On Thu, 24 May 2012, Xavier Fustero wrote:
Hi,
you can't modify any existing tags once the log is received, but you
could
change the sender to put a tag in the right place so that it will get
parsed by the central server as one of those tags.
That's exactly what I am trying to do. Creating a tag from sender. I can
create a template and put the text I want but I can't find through the
docs
how to extract this as a tag.
I have something like this in my client: $template lala,"%syslogtag%
HOST_ID %msg%"
My problem is I would like to parse this HOST_ID as a tag but I couldn't
find how so I am using a regular expression on the server to do this.
This
HOST_ID is always 01-(+7 alphanumeric characters).
$Template Dyn_messages,
"/var/log/%msg:R,ERE,0,DFLT:**01\-[0-9A-Z]{7}--end%/**messages"
and I would like to replace for something like
$Template Dyn_messages, "/var/log/%HOST_ID%/messages"
right now you have two choices.
1. put the HOST_ID in place of the servername in your template so that it
gets parsed as %hostname%
Correct me if I am wrong. Do you mean I should change something like (in
the client):
$template hostID,"%TIMESTAMP% *%HOSTNAME%* %syslogtag%
%syslogfacility-text% %syslogseverity% %msg%\n"
to
$template hostID,"%TIMESTAMP% *01-1V8IMU1* %syslogtag%
%syslogfacility-text% %syslogseverity% %msg%\n" ?
...
*.* :omrelp:127.0.0.1:20500;hostID
and then, in the server, I will be able to replace the regular expression
$Template Dyn_messages,
"/var/log//xavi/%msg:R,ERE,0,DFLT:01\-[0-9A-Z]{7}--end%/messages"
for
$Template Dyn_messages, "/var/log/xavi/%HOSTNAME%/messages" ?
I don't understand how rsyslog from server knows %HOSTNAME% is the tag I
hardcoded in the client template.
I might be missing something...
Thanks,
Xavi
Should be the solution something like this?
CLIENT:
$template hostID,"%TIMESTAMP% *HOST_ID=01-1V8IMU1* %syslogtag%
%syslogfacility-text% %syslogseverity% %msg%\n" ?
SERVER: write a rule like :msg contains HOST_ID .... ?
no, this isn't the way to do it.
you are using characters in the hostname field that are not valid there (=
and possibly _) so this would be generating malformed messages.
I think that the current rsyslog message parser would put that in the
message on the server, but given that it's only trying to do it's best to
deal with something that's not formatted properly, this isn't a good thing
to rely on (some future version may deal with it in a slightly different
way, and since what you are sending isn't valid by any definition, there's
no way to have it tested)
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
