Re: [rsyslog] How to get the app name (when it includes slashes) ?

Wed, 20 Mar 2013 02:44:17 -0700 

On Tue, 2013-03-19 at 19:37 +0100, Philippe Muller wrote:
> Hi,
> 
> I try to get a coherent names for programs who send messages to rsyslog.
> For most messages, $app-name or $programname do the job (I get $syslogtag
> without the trailing "[pid]:").
> 
> However, $app-name/$programname does not play well with some system
> defaults.
> For example, on RHEL6 servers, the cron "run-parts" script use parenthesis
> and slashes in the tag.
> 
> Using RSYSLOG_DebugFormat, here is what we get :
> Debug line with all properties:
> FROMHOST: 'client1', fromhost-ip: '42.0.0.1', HOSTNAME: 'client1', PRI: 77,
> syslogtag 'run-parts(/etc/cron.hourly)[22434]:', programname: 'run-parts(',
> APP-NAME: 'run-parts(', PROCID: '22434', MSGID: '-',
> TIMESTAMP: 'Mar 19 17:01:01', STRUCTURED-DATA: '-',
> msg: ' starting 0anacron'
> escaped msg: ' starting 0anacron'
> inputname: imuxsock rawmsg: '<77>Mar 19 17:01:01
> run-parts(/etc/cron.hourly)[22434]: starting 0anacron'
> 
> While both parenthesis and slashes are "forbidden" by RFC3164, one is
> accepted and the other isn't.
> Is there a motivation to allow one and not the other ?
I just provided a longer answer to a similar question yesterday, you may
want to check the archives. But the short answer is: heuristics based on
what usually works in practice.

> 
> Here is my current workaround :
> if $app-name == "run-parts(" then {
>     set $!app = field($syslogtag, 91, 1); # 91 = "["
> } else {
>     set $!app = $app-name;
> }
> 
> It works, but it's ugly and I doubt it's performance-wise. ;-)
> 
You could use field extraction directly inside the template. IMHO that
should do the trick (but I did not try it out).

Another option would probably be to add an rsyslog option to enable
slashes inside program name (but I am not bold enough to simply add it
without a config option, and make it "off" by default). I'll see if I
can do this quickly as a side-activity.

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to