MonitorWare Knowledge Base

Hello!

I`m wondering if someone have made working config file with if ... then ... else functions. I made config as following but there is two problems. First - if I add else at end rsyslogd create some weird subdirs and second - messages is not filtered by $syslogtag or this isn`t even implemented in rsyslog?

Code: Select all

if \
        ($source == 'host1' \
or \
        $source == 'host2') \
and \
        ($syslogtag != 'xinetd' \
or \
        $syslogtag != 'kernel') \
then    /var/log/log.log


Code: Select all

then    /var/log/log.log \
else    /var/log/otherlog.log


Following is startup script witch I use on RHEL5 Server for rsyslogd 3.* without klogd in case someone need -

Code: Select all

#!/bin/bash
# chkconfig: 2345 12 88
# Source function library.
. /etc/init.d/functions

RETVAL=0

start() {
        [ -x /usr/local/sbin/rsyslogd ] || exit 5

        # Source config
        if [ -f /etc/sysconfig/rsyslog ] ; then
                . /etc/sysconfig/rsyslog
        else
                SYSLOGD_OPTIONS="-c3"
        fi

        umask 077

        echo -n $"Starting system logger (rsyslog): "
        daemon rsyslogd $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        return $RETVAL
}
stop() {
        echo -n $"Shutting down system logger (rsyslog): "
        killproc rsyslogd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/rsyslog
        return $RETVAL
}
rhstatus() {
        status rsyslogd
}
restart() {
        stop
        start
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        rhstatus
        ;;
  restart|reload)
        restart
        ;;
  condrestart)
        [ -f /var/lock/subsys/rsyslog ] && restart || :
        ;;
  *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart}"
        exit 2
esac

exit $?


Hi,

the problem with else is that it is not yet implemented It's on the list and if all goes well, you'll be able to use it on 2 month or so.

This link may also be useful for you (but maybe you already know it):

http://wiki.rsyslog.com/index.php/Syskl ... _directory

The $syslogtag should be supported.

I suggest you run rsyslogd interactively with the -d -n options. It'll generate a lot of debug output. You can either post it here or mail me at rgerhards@gmail.com (but post here you did!) then I can look into the log and see what's going wrong with that property.

HTH
Rainer

OK waiting for "else" implementation then, in mean time will test 3.19

Full config:

Code: Select all

$template default,"%timegenerated% %fromhost% %syslogtag%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate default
$ModLoad imudp  # provides UDP syslog reception
$ModLoad imtcp  # provides TCP syslog reception
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imuxsock
$ModLoad immark.so
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
if \
        ($source == 'host1' \
or \
        $source == 'host2') \
and \
        ($syslogtag != 'xinetd' \
or \
        $syslogtag != 'kernel') \
then    /var/log/test/luser.log


And output from rsyslogd -n -d

http://uploadshare.org/data/1210170097.out

on 3.19 - wait for 3.19.1, released today. That will save you hassle 3.19 is really experimental, just be warned. But it is much appreciated if you try it out and report bugs

rgerhards when you have time can you please look in my $syslogtag problem. Output from rsyslogd -n -d and cfg are in previous post. Thanks!

btw is only me or some global problem - when I authenticate here from main page or forum everything disappear - side menu, main window - everything, only forum functions normally.
I tried on both Firefox and Opera.

I overlooked the uploadshare link. But now when I try to access it, it always times out...

I`ll send you output to email then and everything is working now here when I authenticate.

Sorry for the sluggish response, there is currently so much going on (but it is getting better ). I have looked at the debug output, but unfortunately I trimmed it too much so that it is not really useful to analyze this problem (at least not it alone).

I would like to see what the parser extracts as the syslogtag field. So I would appreciate if you could use this template in your rsyslog.conf:

Code: Select all

$template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"
*.* /path/to/file;DEBUG


Note that the $template statement is all on one line. If that still doesn't lead us to a clue, I need to create a specially instrumented version for you.

Rainer

Thanks for the files (received via mail). The problem was always right in front of me, but I didn't notice. Have a look at your rules. They say: if ... ($syslogtag != 'xinetd' or $syslogtag != 'kernel'). I guess this is not what you really intended to say. Because this always evaluates to true If syslogtag is 'xinetd' then it is not kernel and vice versa Did you mean to place an "and" instead of the "or"?

Rainer

You got me confused. I think my config is right but I`ll explain what I want to achieve and maybe you could help me out.
So I have many boxes and from few of those boxes I want separate few syslogtags but every thing else from those few boxes I want to log to default file with all the other boxes thats why logical operand else would be really useful for me. I don`t know if it helps but I`ll try to write down some simple schema of logical steps for my config:
if (host1 or host2 [one must be true to return true]) and (syslogtag1 or syslogtag2 [one must be true to return true]) [both must be true to return true] then write file1 else [one or both not true] write file2

I hope someone can understand what I`m saying

sandiso wrote:So I have many boxes and from few of those boxes I want separate few syslogtags but every thing else from those few boxes I want to log to default file with all the other boxes thats why logical operand else would be really useful for me.

I have to admit that I do not understand this sentence

But the rest looks like you want to do

Code: Select all

if
        ($source == 'host1' \
or \
        $source == 'host2') \
and \
        ($syslogtag == 'xinetd' \
or \
        $syslogtag == 'kernel')


Note that I have changed the != to ==. With !=, the expression is always true, e.g. syslogtag is "kernel. Then we have $syslogtag != "xinetd or $syslogtag != 'kernel', which evaluates to 1 (because it is not xinetd) and 0 (because it is kernel). So you have 1 or 0, which leads us to 1. If the tag is "xinetd", it leads to 0 or 1 for the same reasons and thus to 1. If it is neither of the two, it leads to 1 or 1, which also is an overall 1. The only case where is could lead to an overall 0 is when syslogtag is BOTH "xinetd" and "kernel" at the same time - which is highly improbable

HTH
Rainer

I've re-read the whole thread. I think I now got it. Else is just a shortcut for not. So you probably want to do this here:

Code: Select all

if      ($source == 'host1' or  $source == 'host2') \
  and ($syslogtag == 'xinetd' or $syslogtag == 'kernel') \
  then /path/to/wherever

# and now the else case
if not(  ($source == 'host1' or  $source == 'host2') \
         and ($syslogtag == 'xinetd' or $syslogtag == 'kernel')  ) \
  then /path/to/wherever-else


Does that help?

Rainer