Hi,
>>>
>>>> you can't modify any existing tags once the log is received, but you
>>>> could
>>>> change the sender to put a tag in the right place so that it will get
>>>> parsed by the central server as one of those tags.
>>>>
>>>>
>>> That's exactly what I am trying to do. Creating a tag from sender. I can
>>> create a template and put the text I want but I can't find through the
>>> docs
>>> how to extract this as a tag.
>>>
>>> I have something like this in my client: $template lala,"%syslogtag%
>>> HOST_ID %msg%"
>>>
>>> My problem is I would like to parse this HOST_ID as a tag but I couldn't
>>> find how so I am using a regular expression on the server to do this.
>>> This
>>> HOST_ID is always 01-(+7 alphanumeric characters).
>>>
>>> $Template Dyn_messages,
>>> "/var/log/%msg:R,ERE,0,DFLT:**01\-[0-9A-Z]{7}--end%/**messages"
>>>
>>> and I would like to replace for something like
>>>
>>> $Template Dyn_messages, "/var/log/%HOST_ID%/messages"
>>>
>>
>> right now you have two choices.
>>
>> 1. put the HOST_ID in place of the servername in your template so that it
>> gets parsed as %hostname%
>>
>
> Correct me if I am wrong. Do you mean I should change something like (in
> the client):
>
> $template hostID,"%TIMESTAMP% *%HOSTNAME%* %syslogtag%
> %syslogfacility-text% %syslogseverity% %msg%\n"
>
> to
>
> $template hostID,"%TIMESTAMP% *01-1V8IMU1* %syslogtag%
> %syslogfacility-text% %syslogseverity% %msg%\n" ?
>
> ...
>
> *.* :omrelp:127.0.0.1:20500;hostID
>
>
> and then, in the server, I will be able to replace the regular expression
>
> $Template Dyn_messages,
> "/var/log//xavi/%msg:R,ERE,0,DFLT:01\-[0-9A-Z]{7}--end%/messages"
>
> for
>
> $Template Dyn_messages, "/var/log/xavi/%HOSTNAME%/messages" ?
>
> I don't understand how rsyslog from server knows %HOSTNAME% is the tag I
> hardcoded in the client template.
>
> I might be missing something...
>
> Thanks,
> Xavi
>
>
Should be the solution something like this?
CLIENT:
$template hostID,"%TIMESTAMP% *HOST_ID=01-1V8IMU1* %syslogtag%
%syslogfacility-text% %syslogseverity% %msg%\n" ?
SERVER: write a rule like :msg contains HOST_ID .... ?
Thanks,
Xavi
>
>
>
>
>
>> 2. use version 6 with either the project lumberjack parsing of JSON
>> messages or the mmnormalize module to create custom tags.
>>
>>
>> how many different types of tags are you talking about here? is it a
>>>> handful (where you could create specific rules for each tag)? or are
>>>> there
>>>> a lot (where you really need to use the dynafile to create all the
>>>> destination directories)
>>>>
>>>>
>>> There will be a lot. This is a project for launching nodes in the cloud.
>>>
>>
>> In that case, you probably want to go with the version 6.3+ stuff that
>> lets you create custom tags by either parsing JSON formatted messages or
>> with the mmnormalize module
>>
>> David Lang
>>
>> Thanks a lot,
>>> Xavi
>>>
>>>
>>>
>>>> David Lang
>>>>
>>>> On Thu, 17 May 2012, Xavier Fustero wrote:
>>>>
>>>> Date: Thu, 17 May 2012 09:52:38 +0200
>>>>
>>>>> From: Xavier Fustero <[email protected]>
>>>>> Reply-To: rsyslog-users <[email protected]>
>>>>> To: [email protected]
>>>>> Subject: [rsyslog] Replacing regular expression for particular tag
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I want to ask what would be the best way to implement the following. I
>>>>> have
>>>>> a several nodes identified with a particular ID (e.g: 01-9291212,
>>>>> 01-823HHK1). Those servers send their logs to a central rsyslog server
>>>>> (RELP + stunnel). I want to create a directory entry on the server with
>>>>> this ID name. Like rsyslog-server:/var/logs/01-****9291212,
>>>>>
>>>>> /var/logs/01-823HHK1 and so on.
>>>>>
>>>>> My first attempt was to create a template on the client side and add
>>>>> this
>>>>> ID manually
>>>>>
>>>>> $template ID,"%TIMESTAMP% %HOSTNAME% %syslogtag% %syslogfacility-text%
>>>>> %syslogseverity-text% *ID: 01-XXXXXXX* %syslogtag% %msg%\n
>>>>>
>>>>> *.* :omrelp:127.0.0.1:port_number;****ID
>>>>>
>>>>>
>>>>> On the server side, I have created a regular expression to match a
>>>>> string
>>>>> like 01-([0-9A-Za-a]{7} (my ID's format) and created dynamic templates
>>>>> for
>>>>> each particular log: messages, maillog, cron, secure, etc.
>>>>>
>>>>> E.g.: $Template Dyn_messages,
>>>>> "/var/log/%msg:R,ERE,0,DFLT:****01\-[0-9A-Z]{7}--end%/****messages"
>>>>> $template
>>>>> Dyn_cron,"/var/log/%msg:R,ERE,****0,DFLT:01\-[0-9A-Z]{7}--end%**
>>>>> /**cron"
>>>>>
>>>>> ...
>>>>>
>>>>> I have a sequence of if/else where depending on facilities it sends to
>>>>> one
>>>>> or another dynamic template. However, I would like to replace regular
>>>>> expression for something like a %my_particular_tag%. I can't see the
>>>>> way I
>>>>> can create this particular tag. They seem to be hardcoded. I also try
>>>>> to
>>>>> modify property names (hostname,syslogtag,etc) and replace it for a
>>>>> completely new name (my ID) but I can't find how to do this.
>>>>> %propname:fromChar:toChar:****options:fieldname% doesn't seem to allow
>>>>>
>>>>> this.
>>>>>
>>>>> I would like to get ridd off regular expressions. They have an impact
>>>>> in
>>>>> performance and complicate my templates on the server side. They also
>>>>> created the directory **NO MATCH** which I would like to avoid. Using
>>>>> tags, templates on server side would be something like:
>>>>>
>>>>> $Template Dyn_messages, "/var/log/%mytag%/messages"
>>>>> ...
>>>>>
>>>>> Does anybody know how to do this?
>>>>>
>>>>> Thanks in advance,
>>>>> Xavi
>>>>> ______________________________****_________________
>>>>> rsyslog mailing list
>>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog<http://lists.adiscon.net/**mailman/listinfo/rsyslog>
>>>>> <http:**//lists.adiscon.net/mailman/**listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>>>>> >
>>>>> http://www.rsyslog.com/****professional-services/<http://www.rsyslog.com/**professional-services/>
>>>>> <http://**www.rsyslog.com/professional-**services/<http://www.rsyslog.com/professional-services/>
>>>>> >
>>>>>
>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>
>>>>> ______________________________****_________________
>>>>>
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog<http://lists.adiscon.net/**mailman/listinfo/rsyslog>
>>>> <http:**//lists.adiscon.net/mailman/**listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>>>> >
>>>> http://www.rsyslog.com/****professional-services/<http://www.rsyslog.com/**professional-services/>
>>>> <http://**www.rsyslog.com/professional-**services/<http://www.rsyslog.com/professional-services/>
>>>> >
>>>>
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>
>>>> ______________________________**_________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>
>>> ______________________________**_________________
>> rsyslog mailing list
>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>
>
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
