Hi Radu, thanks for replying.
Option 1 doesn't suitable for me as the strings will have different length. Regarding option 2 (regular expressions) I tested it and I could use it to create dynamic files like I am doing currently using msg:F,58:1. However, I can't see how to use it to remove *mydirectory* string from the original message sent by my clients and write this modified message to the log file. Option 3 I should upgrade my current rsyslog version. It is planned in very close future sprints. Looked at it quickly but not sure 100% if it enables me to do this. I have read that version 7 offers structured logs. Does anyone know if this enables you to remove some pieces of the original message like the one I want to? If so, is there any good example? Thanks a log, Xavi On 14 January 2013 22:05, Radu Gheorghe <[email protected]> wrote: > Hi Xavier, > > I see 3 possible options here: > 1. Use FromChar from Property Replacer: > http://www.rsyslog.com/doc/property_replacer.html > > But this assumes that your "mydirectory" string has a fixed length, > otherwise your messages would be cut unevenly. > > 2. Use regular expressions (same Property Replacer link should give an > idea) > > Besides it being slow, I'm not sure if it will actually work. AFAIK > rsyslog's regexps don't get the lazy (?) quantifier. > > 3. Use mmnormalize to parse your logs and print out the fields you need. I > haven't used this myself but I think it should work. Here are some > resources: > http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/ > http://www.liblognorm.com/help/creating-a-rulebase/ > > Best regards, > Radu > > > 2013/1/14 Xavier Fustero <[email protected]> > > > Hi all, > > > > I would like to ask if anyone can help me on getting this fixed. > > > > I have several clients sending logs to a central rsyslog server. These > > clients add a tag called *mydirectory* which is different according the > > client. Later on the server extracts this tag to create a dynamic log > file > > on its side. > > > > Client: > > $template GroupApp,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% > > %syslogtag% > > *mydirectory*:%msg%\n" > > local0,local1.* :omrelp:*rsyslog_server*:*myport*;GroupApp > > > > Server: > > # Dynamic template for groupping applications under its mydirectory > > $template Dyn_AppLogs, "/my_logs/%msg:F,58:1:%/%APP-NAME%.log" > > > > This %msg:F,58:1:% seems to be working fine and I get the expected > > directories created like: > > > > /my_logs/mydirectory1/lala.log > > /my_logs/mydirectory2/lele.log > > > > My problem is that I also log mydirectory1,2 in the logs. It is not a big > > deal but I would like to get rid of this. Can't find the way to remove it > > from the message. > > > > Thanks a log, > > Xavi > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
