>> This is what I've come up with.
>>
>> if $fromhost-ip == '209.216.111.114' then {
>> if $facility == 2 then { action(type="omfile" file="/var/log/maillog")
>> } else {
>> action(type="omfile" file="/var/log/maillog-other")
>> }
>>
>> but it then logged nothing after restarting successfully and produced
>> no indication of what was wrong in /var/log/messages. It also never
>> produces the /var/log/maillog-other file.
>>
>> I also tried to enable debugging in my rsyslog.conf:
>>
>> $DebugLevel 2
>> $DebugFile /var/log/rsyslog.log
>>
>> and while it produced too much output to be helpful, I did see that it
>> at least recorded that IP address.
>>
>
> Hard to tell without really seeing what is in those events that you're
> receiving and without seeing whole config.
>
> But.
>
> This form of debugging is _not_ what you need. It's for debugging the
> rsyslogd itself, not your rules. Get rid of it.
>
> As David already wrote, you want to use RSYSLOG_DebugFormat to write
> full event debug data to a file and see what properties and variables
> you have associated with the event. Watch out though because it logs
> huge amounts of data so your file will quickly grow beyond your
> expectations.
>
> So I'd go with:
>
> action(type="omfile" file="/tmp/debug.log" template="RSYSLOG_DebugFormat")

Okay, now I understand. It's produced output like:

FROMHOST: 'xavier', fromhost-ip: '127.0.0.1', HOSTNAME: 'xavier', PRI:
22,syslogtag 'postfix-117/qmgr[496743]:', programname: 'postfix-117',
APP-NAME: 'postfix-117', PROCID: '496743', MSGID: '-',TIMESTAMP: 'Jan 20
08:39:54', STRUCTURED-DATA: '-',msg: '6B1B930668306: removed' escaped
msg: '6B1B930668306: removed' inputname: imjournal rawmsg:
'6B1B930668306: removed' $!:{ "PRIORITY": "6", "_BOOT_ID":
"6ff20e0e797d45789b7c38229e26f928", "_MACHINE_ID":
"c4b32aa0d25c4a5d85432835f7c2e2ac", "_HOSTNAME": "xavier.example.com",
"_TRANSPORT": "syslog", "SYSLOG_FACILITY": "2", "_UID": "89", "_GID":
"89", "_CAP_EFFECTIVE": "0", "_SYSTEMD_CGROUP":
"\/system.slice\/postfix.service", "_SYSTEMD_UNIT": "postfix.service",
"_SYSTEMD_SLICE": "system.slice", "_SYSTEMD_INVOCATION_ID":
"dde7fdbb530148f89ad2ee01b46615ac", "_COMM": "qmgr", "_EXE":
"\/usr\/libexec\/postfix\/qmgr", "_CMDLINE": "qmgr -l -t unix -u",
"SYSLOG_IDENTIFIER": "postfix-117\/qmgr", "SYSLOG_PID": "496743",
"_PID": "496743", "SYSLOG_TIMESTAMP": "Jan 20 08:39:54 ", "MESSAGE":
"6B1B930668306: removed", "_SOURCE_REALTIME_TIMESTAMP": "1611149994883159" }

I've modified my config to the following:

if $fromhost-ip == "127.0.0.1" then {
if $syslogfacility == 2 then { action(type="omfile"
file="/var/log/maillog") }
} else {
action(type="omfile" file="/var/log/maillog-other")
}
}

It now logs only messages from the local host to /var/log/maillog, but
the maillog-other file is not logging messages from the other hosts
sending their maillogs to this server. What am I missing?

Here is my full config.

$MaxMessageSize 65536
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 10514
$InputTCPServerBindRuleset remote
$ModLoad imuxsock
$ModLoad imklog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
$SystemLogRateLimitInterval 0
:msg,contains,"LOGDROP " /var/log/iptables.log
& stop
if $programname == 'audit' then {
action(type="omfile" file="/var/log/kernel.audit.log")
# if $syslogseverity >= 4 then stop # warning
if $syslogseverity >= 5 then stop # notice
# if $syslogseverity >= 6 then stop # info
}
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$IMJournalStateFile imjournal.state
$IMJournalIgnorePreviousMessages on
kern.none /dev/console
kern.* /var/log/kern.log
*.info;kern.none;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
action(type="omfile" file="/var/log/rsyslog.log"
template="RSYSLOG_DebugFormat")
if $fromhost-ip == "127.0.0.1" then {
if $syslogfacility == 2 then { action(type="omfile"
file="/var/log/maillog") }
} else {
action(type="omfile" file="/var/log/maillog-other")
}
}
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
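
Added example (not part of the original message or of rsyslog itself): a small Python helper that reduces RSYSLOG_DebugFormat output like the record quoted above to the properties a filter rule tests, decoding PRI into facility and severity. The function name, the abbreviated first record and the constructed second record (a remote sender at 192.0.2.10) are assumptions made for illustration.

```python
import re

# First record is abbreviated from the debug output quoted in the message;
# the second record is constructed to stand in for a remote sender.
SAMPLE = """\
FROMHOST: 'xavier', fromhost-ip: '127.0.0.1', HOSTNAME: 'xavier', PRI: 22,
syslogtag 'postfix-117/qmgr[496743]:', programname: 'postfix-117',
msg: '6B1B930668306: removed' inputname: imjournal rawmsg: '6B1B930668306: removed'
FROMHOST: 'relay1', fromhost-ip: '192.0.2.10', HOSTNAME: 'relay1', PRI: 20,
syslogtag 'postfix/smtpd[1234]:', programname: 'postfix',
msg: 'connect from unknown' inputname: imtcp rawmsg: 'connect from unknown'
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def facility_name(code):
    """Map a numeric syslog facility to its conventional name."""
    if code < len(FACILITIES):
        return FACILITIES[code]
    if 16 <= code <= 23:
        return "local%d" % (code - 16)
    return str(code)


def parse_records(text):
    """Return one dict per debug record with the filter-relevant properties."""
    records = []
    flat = text.replace("\n", " ")  # records wrap across lines in the file
    for chunk in re.split(r"(?=FROMHOST: ')", flat):
        ip = re.search(r"fromhost-ip: '([^']*)'", chunk)
        pri = re.search(r"PRI:\s*(\d+)", chunk)
        if not (ip and pri):
            continue  # empty split fragment or incomplete record
        prog = re.search(r"programname: '([^']*)'", chunk)
        inp = re.search(r"inputname: (\S+)", chunk)
        fac, sev = divmod(int(pri.group(1)), 8)  # PRI = facility * 8 + severity
        records.append({
            "fromhost_ip": ip.group(1),
            "facility": facility_name(fac),
            "severity": SEVERITIES[sev],
            "programname": prog.group(1) if prog else None,
            "input": inp.group(1) if inp else None,
        })
    return records


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec)
```

Run against the real debug file, this gives one short line per event, which makes it easy to see which source address, facility and input module each message arrived with.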