How to use Set Status Action?

Forum for the RSyslog Windows Agent. Here you can ask all questions regarding installation, configuration or occuring problems.

Moderator: rgerhards

Google Ads


How to use Set Status Action?

Postby rjcuk » Tue Oct 06, 2015 5:00 pm

Hello,

I have Rsyslog Windows Agent and using the Client Configuration (not Legacy) v3.1.0.213

I'm trying to use the Set Status action, by specifying a custom name e.g. custom_facility, and then setting a value. I'm then trying to compare these values later and use them in rules further down e.g. Syslog Forward, however they are returned as empty strings. What I am doing wrong?

I tried explicitly putting percents before and after the status name in its Set Status dialog, and I am correct using %custom_facility% as a Custom property eval and as text to print in the message being sent, but still the strings are empty.

Instead I am having to use Set Property, which works okay, however, matching on fields like syslogpriority does not seem to be working properly after customising it (this issue may go away if I can figure out how to use the status properties). So I know these rules are being triggered because they are picking up on the vars.

Many thanks for reading,

Robert
rjcuk
New
 
Posts: 9
Joined: Tue Oct 06, 2015 4:51 pm

Re: How to use Set Status Action?

Postby alorbach » Tue Oct 13, 2015 1:12 pm

I think the manual is not clear enough on how status variables work. They work not as properties but like global variables which persist between Events and can be used for comparison or calculation.

Properties on the other hand are only valid for the current Event.

Regarding the matching problem, could you explain what problem you are experiencing exactly? Perhaps sending an export of your configuration could be helpful.

You tried to filter against the "syslogpriority" property? Note that this property contains a number, perhaps filtering against "syslogpriority_text" may work better in your case?
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: How to use Set Status Action?

Postby rjcuk » Wed Oct 21, 2015 12:13 pm

Thanks for your reply,

The issue is, say for example, I have:
1. rule 1 - filter to match all events (just replace the AND with a TRUE), and an action to set a new status variable and value, e.g. 'custom_priority' with a number or text.
2. rule 2 - add an extended number property to a filter, for 'custom_priority' > e.g. 38. Or a normal non-number one with the text containing a string, set to the same string you had in the set status rule. add an action for this rule that you can identify after triggering e.g. forward syslog.

I find that rule 2 never matches. If I add a syslog forward rule, with a custom message or header, containing %custom_priority% in the actual header or message, then the text that was set in the Set Status action just is a blank string - it doesn't output anything for that variable. So I am thinking that the Set Status was never actually set at all.

Thanks for clarifying on the global variable part, i.e. they persist between events. Can I ask however, is the processing for rules done one event at a time, or are multiple done simultaneously? I was thinking that I could add a rule to reset the status variable at the start of the ruleset to a defined number.

As for the syslogpriority issue, it just seemed I wasn't patient enough in my syslog server catching up with the change to the configuration I made after applying it - it seems to work now. I wouldn't be able to use the syslogpriority_text, as it is automatically generated as the manual says, and I need to set a numerical value of a property/variable - I'm not using standard syslog priority text or numbers but keeping in the boundary of 30 - 50.

Sorry for the long message - I'm not able to provide you with my config file as it's on an isolated network and I can't get the files declassified.
rjcuk
New
 
Posts: 9
Joined: Tue Oct 06, 2015 4:51 pm

Re: How to use Set Status Action?

Postby alorbach » Thu Oct 22, 2015 7:00 am

It's currently not possible to print a status variable as a property, that's why they variable turns out blank in your custom message.
RuleSets/Rules/Actions are processed for each Event and Properties are bound to the current event only. Depending on the configured amount of workerthreads, they can be processed parallel. So if you set the workerthread count in "General->Queue Manager" to 1, it should to reset the status variable at the top of all Rules. Otherwise the status variable might get resetted while another event is being processed.

If you already have a license, you may contact support@adiscon.com for further help.

best regards,
Andre
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: How to use Set Status Action?

Postby rjcuk » Thu Oct 22, 2015 4:55 pm

Ah yes that makes sense! I didn't realise the status variables can't be printed, and only event properties can. Maybe the manual will need a slight update to make that a bit clearer about which filters and actions they do and don't work for.

Thanks for clarifying on the parallel bit too, that is good to know that there would be a way to use it and make it single threaded. I'm happy to use manually-edited event properties for the meantime but I'll contact the email you provided if I do hit further issues - I do have 2 licences (C** ** **D) which I'm using with the product so I'll let you know if I need any more help, thanks Andre.
rjcuk
New
 
Posts: 9
Joined: Tue Oct 06, 2015 4:51 pm

Google Ads



Return to Windows Agent

Who is online

Users browsing this forum: No registered users and 0 guests

cron