RSYSLOG_DebugFormat with template / action

Postby alx » Thu Feb 15, 2018 11:51 am

Hi all,

I collect any logs, but with one model I have a problem.

According to the rsyslog documentation, the possible log formats are:

A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
A template that tells you a little more about the message:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%, %syslogtag%,%msg%\n"
A template for RFC 3164 format:
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
A template for the format traditionally used for user messages:
$template usermsg," XXXX%syslogtag%%msg%\n\r"
And a template with the traditional wall-message format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%
A template that can be used for the database write (please note the SQL template option):
$template MySQLInsert,"insert iut, message, receivedat values ('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%') into systemevents\r\n", SQL


Here I have this log:

Code:
2018-02-15T08:41:50+01:00 [b]2018 [/b]<Hostname> %%10MSTP/1/PFWD(t):   Trap <OID>: Instance 0's Port 0.9437186 has been set to forwarding state!


I've tried with success to forward to the right file using the local facility.
But I want to forward to the file using a hostname regex.

First question:

Code:
template(name="template4" type="string" string="/logs/%$YEAR%/%$MONTH%/%HOSTNAME%/T4-%HOSTNAME%-%FROMHOST-IP%.log")

if $syslogfacility-text == 'local7' then {
                action(type="omfile" dynaFile="template4") stop }


With this configuration, how do I use RSYSLOG_DebugFormat?
Indeed, I know this use case:

Code:
*.* /var/log/filename;RSYSLOG_DebugFormat


But I am trying to use the debug format with the other quoted configuration.

Second question:

Does a parameter exist to switch the log fields automatically to get traditional syslog output?

Note:

I have another rule which filters the log by syslogtag regex (in this case, the hostname value) with the configuration:

Code:
:syslogtag, regex, "AX[a-zA-Z0-9]+\-[0-9]+\-[0-9]+" {
                action(type="omfile" dynaFile="template3") stop }


I see two issues:
- Hostname is not the syslogtag field, and in this case I want to use RSYSLOG_DebugFormat to identify this;
- The rule does not match: I tried this regex with Python and Perl, and the tests succeeded (the pattern matched).

And last question:

How can I manually change the log fields to get the specific field order I want?

Example:

- Raw log:

Code:
2018-02-15T08:41:50+01:00 [b]2018 [/b]<Hostname> %%10MSTP/1/PFWD(t):   Trap <OID>: Instance 0's Port 0.9437186 has been set to forwarding state!


- Wanted log format:

Code:
2018-02-15T08:41:50+01:00 [u]<Hostname>[/u] [b]2018 [/b]%%10MSTP/1/PFWD(t):   Trap <OID>: Instance 0's Port 0.9437186 has been set to forwarding state!


Thanks all!
alx
New
 
Posts: 1
Joined: Wed Feb 14, 2018 4:04 pm
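
One way to configure what the post asks about, as an added example that is not part of the original post or the rsyslog project's own configuration. The template name "reordered" is hypothetical, "template3" is referenced by the post but not shown there, and the field mapping assumes rsyslog parsed "2018" as the hostname and the real host name as the syslogtag, as the raw log suggests.

```conf
# Added example, not from the original post.

# Dynamic file name, copied from the post's template4.
template(name="template4" type="string"
         string="/logs/%$YEAR%/%$MONTH%/%HOSTNAME%/T4-%HOSTNAME%-%FROMHOST-IP%.log")

# Hypothetical output template that sets the field order by hand.
# ASSUMPTION: the device writes the year after the timestamp, so the
# parser put "2018" in HOSTNAME and the real host name in syslogtag.
# Swapping the two gives the "wanted" line from the post.
template(name="reordered" type="string"
         string="%TIMESTAMP:::date-rfc3339% %syslogtag% %HOSTNAME%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# A property filter with "regex" uses POSIX BRE, where a bare "+" is a
# literal plus sign, so a pattern that matches in Python or Perl can
# fail here. re_match() in RainerScript uses POSIX ERE, where "+" is a
# quantifier ("ereregex" is the property-filter equivalent).
if re_match($syslogtag, "AX[a-zA-Z0-9]+-[0-9]+-[0-9]+") then {
    # template3 is the dynaFile template named in the post (not shown there).
    action(type="omfile" dynaFile="template3" template="reordered")
    stop
}

# The output format of an action() is chosen with its "template"
# parameter; dynaFile only selects the file name. While debugging, the
# built-in RSYSLOG_DebugFormat dumps every parsed property, which shows
# which field the host name actually landed in.
if $syslogfacility-text == 'local7' then {
    action(type="omfile" dynaFile="template4" template="RSYSLOG_DebugFormat")
    stop
}
```

Running `rsyslogd -N1` checks the configuration syntax before the service is restarted.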
