MonitorWare Knowledge Base

yes, I did a restart after every modification because a "reload" didn't work either...

will the debug log from the backup logserver suffice? it has the same configuration as the primary...


thanks

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

it doesn't really matter where the debug log is from, as long as it shows processing while the error occurs. So a backup server (or even a dedicated lab with non-real data) is fine.

Hi,

please find enclosed the requested debug log.

thanks

I am puzzld, the log does not match your config file. It does not contain any reference to /var/log/current... did you mix up files?

sorry for that... I modified some paths and tweaked the IP addresses... the rest belongs to the config file on the server...

thanks

so it works now?

Nope

so can you send me a debug log that actually has the problem? As I said, the log you posted does not have the problem you mentioned, because it's config does not write to the files that you say they were not written (aka "correct")

hi again,

long time no see

i've seen that some other users are having issues with filtering...
filter-questions-t9876.html is related to my original question, so it's good to have one answer in one place...

:fromhost-ip, isequal, "192.168.0.4" /var/log/router/systems.log
& ~
:fromhost-ip, isequal, "192.168.0.5" /var/log/switch/systems.log
& ~

is fine if you are happy with one big file but I need to have dynamic logfiles... so I approached it in two ways, none of which work :-/

note: /etc/rsyslog.conf has the following directives:
--
.
.
.
$IncludeConfig /etc/rsyslog.d/*.conf
$ResetConfigVariables
.
.
.

$template DynaFile,"/var/log/%HOSTNAME%.%$DAY%%$MONTH%%$YEAR%.log"
*.* -?DynaFile

[EOF]
--

approach 1:
---
/etc/rsyslog.d/networks.conf

$template NetworksFile,"/var/log/networks/%HOSTNAME%.%$DAY%%$MONTH%%$YEAR%.log"

if $source == '1.2.3.4' and ( ($syslogseverity-text == 'info') o
r ($syslogseverity-text == 'notice') ) and ( $syslogfacility-text
!= 'mail' and $syslogfacility-text != 'authpriv' and
$syslogfacility-text != 'cron' ) then ?NetworksFile

if $source == '1.2.3.5' and ( ($syslogseverity-text == 'info') o
r ($syslogseverity-text == 'notice') ) and ( $syslogfacility-text
!= 'mail' and $syslogfacility-text != 'authpriv' and
$syslogfacility-text != 'cron' ) then ?NetworksFile
---

...it yields same results if $fromhost-ip is used instead...



approach 2:
---
/etc/rsyslog.d/servers.conf

$template Servers,/var/log/servers/%HOSTNAME%.%$DAY%%$MONTH%%$YEAR%.log
:fromhost-ip, isequal, "1.3.5.7" *.* ?Servers
& ~
:fromhost-ip, isequal, "1.3.5.9" *.* ?Servers
& ~
:fromhost-ip, isequal, "1.3.5.11" *.* ?Servers
& ~
---

Once rsyslog is reloaded the target directories are empty and everything ends up under /var/log ... which is not desired.

Are my approaches correct? is the syntax valid?? rsyslog comes up cleanly but I like to ask anyway... the "-?TemplateName" or "?TemplateName" part confuses me a bit...

Thanks!

I think you should see error messages from rsyslog in your log files (or on stderr during a restart if you have a recent build). The template text must be enclosed in quotes, so it is

$template name,"/here/comes/your/path/%hostname%"

This article may also be helpful:

http://www.rsyslog.com/doc-multi_ruleset.html

But note that ruleset binding itself is only available in the very new versions. But the "traditional approach" is also described.

"?" is just the indicator that you have a dynafile action. The dash means "do not sync the file", which is the default in recent versions and only kept for backward compatiblity. So you do not need it.

Important is the discard action "~" (now also named ":omdiscard:", as this is probably easier to grasp). You can either repeat it, or chain actions by using "&" instead of a filter in the next line. So a line "& ~" means: "discard message after the previous action has been taken - provided that the filter evaluated to true).

HTH,
Rainer

Hello Rainer,

if this configuration is correct...

Code: Select all

$template Network, "/var/log/networks/%HOSTNAME%.%$DAY%%$MONTH%%$YEAR%.log"
:fromhost-ip, isequal, "1.2.3.4" -?Network
& ~
:fromhost-ip, isequal, "1.2.3.5" -?Network
& ~
:fromhost-ip, isequal, "1.2.3.6" -?Network
& ~

...then something is wrong with dynamic file templates, filters and destinations...

Am I doing something strange or wrong? am I overseeing the obvious?

Please help!

Thanks!!

Well, it depends on where you see the problem. What is other than you expect?

I expect to get log files created dynamically for each of the defined IPs/hostnames under the defined directory...

what would be the right way to proceed?

thanks!

yes, that should work, provided that the messages are well-formed and thus hostname is properly populated (from the security point of view, it would also be wise to use one of the secpath property replacer options together with hostname). To troubleshoot, it probably is useful to create a debug log.

unfortunately it doesn't work. All the logfiles for these devices end up under /var/log and not /varl/log/networks ...

question: is this

Code: Select all

   $template Network, "/var/log/networks/%HOSTNAME%.%$DAY%%$MONTH%%$YEAR%.log"
    :fromhost-ip, isequal, "1.2.3.4" -?Network
    & ~
    :fromhost-ip, isequal, "1.2.3.5" -?Network
    & ~
    :fromhost-ip, isequal, "1.2.3.6" -?Network
    & ~

overwritten by

Code: Select all

$template DynaFile,"/var/log/%HOSTNAME%.%$YEAR%%$MONTH%%$DAY%.log"
*.* -?DynaFile

at the end of the rsyslog.conf??

Thanks!