Hi,
I want to ask what would be the best way to implement the following. I have
a several nodes identified with a particular ID (e.g: 01-9291212,
01-823HHK1). Those servers send their logs to a central rsyslog server
(RELP + stunnel). I want to create a directory entry on the server with
this ID name. Like rsyslog-server:/var/logs/01-9291212,
/var/logs/01-823HHK1 and so on.
My first attempt was to create a template on the client side and add this
ID manually
$template ID,"%TIMESTAMP% %HOSTNAME% %syslogtag% %syslogfacility-text%
%syslogseverity-text% *ID: 01-XXXXXXX* %syslogtag% %msg%\n
*.* :omrelp:127.0.0.1:port_number;ID
On the server side, I have created a regular expression to match a string
like 01-([0-9A-Za-a]{7} (my ID's format) and created dynamic templates for
each particular log: messages, maillog, cron, secure, etc.
E.g.: $Template Dyn_messages,
"/var/log/%msg:R,ERE,0,DFLT:01\-[0-9A-Z]{7}--end%/messages"
$template
Dyn_cron,"/var/log/%msg:R,ERE,0,DFLT:01\-[0-9A-Z]{7}--end%/cron"
...
I have a sequence of if/else where depending on facilities it sends to one
or another dynamic template. However, I would like to replace regular
expression for something like a %my_particular_tag%. I can't see the way I
can create this particular tag. They seem to be hardcoded. I also try to
modify property names (hostname,syslogtag,etc) and replace it for a
completely new name (my ID) but I can't find how to do this.
%propname:fromChar:toChar:options:fieldname% doesn't seem to allow this.
I would like to get ridd off regular expressions. They have an impact in
performance and complicate my templates on the server side. They also
created the directory **NO MATCH** which I would like to avoid. Using
tags, templates on server side would be something like:
$Template Dyn_messages, "/var/log/%mytag%/messages"
...
Does anybody know how to do this?
Thanks in advance,
Xavi
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
