Problem with regular expression


Postby killshoot on Mon Aug 25, 2008 1:32 pm

Hi all,

I've a little problem with regular expressions in Rsyslog 17.2.
In fact I just want to forward the message when the Hostname starts with 'z' or 'x' or (starts with 'htmn' but does not contain 'rsip').

So after some attempts I've written the following line without syntax error:

if $HOSTNAME startswith 'x' or $HOSTNAME startswith 'z' or ($HOSTNAME startswith 'htmn' and not ($HOSTNAME contains 'rsip')) then @@192.168.107.21:4391;DBRecFmt   


My problem is that the forwarding only occurs for the last statement "($HOSTNAME startswith 'htmn' and not ($HOSTNAME contains 'rsip'))". All messages where HOSTNAME starts with 'x' or 'z' are not forwarded.

Anybody can help me?

Best regards,

Vince
killshoot

Re: Problem with regular expression

Postby hkspvt on Tue Aug 26, 2008 11:22 pm

Can you post an example of a message that should have been caught but wasn't?

-HKS
hkspvt

Re: Problem with regular expression

Postby killshoot on Wed Aug 27, 2008 11:18 am

Hi,

Thank you for your answer.

Has been caught:
htmnlogvipp1 12 10:50:04 ntpd kernel time sync enabled 2001
htmnhqzensvip57 auth 10:44:53 mbcd WARNING <2833>Flow::~Flow() Gen index=0 ix=1W ID=0

Hasn't been caught:
xzhzhbv045 local7 12:18:22 xzhzhbv045 %10SSH/5/fsm_move(l):- 2 -FSM MOVE FROM SSH_Sub1_Authentication TO SSH_Sub1_Channel

Thank you for your help
killshoot

Re: Problem with regular expression

Postby hkspvt on Wed Aug 27, 2008 3:32 pm

I can't find anything wrong with the regex (obviously - it's pretty simple), but I overlooked that you were forwarding this to another machine in the action space. Can you change the action (or add another line) to something like /var/log/test.log?

if $HOSTNAME startswith 'x' or $HOSTNAME startswith 'z' or ($HOSTNAME startswith 'htmn' and not ($HOSTNAME contains 'rsip')) then /var/log/test.log


The logs should end up there, in which case we need to take a look at the configuration for 192.168.107.21.

-HKS
hkspvt

Re: Problem with regular expression

Postby killshoot on Wed Aug 27, 2008 4:14 pm

Hi,

Thanks for the reply.

I've done the test here and it doesn't work. I've also done the following tests without success:

if $HOSTNAME startswith 'x' or $HOSTNAME startswith 'z' or ($HOSTNAME startswith 'htmn' and not ($HOSTNAME contains 'rsip')) then /var/log/test.log
if $HOSTNAME startswith 'x' or $HOSTNAME startswith 'z' then /var/log/test.log
if $HOSTNAME startswith 'x' then /var/log/test.log


Any suggestion ?
killshoot

Re: Problem with regular expression

Postby hkspvt on Wed Aug 27, 2008 5:14 pm

Hmmm, there's definitely something weird going on. Let's try this:

$template test, "HOSTNAME [%hostname%] FROMHOST [%fromhost%] MSG: %msg:::drop-last-lf%\n"
*.*          /var/log/test.log;test


I'm curious to see whether the hostname is what we expect it to be.

Also, can you post the DBRecFmt template that you're using?

I'm hoping to make some time to test this myself this afternoon, but it's not looking hopeful...

-HKS
hkspvt

Re: Problem with regular expression

Postby killshoot on Thu Aug 28, 2008 7:21 am

Hi,

You're a genius :D

In fact the problem was that I used "HOSTNAME" instead of "FROMHOST"; now everything seems to run perfectly.

I just don't understand why some entries worked before....

Thank you VERY much for your help.

Vince
killshoot

Re: Problem with regular expression

Postby hkspvt on Thu Aug 28, 2008 2:44 pm

Fantastic, I'm glad it's working for you.

killshoot wrote:In fact the problem was that I used "HOSTNAME" instead of "FROMHOST"; now everything seems to run perfectly.

I just don't understand why some entries worked before....


The HOSTNAME property refers to the actual hostname section of a syslog packet while FROMHOST does a reverse DNS lookup on the source IP from the UDP packet. The difference between the two can be caused by a number of things:
a) The source does not follow RFC standards and so the HOSTNAME field does not contain the hostname
b) The source host does not know itself by the same name as reverse DNS does. As long as this is intentional, this isn't necessarily a bad thing
c) The syslog packet has traveled through a third machine (ie, Host A -> Host B -> Host C; HOSTNAME should contain Host A at all points, but the value of FROMHOST at Host C will actually be Host B)

Hope that clears up any confusion.

-HKS
hkspvt
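To make the difference concrete, here is an added example (my own code, not part of the thread and not rsyslog's implementation): a small evaluator for the legacy `if ... then ...` filter syntax used in this thread, run over constructed message records that mirror the three causes listed above. Each record carries both the HOSTNAME taken from the packet header and the FROMHOST obtained from the sender address, and the thread's filter is evaluated twice, once as written against `$HOSTNAME` and once with `$FROMHOST` substituted. The record values, the `(a)`/`(b)`/`(c)` labels and the operator set (`startswith`, `contains`, `isequal`) are assumptions for illustration; the precedence `not` > `and` > `or` is the usual one and is what the parser implements.

```python
import re

# The filter from the thread (the final /var/log/test.log variant).
FILTER = ("if $HOSTNAME startswith 'x' or $HOSTNAME startswith 'z' "
          "or ($HOSTNAME startswith 'htmn' and not ($HOSTNAME contains 'rsip')) "
          "then /var/log/test.log")

# Tokens: $property, 'quoted string', parentheses, or a bare word (operator/keyword).
TOKEN = re.compile(r"\$\w+|'[^']*'|\(|\)|[^\s()']+")


class FilterParser:
    """Recursive-descent evaluator for: expr := term ('or' term)*,
    term := factor ('and' factor)*, factor := 'not' factor | '(' expr ')' | cmp.
    Both sides of 'and'/'or' are always evaluated so every token is consumed."""

    def __init__(self, tokens, props):
        self.toks, self.i = tokens, 0
        self.props = {k.lower(): v for k, v in props.items()}

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        val = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()
            val = val or rhs
        return val

    def term(self):
        val = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            val = val and rhs
        return val

    def factor(self):
        tok = self.peek()
        if tok == "not":
            self.take()
            return not self.factor()
        if tok == "(":
            self.take()
            val = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return val
        return self.comparison()

    def comparison(self):
        prop, op, lit = self.take(), self.take(), self.take()
        if not prop or not prop.startswith("$") or not lit or not lit.startswith("'"):
            raise ValueError(f"bad comparison near {prop!r} {op!r} {lit!r}")
        name = prop[1:].lower()
        if name not in self.props:
            raise ValueError(f"unknown property ${name}")
        value, lit = self.props[name], lit[1:-1]
        if op == "startswith":
            return value.startswith(lit)
        if op == "contains":
            return lit in value
        if op == "isequal":
            return value == lit
        raise ValueError(f"unsupported operator {op!r}")


def evaluate(filter_line, props):
    """Return the action target if the filter's condition holds for props, else None."""
    m = re.match(r"^if\s+(.*)\s+then\s+(\S+)\s*$", filter_line)
    if not m:
        raise ValueError("expected: if <condition> then <action>")
    parser = FilterParser(TOKEN.findall(m.group(1)), props)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return m.group(2) if result else None


# Constructed records: (label, HOSTNAME parsed from the packet, FROMHOST from the sender).
RECORDS = [
    ("compliant device", "xzhzhbv045", "xzhzhbv045"),
    ("(a) non-RFC header, first msg token lands in HOSTNAME", "%10SSH/5/fsm_move(l):-", "xzhzhbv045"),
    ("(b) device name differs from reverse DNS", "sw-access-01", "xzhzhbv045"),
    ("(c) relayed via Host B", "htmnlogvipp1", "relay-b"),
    ("htmn host excluded by the rsip clause", "htmnrsip01", "htmnrsip01"),
]


def compare(filter_line=FILTER):
    """Map each record label to (matched on $HOSTNAME, matched on $FROMHOST)."""
    fromhost_filter = filter_line.replace("$HOSTNAME", "$FROMHOST")
    out = {}
    for label, hostname, fromhost in RECORDS:
        props = {"hostname": hostname, "fromhost": fromhost}
        out[label] = (evaluate(filter_line, props) is not None,
                      evaluate(fromhost_filter, props) is not None)
    return out


if __name__ == "__main__":
    for label, (by_host, by_from) in compare().items():
        print(f"{label:55s} HOSTNAME={by_host!s:5s} FROMHOST={by_from!s}")
```

Running it shows the pattern from the thread: the `htmn` hosts match either way unless the packet is relayed, while a switch that fills the HOSTNAME slot with something other than its name only matches once the filter looks at `$FROMHOST`. The reverse holds for case (c), which is the caveat hkspvt raises: behind a relay, `$FROMHOST` names the relay, so neither property is the right choice in every topology.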

Re: Problem with regular expression

Postby killshoot on Fri Aug 29, 2008 8:24 am

hkspvt wrote:b) The source host does not know itself by the same name as reverse DNS does. As long as this is intentional, this isn't necessarily a bad thing


You're right, in fact our access switches haven't any DNS configuration.

Thank you for your help and knowledge

Have a nice day
killshoot