On Wed, Mar 20, 2013 at 10:44 AM, Rainer Gerhards
<[email protected]> wrote:
> On Tue, 2013-03-19 at 19:37 +0100, Philippe Muller wrote:
> > Hi,
> >
> > I try to get coherent names for programs that send messages to rsyslog.
> > For most messages, $app-name or $programname do the job (I get $syslogtag
> > without the trailing "[pid]:").
> >
> > However, $app-name/$programname does not play well with some system
> > defaults.
> > For example, on RHEL6 servers, the cron "run-parts" script uses
> > parentheses and slashes in the tag.
> >
> > Using RSYSLOG_DebugFormat, here is what we get:
> > Debug line with all properties:
> > FROMHOST: 'client1', fromhost-ip: '42.0.0.1', HOSTNAME: 'client1', PRI: 77,
> > syslogtag 'run-parts(/etc/cron.hourly)[22434]:', programname: 'run-parts(',
> > APP-NAME: 'run-parts(', PROCID: '22434', MSGID: '-',
> > TIMESTAMP: 'Mar 19 17:01:01', STRUCTURED-DATA: '-',
> > msg: ' starting 0anacron'
> > escaped msg: ' starting 0anacron'
> > inputname: imuxsock rawmsg: '<77>Mar 19 17:01:01 run-parts(/etc/cron.hourly)[22434]: starting 0anacron'
> >
> > While both parentheses and slashes are "forbidden" by RFC3164, one is
> > accepted and the other isn't.
> > Is there a motivation to allow one and not the other?
> I just provided a longer answer to a similar question yesterday, you may
> want to check the archives. But the short answer is: heuristics based on
> what usually works in practice.
>
I read the thread. I'll try to read the code to get a better understanding
of the implementation.
> >
> > Here is my current workaround:
> > if $app-name == "run-parts(" then {
> >     set $!app = field($syslogtag, 91, 1); # 91 = "["
> > } else {
> >     set $!app = $app-name;
> > }
> >
> > It works, but it's ugly and I doubt it's performance-wise. ;-)
> >
> You could use field extraction directly inside the template. IMHO that
> should do the trick (but I did not try it out).
>
> Another option would probably be to add an rsyslog option to enable
> slashes inside program name (but I am not bold enough to simply add it
> without a config option, and make it "off" by default). I'll see if I
> can do this quickly as a side-activity.
>
Thanks. But there is no urgency for me. As I'll parse messages at the
source rather than at the collector, I don't worry about the performance impact.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
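
An added example, not part of the thread and not rsyslog code: a Python sketch of the workaround discussed above, taking the program name as everything before the first "[" of the tag (the field($syslogtag, 91, 1) idea) and flagging records where the shortened name seen in the debug output would differ. The function names, the second sample line and the truncation model are assumptions made for illustration.

```python
import re

# Local-socket style line as in the rawmsg above: <PRI>TIMESTAMP TAG MSG (no hostname).
RAW_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<tag>\S+)(?P<msg>.*)$"
)
PID_RE = re.compile(r"\[(?P<pid>\d+)\]:?$")

# First line is the rawmsg from the debug output; the second is constructed.
SAMPLES = [
    "<77>Mar 19 17:01:01 run-parts(/etc/cron.hourly)[22434]: starting 0anacron",
    "<86>Mar 19 17:02:11 sshd[1001]: Accepted publickey for alice",
]


def split_tag(tag):
    """Return (app, pid): text before the first '[', else tag minus ':'."""
    pid_match = PID_RE.search(tag)
    pid = pid_match.group("pid") if pid_match else None
    app = tag.split("[", 1)[0] if "[" in tag else tag.rstrip(":")
    return app, pid


def observed_programname(tag):
    """Model of the truncation seen in the debug output (stops at '/').

    Assumption for comparison only; not rsyslog's actual parser.
    """
    return re.split(r"[/\[:]", tag, maxsplit=1)[0]


def normalize(raw):
    """Parse one raw line and report whether the two names disagree."""
    m = RAW_RE.match(raw)
    if m is None:
        raise ValueError("not a <PRI>timestamp tag msg line")
    pri = int(m.group("pri"))
    app, pid = split_tag(m.group("tag"))
    return {
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "app": app,
        "pid": pid,
        "msg": m.group("msg"),
        "truncated": observed_programname(m.group("tag")) != app,
    }
```

Records with "truncated" set are the ones where rules or dashboards keyed on the short program name would group messages under a clipped name such as 'run-parts('.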