API tools faq
paste
catkin

For rsyslog mailing list

catkin
Jul 8th, 2016
95
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.97 KB | None | 0 0
raw download clone embed print report
  1. Hello rsyslog mailing list :-)
  2.  
  3. The requirement is to re-format messages, replacing the FQDN with its first two elements (we have rsyslog clients with non-unique bare hostnames).
  4.  
  5. The clients are configured with "$PreserveFQDN on" so messages are received with FQDNs.
  6.  
  7. Here's what I tried. Sorry about any line breaks; the string= is on a single line as is the action(..)
  8.  
  9. template(name="MyMsgFormat" type="string"
  10. string="%TIMESTAMP:::date-rfc3339% %HOSTNAME:R:^[^.]*\.[^.]*:% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
  11. )
  12. ruleset(name="imudp"){
  13. action(type="omfile" dynaFile="PerHostPerDay" template="MyMsgFormat")
  14. }
  15. input(type="imudp" port="514" ruleset="imudp")
  16.  
  17. That resulted in error messages in the debug output:
  18.  
  19. Reading a token: 2722.117089031:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 63: invalid character '"' in object definition - is there an invalid escape sequence somewhere?
  20. rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 63: invalid character '"' in object definition - is there an invalid escape sequence somewhere? [v8.16.0 try http://www.rsyslog.com/e/2207 ]
  21. 2722.117139352:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 63: invalid character '%' in object definition - is there an invalid escape sequence somewhere?
  22. rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 63: invalid character '%' in object definition - is there an invalid escape sequence somewhere? [v8.16.0 try http://www.rsyslog.com/e/2207 ]
  23. Next token is token NAME ()
  24. 2722.117155913:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 63: syntax error on token 'TIMESTAMP'
  25. rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 63: syntax error on token 'TIMESTAMP' [v8.16.0 try http://www.rsyslog.com/e/2207 ]
  26. Error: popping token '=' ()
  27.  
  28. I was not enlightened by http://www.rsyslog.com/e/2207
  29.  
  30. So I tried escaping the backslash: %HOSTNAME:R:^[^.]*\\.[^.]*:%
  31.  
  32. That resulted in different error messages in the debug output:
  33.  
  34. 1264.332444913:main thread : ruleset 'imudp' before optimization:
  35. 1264.332452525:main thread : ruleset 0x7fb8bc7a7c40: rsyslog ruleset imudp:
  36. 1264.332497162:main thread : NOP
  37. 1264.332504396:main thread : ruleset 0x7fb8bc7a7c40: ruleset imudp assigned parser list:
  38. 1264.332511511:main thread : optimizer error: we see a NOP, how come?
  39. 1264.332518265:main thread : ruleset 'imudp' after optimization:
  40. 1264.332524963:main thread : ruleset 0x7fb8bc7a7c40: rsyslog ruleset imudp:
  41. 1264.332570840:main thread : NOP
  42. 1264.332578172:main thread : ruleset 0x7fb8bc7a7c40: ruleset imudp assigned parser list:
  43. 1264.332585253:main thread : ruleset optimization phase finished
  44.  
  45. The framework is OK because %HOSTNAME:1:5:% does change messages' FQDNs to their first 5 characters.
  46.  
  47. What to do?
  48.  
  49. Best
  50.  
  51. Charles
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!