On Tue, 24 Apr 2012, Steven Willis wrote:
I'm having some trouble with templates and remote logging. When I add this to my conf:$template myFormat,"%timereported% hostname:{%hostname%} rawmsg:{%rawmsg%}\n" :msg,contains,"hadoop" :omrelp:kaptain:20514;myFormat & ~ Then I created a test log message with: $ logger -p daemon.info -t DataNode "hadoop hi" The message gets to the remote host, but the output in /var/log/syslog on that host is: Apr 24 15:59:22 172.29.208.56 hostname: {SWILLIS-E6320} rawmsg:{<30>Apr 24 15:59:22 DataNode: hadoop hi} Somehow, "hostname:" in my template is replaced with "172.29.208.56 hostname: ". I then tried the following in my conf: $template myFormat,"%timereported% hostname:{%hostname%} rawmsg:{%rawmsg%}\n" $template myFormat2,"%timereported% hostname{%hostname%} rawmsg:{%rawmsg%}\n" :msg,contains,"hadoop" :omrelp:kaptain:20514;myFormat :msg,contains,"hadoop" :omrelp:kaptain:20514;myFormat2 & ~ And the output in syslog is then: Apr 24 16:38:19 172.29.208.56 hostname: {SWILLIS-E6320} rawmsg:{<30>Apr 24 16:38:19 DataNode: hadoop hi} Apr 24 16:38:19 hostname{SWILLIS-E6320} rawmsg: {<30>Apr 24 16:38:19 DataNode: hadoop hi} So there seems to be a bug with having "hostname:" in the format, that isn't brought out with just "hostname".
I think you are forgetting about the format that the remote host is configured to log to disk with.
If it is logging with the traditional file format, what you show as being in the log would be correct.
remember that each instance of rsyslog has it's own templates for logs, you can't just change the template on the first system and expect systems downstream to use it.
David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards
