HI, Inline ...
On 23 May 2012 20:41, <[email protected]> wrote: > On Wed, 23 May 2012, Xavier Fustero wrote: > > Hi, >> >> On 17 May 2012 22:50, <[email protected]> wrote: >> >> There are some new features in version 6 that will allow you to create >>> your own tags (either the liblognorm stuff or the project lumberjack >>> stuff) >>> >>> >> thanks. I will check if it makes sense for us to move to version 6. >> >> >> >> >>> you can't modify any existing tags once the log is received, but you >>> could >>> change the sender to put a tag in the right place so that it will get >>> parsed by the central server as one of those tags. >>> >>> >> That's exactly what I am trying to do. Creating a tag from sender. I can >> create a template and put the text I want but I can't find through the >> docs >> how to extract this as a tag. >> >> I have something like this in my client: $template lala,"%syslogtag% >> HOST_ID %msg%" >> >> My problem is I would like to parse this HOST_ID as a tag but I couldn't >> find how so I am using a regular expression on the server to do this. >> This >> HOST_ID is always 01-(+7 alphanumeric characters). >> >> $Template Dyn_messages, >> "/var/log/%msg:R,ERE,0,DFLT:**01\-[0-9A-Z]{7}--end%/**messages" >> >> and I would like to replace for something like >> >> $Template Dyn_messages, "/var/log/%HOST_ID%/messages" >> > > right now you have two choices. > > 1. put the HOST_ID in place of the servername in your template so that it > gets parsed as %hostname% > Correct me if I am wrong. Do you mean I should change something like (in the client): $template hostID,"%TIMESTAMP% *%HOSTNAME%* %syslogtag% %syslogfacility-text% %syslogseverity% %msg%\n" to $template hostID,"%TIMESTAMP% *01-1V8IMU1* %syslogtag% %syslogfacility-text% %syslogseverity% %msg%\n" ? ... *.* :omrelp:127.0.0.1:20500;hostID and then, in the server, I will be able to replace the regular expression $Template Dyn_messages, "/var/log//xavi/%msg:R,ERE,0,DFLT:01\-[0-9A-Z]{7}--end%/messages" for $Template Dyn_messages, "/var/log/xavi/%HOSTNAME%/messages" ? I don't understand how rsyslog from server knows %HOSTNAME% is the tag I hardcoded in the client template. I might be missing something... Thanks, Xavi > 2. use version 6 with either the project lumberjack parsing of JSON > messages or the mmnormalize module to create custom tags. > > > how many different types of tags are you talking about here? is it a >>> handful (where you could create specific rules for each tag)? or are >>> there >>> a lot (where you really need to use the dynafile to create all the >>> destination directories) >>> >>> >> There will be a lot. This is a project for launching nodes in the cloud. >> > > In that case, you probably want to go with the version 6.3+ stuff that > lets you create custom tags by either parsing JSON formatted messages or > with the mmnormalize module > > David Lang > > Thanks a lot, >> Xavi >> >> >> >>> David Lang >>> >>> On Thu, 17 May 2012, Xavier Fustero wrote: >>> >>> Date: Thu, 17 May 2012 09:52:38 +0200 >>> >>>> From: Xavier Fustero <[email protected]> >>>> Reply-To: rsyslog-users <[email protected]> >>>> To: [email protected] >>>> Subject: [rsyslog] Replacing regular expression for particular tag >>>> >>>> >>>> Hi, >>>> >>>> I want to ask what would be the best way to implement the following. I >>>> have >>>> a several nodes identified with a particular ID (e.g: 01-9291212, >>>> 01-823HHK1). Those servers send their logs to a central rsyslog server >>>> (RELP + stunnel). I want to create a directory entry on the server with >>>> this ID name. Like rsyslog-server:/var/logs/01-****9291212, >>>> >>>> /var/logs/01-823HHK1 and so on. >>>> >>>> My first attempt was to create a template on the client side and add >>>> this >>>> ID manually >>>> >>>> $template ID,"%TIMESTAMP% %HOSTNAME% %syslogtag% %syslogfacility-text% >>>> %syslogseverity-text% *ID: 01-XXXXXXX* %syslogtag% %msg%\n >>>> >>>> *.* :omrelp:127.0.0.1:port_number;****ID >>>> >>>> >>>> On the server side, I have created a regular expression to match a >>>> string >>>> like 01-([0-9A-Za-a]{7} (my ID's format) and created dynamic templates >>>> for >>>> each particular log: messages, maillog, cron, secure, etc. >>>> >>>> E.g.: $Template Dyn_messages, >>>> "/var/log/%msg:R,ERE,0,DFLT:****01\-[0-9A-Z]{7}--end%/****messages" >>>> $template >>>> Dyn_cron,"/var/log/%msg:R,ERE,****0,DFLT:01\-[0-9A-Z]{7}--end%** >>>> /**cron" >>>> >>>> ... >>>> >>>> I have a sequence of if/else where depending on facilities it sends to >>>> one >>>> or another dynamic template. However, I would like to replace regular >>>> expression for something like a %my_particular_tag%. I can't see the >>>> way I >>>> can create this particular tag. They seem to be hardcoded. I also try to >>>> modify property names (hostname,syslogtag,etc) and replace it for a >>>> completely new name (my ID) but I can't find how to do this. >>>> %propname:fromChar:toChar:****options:fieldname% doesn't seem to allow >>>> >>>> this. >>>> >>>> I would like to get ridd off regular expressions. They have an impact in >>>> performance and complicate my templates on the server side. They also >>>> created the directory **NO MATCH** which I would like to avoid. Using >>>> tags, templates on server side would be something like: >>>> >>>> $Template Dyn_messages, "/var/log/%mytag%/messages" >>>> ... >>>> >>>> Does anybody know how to do this? >>>> >>>> Thanks in advance, >>>> Xavi >>>> ______________________________****_________________ >>>> rsyslog mailing list >>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog<http://lists.adiscon.net/**mailman/listinfo/rsyslog> >>>> <http:**//lists.adiscon.net/mailman/**listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >>>> > >>>> http://www.rsyslog.com/****professional-services/<http://www.rsyslog.com/**professional-services/> >>>> <http://**www.rsyslog.com/professional-**services/<http://www.rsyslog.com/professional-services/> >>>> > >>>> >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>>> >>>> ______________________________****_________________ >>>> >>> rsyslog mailing list >>> http://lists.adiscon.net/****mailman/listinfo/rsyslog<http://lists.adiscon.net/**mailman/listinfo/rsyslog> >>> <http:**//lists.adiscon.net/mailman/**listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >>> > >>> http://www.rsyslog.com/****professional-services/<http://www.rsyslog.com/**professional-services/> >>> <http://**www.rsyslog.com/professional-**services/<http://www.rsyslog.com/professional-services/> >>> > >>> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> >>> ______________________________**_________________ >> rsyslog mailing list >> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> >> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> >> ______________________________**_________________ > rsyslog mailing list > http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog> > http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/> > What's up with rsyslog? Follow https://twitter.com/rgerhards > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards
