/4 <david [at] lang>
> >
> > > I was actually meaning for you to do this on the server where you are
> > > seeing the ??? show up.
> > >
> > > but this does show that the sending machine thinks it's doing everything
> > > correctly (assuming the <HOSTNAME> you put in the message below is
> > > actually correct)
> > >
> > > what I would want to see from the server log is one of the messages
> > with
> > > the ??? in it that you are trying to fix.
> > >
> > >
> > > David Lang
> > >
> > > On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >
> > > Hi,
> > >>
> > >> David: thanks for your reply...:-) !
> > >>
> > >> This is not a known client causing the "???" entries - I don't know
> > the
> > >> ip(s)/hostname(s), and this is why i would like to log IP instead of
> > >> hostname - as my guess is it is a network device without DNS
> > entry...:-( !
> > >>
> > >> Can I troubleshoot on the server somehow similar... or was that the
> > >> intention all along...:-o !
> > >>
> > >> Here is the client-debug output anyways...:
> > >> # cat messages-debug
> > >> Debug line with all properties:
> > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> > '<HOSTNAME>',
> > >> PRI: 6,
> > >> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel',
> > PROCID:
> > >> '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > >>
> > >> Debug line with all properties:
> > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> > '<HOSTNAME>',
> > >> PRI: 46,
> > >> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME:
> > 'rsyslogd',
> > >> PROCID: '-', MSGID: '-',
> > >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > >> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > >>
> > >> Debug line with all properties:
> > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME:
> > '<HOSTNAME>',
> > >> PRI: 13,
> > >> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-
> > ',
> > >> MSGID: '-',
> > >> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> > >> msg: ' hej'
> > >> escaped msg: ' hej'
> > >> rawmsg: '<13>Feb 3 11:14:30 root: hej'
> > >>
> > >>
> > >> Thanks in advance :-) !
> > >> ~maymann
> > >>
> > >>
> > >> 2012/2/3 <david [at] lang>
> > >>
> > >> oops, that should have been RSYSLOG_DebugFormat template.
> > >>>
> > >>> David Lang
> > >>>
> > >>> On Thu, 2 Feb 2012, david [at] lang wrote:
> > >>>
> > >>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > >>>
> > >>>> From: david [at] lang
> > >>>>
> > >>>> Reply-To: rsyslog-users <rsyslog [at] lists>
> > >>>> To: rsyslog-users <rsyslog [at] lists>
> > >>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> > %IP%
> > >>>>
> > >>>> what does one of these messages look like if you write it out with
> > the
> > >>>> RSYSLOG_DEBUG template?
> > >>>>
> > >>>> David Lang
> > >>>>
> > >>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > >>>>
> > >>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
> > >>>>
> > >>>>> From: Michael Maymann <michael [at] maymann>
> > >>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
> > >>>>> To: rsyslog-users <rsyslog [at] lists>
> > >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> > %IP%
> > >>>>>
> > >>>>> Please... Anyone?
> > >>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann>
> > wrote:
> > >>>>>
> > >>>>> Hi,
> > >>>>>
> > >>>>>>
> > >>>>>> got it started... but still ??? dir+logfiles are showing up...
> > >>>>>> This is now my rsyslog.conf:
> > >>>>>> #SET PRIVILEGES
> > >>>>>> $PreserveFQDN on
> > >>>>>> $PrivDropToGroup <GROUP>
> > >>>>>> $PrivDropToUser <USER>
> > >>>>>> $DirCreateMode 0750
> > >>>>>> $FileCreateMode 0640
> > >>>>>> $UMASK 0027
> > >>>>>>
> > >>>>>> #LOAD MODULES
> > >>>>>> $ModLoad imudp
> > >>>>>> $UDPServerRun 514
> > >>>>>> $UDPServerAddress 127.0.0.1
> > >>>>>> $ModLoad imtcp
> > >>>>>> $InputTCPServerRun 514
> > >>>>>>
> > >>>>>> #SET DESTINATION FOR LOGS
> > >>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>
> > >>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>
> > >>>>>> #SET LOGGING CONDITIONS
> > >>>>>> if $syslogseverity <= '6' and $fromhost != '???' then
> > ?DYNmessages
> > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???'
> > then
> > >>>>>> ?DYNsecure
> > >>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then
> > >>>>>> ?DYNmaillog
> > >>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then
> > ?DYNcron
> > >>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then
> > >>>>>> ?DYNspooler
> > >>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then
> > >>>>>> ?DYNboot
> > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > >>>>>> 'WARNING'
> > >>>>>> and $fromhost != '???' then ?DYNtraps
> > >>>>>>
> > >>>>>> if $syslogseverity <= '6' and $fromhost == '???' then
> > ?DYNIPmessages
> > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???'
> > then
> > >>>>>> ?DYNIPsecure
> > >>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then
> > >>>>>> ?DYNIPmaillog
> > >>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then
> > >>>>>> ?DYNIPcron
> > >>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then
> > >>>>>> ?DYNIPspooler
> > >>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then
> > >>>>>> ?DYNIPboot
> > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > >>>>>> 'WARNING'
> > >>>>>> and $fromhost == '???' then ?DYNIPtraps
> > >>>>>>
> > >>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but
> > all
> > >>>>>> creates
> > >>>>>> ??? dir+files...
> > >>>>>> What variable should I use to handle this properly ?
> > >>>>>>
> > >>>>>>
> > >>>>>> Thanks in advance :-) !
> > >>>>>> ~maymann
> > >>>>>>
> > >>>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> > >>>>>>
> > >>>>>> Hi,
> > >>>>>>
> > >>>>>>>
> > >>>>>>> David: thanks for your reply...
> > >>>>>>> Here is my new rsyslog.conf:
> > >>>>>>> #SET PRIVILEGES
> > >>>>>>> $PreserveFQDN on
> > >>>>>>> $PrivDropToGroup <GROUP>
> > >>>>>>> $PrivDropToUser <USER>
> > >>>>>>> $DirCreateMode 0750
> > >>>>>>> $FileCreateMode 0640
> > >>>>>>> $UMASK 0027
> > >>>>>>>
> > >>>>>>> #LOAD MODULES
> > >>>>>>> $ModLoad imudp
> > >>>>>>> $UDPServerRun 514
> > >>>>>>> $UDPServerAddress 127.0.0.1
> > >>>>>>> $ModLoad imtcp
> > >>>>>>> $InputTCPServerRun 514
> > >>>>>>>
> > >>>>>>> #SET DESTINATION FOR LOGS
> > >>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > >>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > >>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > >>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>>
> > >>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > >>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > >>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > >>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > >>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > >>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > >>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > >>>>>>>
> > >>>>>>> #SET LOGGING CONDITIONS
> > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then
> > ?DYNmessages
> > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???'
> > then
> > >>>>>>> ?DYNsecure
> > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then
> > >>>>>>> ?DYNmaillog
> > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then
> > >>>>>>> ?DYNcron
> > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then
> > >>>>>>> ?DYNspooler
> > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???'
> > then
> > >>>>>>> ?DYNboot
> > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > >>>>>>> 'WARNING'
> > >>>>>>> and %FROMHOST% != '???' then ?DYNtraps
> > >>>>>>>
> > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then
> > ?DYNIPmessages
> > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???'
> > then
> > >>>>>>> ?DYNIPsecure
> > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then
> > >>>>>>> ?DYNIPmaillog
> > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then
> > >>>>>>> ?DYNIPcron
> > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then
> > >>>>>>> ?DYNIPspooler
> > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???'
> > then
> > >>>>>>> ?DYNIPboot
> > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text ==
> > >>>>>>> 'WARNING'
> > >>>>>>> and %FROMHOST% == '???' then ?DYNIPtraps
> > >>>>>>>
> > >>>>>>> but it fails...:
> > >>>>>>> # service rsyslog start
> > >>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
> > >>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
> > >>>>>>> means)
> > >>>>>>> [ OK ]
> > >>>>>>>
> > >>>>>>> my guess is it is my %FROMHOST% == '???' - is this format
> > correct or
> > >>>>>>> how
> > >>>>>>> is this done...
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> Thanks in advance :-) !
> > >>>>>>> ~maymann
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> 2012/2/1 <david [at] lang>
> > >>>>>>>
> > >>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>> Hi,
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>> I want to log information about hosts that are not logging
> > with
> > >>>>>>>>> correct
> > >>>>>>>>> HOSTNAME.
> > >>>>>>>>> In my current setup, I get a dir "???" where these host(s)
> > are
> > >>>>>>>>> logging
> > >>>>>>>>> to...
> > >>>>>>>>>
> > >>>>>>>>> I would like to change this to the hosts IP instead,
> > something
> > >>>>>>>>> like:
> > >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>> rsyslog cannot do what you are asking. It can't assign a
> > value to
> > >>>>>>>> a
> > >>>>>>>> property.
> > >>>>>>>>
> > >>>>>>>> what you can do is to setup a different template and then if
> > >>>>>>>> %fromhost%
> > >>>>>>>> is your special pattern you can log with this different
> > template.
> > >>>>>>>>
> > >>>>>>>> David Lang
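The routing asked about in this thread, as an added example that is not part of any post and is not rsyslog code: a small Python model that reads entries in the quoted RSYSLOG_DebugFormat layout and picks the template the way the proposed rules intend, using the message-supplied HOSTNAME as a directory name only when it is an IP address inside 192.168.0.0/16. The sample entries, the function names and the use of fromhost-ip as a middle fallback are assumptions made for the example.

```python
import ipaddress
import re

# Constructed entries in the RSYSLOG_DebugFormat layout quoted in the post
# (sample addresses and host names are made up for this example).
SAMPLE_DEBUG_LOG = """\
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.168.10.250', PRI: 14,
syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 6,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
msg: ' Kernel logging (proc) stopped.'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'exiting', PRI: 46,
syslogtag 'on', programname: 'on', APP-NAME: 'on', PROCID: '-', MSGID: '-',
msg: ' signal 15'

FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '10.0.0.5', PRI: 14,
syslogtag 'agent:', programname: 'agent', APP-NAME: 'agent', PROCID: '-', MSGID: '-',
msg: ' link up'

FROMHOST: 'sw1.example.net', fromhost-ip: '192.0.2.7', HOSTNAME: 'sw1', PRI: 14,
syslogtag 'agent:', programname: 'agent', APP-NAME: 'agent', PROCID: '-', MSGID: '-',
msg: ' link up'
"""

UNRESOLVED = "???"
# Mirrors the '192.168.*' idea from the proposed rule.
TRUSTED_NET = ipaddress.ip_network("192.168.0.0/16")

# Only the three properties the routing decision needs.
PROP_RE = re.compile(r"\b(FROMHOST|fromhost-ip|HOSTNAME): '([^']*)'")


def parse_entries(text):
    """Split debug output on blank lines and extract the routing properties."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        props = dict(PROP_RE.findall(chunk))
        if props:
            entries.append(props)
    return entries


def select_template(props, trusted_net=TRUSTED_NET):
    """Return (template name, directory name) for one message.

    FROMHOST and fromhost-ip are filled in by the receiver; HOSTNAME is
    taken from the message text, so it is used as a directory name only
    when it parses as an IP address inside trusted_net.
    """
    fromhost = props.get("FROMHOST", UNRESOLVED)
    if fromhost != UNRESOLVED:
        return ("DYNmessages", fromhost)

    # Assumption for this example: prefer the receiver-side address if known.
    fromhost_ip = props.get("fromhost-ip", UNRESOLVED)
    if fromhost_ip != UNRESOLVED:
        return ("DYNIPmessages", fromhost_ip)

    try:
        claimed = ipaddress.ip_address(props.get("HOSTNAME", ""))
    except ValueError:
        # 'exiting', '???' and any other non-address text end up here.
        return ("DYNUNKNOWNmessages", "UNKNOWN")
    if claimed in trusted_net:
        return ("DYNIPmessages", str(claimed))
    return ("DYNUNKNOWNmessages", "UNKNOWN")


def route(text):
    """Routing decision for every entry in a block of debug output."""
    return [select_template(props) for props in parse_entries(text)]


if __name__ == "__main__":
    for template, directory in route(SAMPLE_DEBUG_LOG):
        print(template, directory)
```
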


rgerhards at hq

Feb 6, 2012, 5:17 AM

Post #24 of 25 (336 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

Let's see where the problem stems back to, *then* we can look for a solution.

rainer

> -----Original Message-----
> From: rsyslog-bounces [at] lists [mailto:rsyslog-
> bounces [at] lists] On Behalf Of Michael Maymann
> Sent: Monday, February 06, 2012 2:14 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>
> Hi Rainer,
>
> ok.
>
> I have 3 different entries in my debug log:
> ---
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> inputname: imudp rawmsg: '<14> Feb 4 07:29:40 10.224.110.250 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
>
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '???', PRI: 6,
> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 6 14:11:49', STRUCTURED-DATA: '-',
> msg: ' Kernel logging (proc) stopped.'
> escaped msg: ' Kernel logging (proc) stopped.'
> inputname: imudp rawmsg: '<6>kernel: Kernel logging (proc) stopped.'
>
> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'exiting', PRI: 46,
> syslogtag 'on', programname: 'on', APP-NAME: 'on', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Feb 6 14:11:50', STRUCTURED-DATA: '-',
> msg: ' signal 15'
> escaped msg: ' signal 15'
> inputname: imudp rawmsg: '<46>exiting on signal 15'
> ---
>
> I have now set up a rule:
> $template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"
> if $fromhost == '???' and $fromhost-ip == '???' then ?DYNUNKNOWNmessages
>
>
> I would like to still log the hosts where I know the IP...
> Is it possible to say something like the following ?:
> ---
> $template DYNIPmessages,"PATH_TO/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> $template DYNUNKNOWNmessages,"PATH_TO/UNKNOWN/UNKNOWN_%$YEAR%.%$MONTH%_messages"
>
> if $fromhost == '???' and $fromhost-ip == '???' and $hostname == '192.168.*' then ?DYNIPmessages
> if $fromhost == '???' and $fromhost-ip == '???' and $hostname != '192.168.*' then ?DYNUNKNOWNmessages
> ---
>
> Thanks in advance :-) !
> ~maymann
>
>
> 2012/2/6 Rainer Gerhards <rgerhards [at] hq>
>
> > Please note that HOSTNAME stems back to the message and as such is a
> > different property than FROMHOST. It is definitely not the case that when
> > FROMHOST is ??? then HOSTNAME has the IP -- it's just a coincidence in your
> > current environment.
> >
> > rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces [at] lists [mailto:rsyslog-
> > > bounces [at] lists] On Behalf Of Michael Maymann
> > > Sent: Saturday, February 04, 2012 9:10 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% ==
> %IP%
> > >
> > > Hi,
> > >
> > > SOLVED...
> > >
> > > got it working...:-) !
> > >
> > > I enabled debugging (David: thanks for the hint) and this was one of the
> > > entries:
> > > ---
> > > Debug line with all properties:
> > > FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
> > > syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
> > > TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
> > > msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > > escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > > inputname: imudp rawmsg: '<14> Feb 4 07:29:40 <IP> 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
> > > ---
> > > The <IP> from the last line was of course the same as in the logfiles...
> > > I confuse this to be a client of a rsyslog-client twice... :-o !
> > >
> > > I could hereafter easily edit my /etc/rsyslog.conf respectively:
> > > ---
> > > #SET PRIVILEGES
> > > $PreserveFQDN on
> > > $PrivDropToGroup <GROUP>
> > > $PrivDropToUser <USER>
> > > $DirCreateMode 0750
> > > $FileCreateMode 0640
> > > $UMASK 0027
> > >
> > > #LOAD MODULES
> > > $ModLoad imudp
> > > $UDPServerRun 514
> > > $UDPServerAddress 127.0.0.1
> > > $ModLoad imtcp
> > > $InputTCPServerRun 514
> > >
> > > #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
> > > #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
> > >
> > > #SET DESTINATION FOR LOGS
> > > $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > >
> > > $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
> > > $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
> > > $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
> > > $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
> > > $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
> > > $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
> > > $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
> > >
> > > #SET LOGGING CONDITIONS
> > > if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > > if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > > if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > > if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > > if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > > if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> > >
> > > if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > > if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > > if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > > if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > > if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > > if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > > if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > > ---
> > >
> > > David+Rainer: thanks for your help... much appreciated...:-) !
> > >
> > > Br.
> > > ~maymann
> > >
> > > 2012/2/4 <david [at] lang>
> > >
> > > > I was actually meaning for you to do this on the server where you are
> > > > seeing the ??? show up.
> > > >
> > > > but this does show that the sending machine thinks it's doing everything
> > > > correctly (assuming the <HOSTNAME> you put in the message below is actually
> > > > correct)
> > > >
> > > > what I would want to see from the server log is one of the messages with
> > > > the ??? in it that you are trying to fix.
> > > >
> > > >
> > > > David Lang
> > > >
> > > > On Fri, 3 Feb 2012, Michael Maymann wrote:
> > > >
> > > > Hi,
> > > >>
> > > > >> David: thanks for your reply...:-) !
> > > > >>
> > > > >> This is not a known client causing the "???" entries - I don't know the
> > > > >> ip(s)/hostname(s), and this is why I would like to log IP instead of
> > > > >> hostname - as my guess is it is a network device without DNS entry...:-( !
> > > > >>
> > > > >> Can I troubleshoot on the server somehow similar... or was that the
> > > > >> intention all along...:-o !
> > > > >>
> > > > >> Here is the client-debug output anyways...:
> > > > >> # cat messages-debug
> > > > >> Debug line with all properties:
> > > > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
> > > > >> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
> > > > >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > > > >> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > > >> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > > >> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
> > > > >>
> > > > >> Debug line with all properties:
> > > > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
> > > > >> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
> > > > >> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
> > > > >> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > > > >> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > > > >> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
> > > > >>
> > > > >> Debug line with all properties:
> > > > >> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
> > > > >> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
> > > > >> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
> > > > >> msg: ' hej'
> > > > >> escaped msg: ' hej'
> > > > >> rawmsg: '<13>Feb 3 11:14:30 root: hej'
> > > >>
> > > >>
> > > >> Thanks in advance :-) !
> > > >> ~maymann
> > > >>
> > > >>
> > > >> 2012/2/3 <david [at] lang>
> > > >>
> > > >> oops, that should have been RSYSLOG_DebugFormat template.
> > > >>>
> > > >>> David Lang
> > > >>>
> > > >>> On Thu, 2 Feb 2012, david [at] lang wrote:
> > > >>>
> > > >>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
> > > >>>
> > > >>>> From: david [at] lang
> > > >>>>
> > > >>>> Reply-To: rsyslog-users <rsyslog [at] lists>
> > > >>>> To: rsyslog-users <rsyslog [at] lists>
> > > >>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST%
> ==
> > > %IP%
> > > >>>>
> > > >>>> what does one of these messages look like if you write it out
> with
> > > the
> > > >>>> RSYSLOG_DEBUG template?
> > > >>>>
> > > >>>> David Lang
> > > >>>>
> > > >>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
> > > >>>>
> > > >>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
> > > >>>>
> > > >>>>> From: Michael Maymann <michael [at] maymann>
> > > >>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
> > > >>>>> To: rsyslog-users <rsyslog [at] lists>
> > > >>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST%
> ==
> > > %IP%
> > > >>>>>
> > > >>>>> Please... Anyone?
> > > >>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann"
> <michael [at] maymann>
> > > wrote:
> > > >>>>>
> > > >>>>> Hi,
> > > >>>>>
> > > >>>>>>
> > > >>>>>> got it started... but still ??? dir+logfiles are showing
> up...
> > > >>>>>> This is now my rsyslog.conf:
> > > >>>>>> #SET PRIVILEGES
> > > >>>>>> $PreserveFQDN on
> > > >>>>>> $PrivDropToGroup <GROUP>
> > > >>>>>> $PrivDropToUser <USER>
> > > >>>>>> $DirCreateMode 0750
> > > >>>>>> $FileCreateMode 0640
> > > >>>>>> $UMASK 0027
> > > >>>>>>
> > > >>>>>> #LOAD MODULES
> > > >>>>>> $ModLoad imudp
> > > >>>>>> $UDPServerRun 514
> > > >>>>>> $UDPServerAddress 127.0.0.1
> > > >>>>>> $ModLoad imtcp
> > > >>>>>> $InputTCPServerRun 514
> > > >>>>>>
> > > > >>>>>> #SET DESTINATION FOR LOGS
> > > > >>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > > >>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > > >>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > > >>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > > >>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > > >>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > > >>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > > > >>>>>>
> > > > >>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > > > >>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > > > >>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > > > >>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > > > >>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > > > >>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > > > >>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > > > >>>>>>
> > > > >>>>>> #SET LOGGING CONDITIONS
> > > > >>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
> > > > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
> > > > >>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
> > > > >>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
> > > > >>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
> > > > >>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
> > > > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
> > > > >>>>>>
> > > > >>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
> > > > >>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
> > > > >>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
> > > > >>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
> > > > >>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
> > > > >>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
> > > > >>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
> > > >>>>>>
> > > >>>>>> I have tried with $fromhost, $fromhost-ip and $hostname -
> but
> > > all
> > > >>>>>> creates
> > > >>>>>> ??? dir+files...
> > > >>>>>> What variable should I use to handle this properly ?
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> Thanks in advance :-) !
> > > >>>>>> ~maymann
> > > >>>>>>
> > > >>>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
> > > >>>>>>
> > > >>>>>> Hi,
> > > >>>>>>
> > > >>>>>>>
> > > >>>>>>> David: thanks for your reply...
> > > >>>>>>> Here is my new rsyslog.conf:
> > > >>>>>>> #SET PRIVILEGES
> > > >>>>>>> $PreserveFQDN on
> > > >>>>>>> $PrivDropToGroup <GROUP>
> > > >>>>>>> $PrivDropToUser <USER>
> > > >>>>>>> $DirCreateMode 0750
> > > >>>>>>> $FileCreateMode 0640
> > > >>>>>>> $UMASK 0027
> > > >>>>>>>
> > > >>>>>>> #LOAD MODULES
> > > >>>>>>> $ModLoad imudp
> > > >>>>>>> $UDPServerRun 514
> > > >>>>>>> $UDPServerAddress 127.0.0.1
> > > >>>>>>> $ModLoad imtcp
> > > >>>>>>> $InputTCPServerRun 514
> > > >>>>>>>
> > > > >>>>>>> #SET DESTINATION FOR LOGS
> > > > >>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
> > > > >>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
> > > > >>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
> > > > >>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
> > > > >>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
> > > > >>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
> > > > >>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
> > > > >>>>>>>
> > > > >>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
> > > > >>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
> > > > >>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
> > > > >>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
> > > > >>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
> > > > >>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
> > > > >>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
> > > > >>>>>>>
> > > > >>>>>>> #SET LOGGING CONDITIONS
> > > > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
> > > > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
> > > > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
> > > > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
> > > > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
> > > > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
> > > > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
> > > > >>>>>>>
> > > > >>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
> > > > >>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
> > > > >>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
> > > > >>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
> > > > >>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
> > > > >>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
> > > > >>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
> > > >>>>>>>
> > > >>>>>>> but it fails...:
> > > > >>>>>>> # service rsyslog start
> > > > >>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see
> > > > >>>>>>> rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number
> > > > >>>>>>> means)
> > > > >>>>>>> [ OK ]
> > > >>>>>>>
> > > >>>>>>> my guess is it is my %FROMHOST% == '???' - is this format
> > > correct or
> > > >>>>>>> how
> > > >>>>>>> is this done...
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> Thanks in advance :-) !
> > > >>>>>>> ~maymann
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>> 2012/2/1 <david [at] lang>
> > > >>>>>>>
> > > >>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
> > > >>>>>>>
> > > >>>>>>>
> > > >>>>>>>> Hi,
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>>> I want to log information about hosts that are not
> logging
> > > with
> > > >>>>>>>>> correct
> > > >>>>>>>>> HOSTNAME.
> > > >>>>>>>>> In my current setup, I get a dir "???" where these
> host(s)
> > > are
> > > >>>>>>>>> logging
> > > >>>>>>>>> to...
> > > >>>>>>>>>
> > > >>>>>>>>> I would like to change this to the hosts IP instead,
> > > something
> > > >>>>>>>>> like:
> > > >>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
> > > >>>>>>>>>
> > > >>>>>>>>>
> > > >>>>>>>>> rsyslog cannot do what you are asking. It can't assign a
> > > value to
> > > >>>>>>>> a
> > > >>>>>>>> property.
> > > >>>>>>>>
> > > >>>>>>>> what you can do is to setup a different template and then
> if
> > > >>>>>>>> %fromhost%
> > > >>>>>>>> is your special pattern you can log with this different
> > > template.
> > > >>>>>>>>
> > > >>>>>>>> David Lang
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/


david at lang

Feb 6, 2012, 11:24 AM

Post #25 of 25 (316 views)
Permalink
Re: if %FROMHOST% == '???' then %FROMHOST% == %IP% [In reply to]

On Mon, 6 Feb 2012, Rainer Gerhards wrote:

>> -----Original Message-----
>> From: rsyslog-bounces [at] lists [mailto:rsyslog-
>> bounces [at] lists] On Behalf Of david [at] lang
>> Sent: Saturday, February 04, 2012 9:27 AM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>
>> If Rainer creates the instrumented version it would still be good to see
>> what's going on. I would say that for fromhost-ip to be '???' is always a
>> bug, and if a failed DNS lookup makes the fromhost be '???' instead of the
>> IP address, I would also consider that a bug.
>
> Yup, I agree here. It's most probably a bug, at least if no message
> indicating something malicious goes along with the problem. Rsyslog checks if
> it can trust the IP and prefers not to write it if there is proof something
> malicious goes on - the ??? then indicate we do not know the actual IP and is
> probably the best to be done in that case. See [1], especially the comments,
> for details. I have audited the code and do not see anything obviously wrong.
> I noticed that there is already a lot of good debug instrumentation present,
> so I just added one additional output, which makes it somewhat easier to scan
> for failures inside the log file. It also provides the ultimate proof of why
> the function indicates failure.

under what condition would we not be able to get the IP address of the far
end of the connection?

David Lang

> @Michael: You can obtain the new version via the git master branch (let me
> know if you have problems obtaining it). Please try it out. We need to see at
> least one occurrence of ??? in order to track down what is going on.
>
>> It would be good to track down what's actually happening here.
> Indeed, especially as this is the prime reason for making separate devel and
> stable branches available. ;-)
>
> Rainer
> [1] http://git.adiscon.com/?p=rsyslog.git;a=blob;f=runtime/dnscache.c;h=549bcd9328d53c4da484ac0c7dbd01c6aa2db415;hb=HEAD#l147
>>
>> David Lang
>>
>> On Sat, 4 Feb 2012, Michael Maymann wrote:
>>
>>> Hi,
>>>
>>> SOLVED...
>>>
>>> got it working...:-) !
>>>
>>> I enabled debugging (David: thanks for the hint) and this was one of the
>>> entries:
>>> ---
>>> Debug line with all properties:
>>> FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '<IP>', PRI: 14,
>>> syslogtag '00828', programname: '00828', APP-NAME: '00828', PROCID: '-', MSGID: '-',
>>> TIMESTAMP: 'Feb 4 07:29:40', STRUCTURED-DATA: '-',
>>> msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
>>> escaped msg: ' lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
>>> inputname: imudp rawmsg: '<14> Feb 4 07:29:40 <IP> 00828 lldp: PVID mismatch on port C2(VID 1)with peer device port 2(VID unknown)(769216)'
>>> ---
>>> The <IP> from the last line was of course the same as in the logfiles...
>>> I confuse this to be a client of a rsyslog-client twice... :-o !
>>>
>>> I could hereafter easily edit my /etc/rsyslog.conf respectively:
>>> ---
>>> #SET PRIVILEGES
>>> $PreserveFQDN on
>>> $PrivDropToGroup <GROUP>
>>> $PrivDropToUser <USER>
>>> $DirCreateMode 0750
>>> $FileCreateMode 0640
>>> $UMASK 0027
>>>
>>> #LOAD MODULES
>>> $ModLoad imudp
>>> $UDPServerRun 514
>>> $UDPServerAddress 127.0.0.1
>>> $ModLoad imtcp
>>> $InputTCPServerRun 514
>>>
>>> #DEBUGMODE (disable "SET PRIVILEGES" & everything below + comment-in to enable...)
>>> #*.info;mail.none;authpriv.none;cron.none /var/log/messages-debug;RSYSLOG_DebugFormat
>>>
>>> #SET DESTINATION FOR LOGS
>>> $template DYNmessages,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>> $template DYNsecure,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>> $template DYNmaillog,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>> $template DYNcron,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>> $template DYNspooler,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>> $template DYNboot,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>> $template DYNtraps,"<PATH_TO>/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>
>>> $template DYNIPmessages,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_messages"
>>> $template DYNIPsecure,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_secure"
>>> $template DYNIPmaillog,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_maillog"
>>> $template DYNIPcron,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_cron"
>>> $template DYNIPspooler,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_spooler"
>>> $template DYNIPboot,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_boot.log"
>>> $template DYNIPtraps,"<PATH_TO>/%HOSTNAME%/%HOSTNAME%_%$YEAR%.%$MONTH%_traps"
>>>
>>> #SET LOGGING CONDITIONS
>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>
>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>> ---
>>>
>>> David+Rainer: thanks for your help... much appreciated...:-) !
>>>
>>> Br.
>>> ~maymann
>>>
>>> 2012/2/4 <david [at] lang>
>>>
>>>> I was actually meaning for you to do this on the server where you are
>>>> seeing the ??? show up.
>>>>
>>>> but this does show that the sending machine thinks it's doing everything
>>>> correctly (assuming the <HOSTNAME> you put in the message below is actually
>>>> correct)
>>>>
>>>> what I would want to see from the server log is one of the messages with
>>>> the ??? in it that you are trying to fix.
>>>>
>>>>
>>>> David Lang
>>>>
>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> David: thanks for your reply...:-) !
>>>>>
>>>>> This is not a known client causing the "???" entries - I don't know the
>>>>> ip(s)/hostname(s), and this is why I would like to log IP instead of
>>>>> hostname - as my guess is it is a network device without DNS entry...:-( !
>>>>>
>>>>> Can I troubleshoot on the server somehow similar... or was that the
>>>>> intention all along...:-o !
>>>>>
>>>>> Here is the client-debug output anyways...:
>>>>> # cat messages-debug
>>>>> Debug line with all properties:
>>>>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 6,
>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
>>>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>>>> msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>>> escaped msg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>>> rawmsg: 'imklog 4.6.2, log source = /proc/kmsg started.'
>>>>>
>>>>> Debug line with all properties:
>>>>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 46,
>>>>> syslogtag 'rsyslogd:', programname: 'rsyslogd', APP-NAME: 'rsyslogd', PROCID: '-', MSGID: '-',
>>>>> TIMESTAMP: 'Feb 3 11:14:24', STRUCTURED-DATA: '-',
>>>>> msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>>>>> escaped msg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>>>>> rawmsg: ' [origin software="rsyslogd" swVersion="4.6.2" x-pid="13432" x-info="http://www.rsyslog.com"] (re)start'
>>>>>
>>>>> Debug line with all properties:
>>>>> FROMHOST: '<HOSTNAME>', fromhost-ip: '127.0.0.1', HOSTNAME: '<HOSTNAME>', PRI: 13,
>>>>> syslogtag 'root:', programname: 'root', APP-NAME: 'root', PROCID: '-', MSGID: '-',
>>>>> TIMESTAMP: 'Feb 3 11:14:30', STRUCTURED-DATA: '-',
>>>>> msg: ' hej'
>>>>> escaped msg: ' hej'
>>>>> rawmsg: '<13>Feb 3 11:14:30 root: hej'
>>>>>
>>>>>
>>>>> Thanks in advance :-) !
>>>>> ~maymann
>>>>>
>>>>>
>>>>> 2012/2/3 <david [at] lang>
>>>>>
>>>>>> oops, that should have been RSYSLOG_DebugFormat template.
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>> On Thu, 2 Feb 2012, david [at] lang wrote:
>>>>>>
>>>>>>> Date: Thu, 2 Feb 2012 22:44:46 -0800 (PST)
>>>>>>> From: david [at] lang
>>>>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>>>>> To: rsyslog-users <rsyslog [at] lists>
>>>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>>>
>>>>>>> what does one of these messages look like if you write it out with the
>>>>>>> RSYSLOG_DEBUG template?
>>>>>>>
>>>>>>> David Lang
>>>>>>>
>>>>>>> On Fri, 3 Feb 2012, Michael Maymann wrote:
>>>>>>>
>>>>>>>> Date: Fri, 3 Feb 2012 07:00:26 +0100
>>>>>>>> From: Michael Maymann <michael [at] maymann>
>>>>>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>>>>>> To: rsyslog-users <rsyslog [at] lists>
>>>>>>>> Subject: Re: [rsyslog] if %FROMHOST% == '???' then %FROMHOST% == %IP%
>>>>>>>>
>>>>>>>> Please... Anyone?
>>>>>>>> On Feb 2, 2012 2:17 PM, "Michael Maymann" <michael [at] maymann> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> got it started... but still ??? dir+logfiles are showing up...
>>>>>>>>> This is now my rsyslog.conf:
>>>>>>>>> #SET PRIVILEGES
>>>>>>>>> $PreserveFQDN on
>>>>>>>>> $PrivDropToGroup <GROUP>
>>>>>>>>> $PrivDropToUser <USER>
>>>>>>>>> $DirCreateMode 0750
>>>>>>>>> $FileCreateMode 0640
>>>>>>>>> $UMASK 0027
>>>>>>>>>
>>>>>>>>> #LOAD MODULES
>>>>>>>>> $ModLoad imudp
>>>>>>>>> $UDPServerRun 514
>>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>>> $ModLoad imtcp
>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>
>>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>
>>>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>
>>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>>> if $syslogseverity <= '6' and $fromhost != '???' then ?DYNmessages
>>>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost != '???' then ?DYNsecure
>>>>>>>>> if $syslogfacility-text == 'mail' and $fromhost != '???' then ?DYNmaillog
>>>>>>>>> if $syslogfacility-text == 'cron' and $fromhost != '???' then ?DYNcron
>>>>>>>>> if $syslogseverity-text == 'crit' and $fromhost != '???' then ?DYNspooler
>>>>>>>>> if $syslogfacility-text == 'local7' and $fromhost != '???' then ?DYNboot
>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost != '???' then ?DYNtraps
>>>>>>>>>
>>>>>>>>> if $syslogseverity <= '6' and $fromhost == '???' then ?DYNIPmessages
>>>>>>>>> if $syslogfacility-text == 'authpriv' and $fromhost == '???' then ?DYNIPsecure
>>>>>>>>> if $syslogfacility-text == 'mail' and $fromhost == '???' then ?DYNIPmaillog
>>>>>>>>> if $syslogfacility-text == 'cron' and $fromhost == '???' then ?DYNIPcron
>>>>>>>>> if $syslogseverity-text == 'crit' and $fromhost == '???' then ?DYNIPspooler
>>>>>>>>> if $syslogfacility-text == 'local7' and $fromhost == '???' then ?DYNIPboot
>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and $fromhost == '???' then ?DYNIPtraps
>>>>>>>>>
>>>>>>>>> I have tried with $fromhost, $fromhost-ip and $hostname - but all
>>>>>>>>> creates ??? dir+files...
>>>>>>>>> What variable should I use to handle this properly ?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks in advance :-) !
>>>>>>>>> ~maymann
>>>>>>>>>
>>>>>>>>> 2012/2/2 Michael Maymann <michael [at] maymann>
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> David: thanks for your reply...
>>>>>>>>>> Here is my new rsyslog.conf:
>>>>>>>>>> #SET PRIVILEGES
>>>>>>>>>> $PreserveFQDN on
>>>>>>>>>> $PrivDropToGroup <GROUP>
>>>>>>>>>> $PrivDropToUser <USER>
>>>>>>>>>> $DirCreateMode 0750
>>>>>>>>>> $FileCreateMode 0640
>>>>>>>>>> $UMASK 0027
>>>>>>>>>>
>>>>>>>>>> #LOAD MODULES
>>>>>>>>>> $ModLoad imudp
>>>>>>>>>> $UDPServerRun 514
>>>>>>>>>> $UDPServerAddress 127.0.0.1
>>>>>>>>>> $ModLoad imtcp
>>>>>>>>>> $InputTCPServerRun 514
>>>>>>>>>>
>>>>>>>>>> #SET DESTINATION FOR LOGS
>>>>>>>>>> $template DYNmessages,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>>> $template DYNsecure,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>>> $template DYNmaillog,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>>> $template DYNcron,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>>> $template DYNspooler,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>>> $template DYNboot,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>>> $template DYNtraps,"PATH_TO/%FROMHOST%/%FROMHOST%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>>
>>>>>>>>>> $template DYNIPmessages,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_messages"
>>>>>>>>>> $template DYNIPsecure,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_secure"
>>>>>>>>>> $template DYNIPmaillog,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_maillog"
>>>>>>>>>> $template DYNIPcron,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_cron"
>>>>>>>>>> $template DYNIPspooler,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_spooler"
>>>>>>>>>> $template DYNIPboot,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_boot.log"
>>>>>>>>>> $template DYNIPtraps,"PATH_TO/%FROMHOST-IP%/%FROMHOST-IP%_%$YEAR%.%$MONTH%_traps"
>>>>>>>>>>
>>>>>>>>>> #SET LOGGING CONDITIONS
>>>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% != '???' then ?DYNmessages
>>>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% != '???' then ?DYNsecure
>>>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% != '???' then ?DYNmaillog
>>>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% != '???' then ?DYNcron
>>>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% != '???' then ?DYNspooler
>>>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% != '???' then ?DYNboot
>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% != '???' then ?DYNtraps
>>>>>>>>>>
>>>>>>>>>> if $syslogseverity <= '6' and %FROMHOST% == '???' then ?DYNIPmessages
>>>>>>>>>> if $syslogfacility-text == 'authpriv' and %FROMHOST% == '???' then ?DYNIPsecure
>>>>>>>>>> if $syslogfacility-text == 'mail' and %FROMHOST% == '???' then ?DYNIPmaillog
>>>>>>>>>> if $syslogfacility-text == 'cron' and %FROMHOST% == '???' then ?DYNIPcron
>>>>>>>>>> if $syslogseverity-text == 'crit' and %FROMHOST% == '???' then ?DYNIPspooler
>>>>>>>>>> if $syslogfacility-text == 'local7' and %FROMHOST% == '???' then ?DYNIPboot
>>>>>>>>>> if $syslogfacility-text == 'local6' and $syslogseverity-text == 'WARNING' and %FROMHOST% == '???' then ?DYNIPtraps
>>>>>>>>>>
>>>>>>>>>> but it fails...:
>>>>>>>>>> # service rsyslog start
>>>>>>>>>> Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
>>>>>>>>>> [ OK ]
>>>>>>>>>>
>>>>>>>>>> my guess is it is my %FROMHOST% == '???' - is this format correct or how
>>>>>>>>>> is this done...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks in advance :-) !
>>>>>>>>>> ~maymann
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2012/2/1 <david [at] lang>
>>>>>>>>>>
>>>>>>>>>>> On Wed, 1 Feb 2012, Michael Maymann wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I want to log information about hosts that are not logging with correct
>>>>>>>>>>>> HOSTNAME.
>>>>>>>>>>>> In my current setup, I get a dir "???" where these host(s) are logging to...
>>>>>>>>>>>>
>>>>>>>>>>>> I would like to change this to the hosts IP instead, something like:
>>>>>>>>>>>> if %FROMHOST% == '???' then %FROMHOST% == %IP
>>>>>>>>>>>
>>>>>>>>>>> rsyslog cannot do what you are asking. It can't assign a value to a
>>>>>>>>>>> property.
>>>>>>>>>>>
>>>>>>>>>>> what you can do is to setup a different template and then if %fromhost% is
>>>>>>>>>>> your special pattern you can log with this different template.
>>>>>>>>>>>
>>>>>>>>>>> David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
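
The workaround quoted in this thread files every message whose FROMHOST is '???' under the HOSTNAME field, which is text supplied by the sender. As an added example (not code from the thread or from the rsyslog project), this Python script reads a file written with RSYSLOG_DebugFormat, lists the senders that came in as '???', and says whether each header HOSTNAME is an IP literal, a plain host name, or something unsuitable as a directory name. The function names, the abbreviated sample records and the name rule in `SAFE_NAME` are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the RSYSLOG_DebugFormat layout quoted in this thread,
# abbreviated to the lines the parser reads. Addresses and names are made up.
SAMPLE = """\
Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.0.2.17', PRI: 14,
msg: ' lldp: PVID mismatch on port C2'
inputname: imudp rawmsg: '<14> Feb  4 07:29:40 192.0.2.17 00828 lldp: PVID mismatch on port C2'

Debug line with all properties:
FROMHOST: 'web01.example.net', fromhost-ip: '192.0.2.20', HOSTNAME: 'web01.example.net', PRI: 13,
msg: ' saw FROMHOST: '???' in the collector log'
inputname: imtcp rawmsg: '<13>Feb  4 07:30:02 web01.example.net root: saw FROMHOST: '???' in the collector log'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: '192.0.2.17', PRI: 14,
msg: ' lldp: PVID mismatch on port C4'
inputname: imudp rawmsg: '<14> Feb  4 07:31:10 192.0.2.17 00828 lldp: PVID mismatch on port C4'

Debug line with all properties:
FROMHOST: '???', fromhost-ip: '???', HOSTNAME: 'sw/core', PRI: 14,
msg: ' link up'
inputname: imudp rawmsg: '<14> Feb  4 07:32:00 sw/core 00001 link up'
"""

HEADER = "Debug line with all properties:"
FIELD = re.compile(r"(FROMHOST|fromhost-ip|HOSTNAME): '([^']*)'")
RAWMSG = re.compile(r"rawmsg: '(.*)'\s*$")
# Assumed rule for a name that is harmless as a single path component.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")


def parse_debug_records(text):
    """Split a debug-format file into records and pull out the routing fields."""
    records = []
    for chunk in text.split(HEADER)[1:]:
        lines = chunk.strip().splitlines()
        if not lines:
            continue
        # FROMHOST, fromhost-ip and HOSTNAME sit on the first line of a record.
        # Reading them from later lines would let message text that imitates
        # a field (second sample record) be mistaken for the real value.
        rec = dict(FIELD.findall(lines[0]))
        m = RAWMSG.search(lines[-1])
        rec["rawmsg"] = m.group(1) if m else ""
        records.append(rec)
    return records


def classify_dirname(value):
    """Classify a header HOSTNAME by how it behaves as a directory name."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if SAFE_NAME.fullmatch(value) and ".." not in value:
        return "name"
    return "unsafe"


def unresolved_senders(text):
    """Return (HOSTNAME, class, count) for every record with FROMHOST '???'."""
    counts = Counter(
        rec.get("HOSTNAME", "")
        for rec in parse_debug_records(text)
        if rec.get("FROMHOST") == "???"
    )
    return [(host, classify_dirname(host), n) for host, n in sorted(counts.items())]


if __name__ == "__main__":
    for host, kind, n in unresolved_senders(SAMPLE):
        print(f"{n:3d}  {kind:6s}  {host!r}")
```

Run it against the file produced by the `RSYSLOG_DebugFormat` line from the configuration above; any sender reported as `unsafe` is one whose HOSTNAME should not be used as a directory name.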
