I have the following template so as to format syslog messages to logstash's
json_event format but I find that %app-name is not able to parse certain
paths:

$template ls_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%}}"

For instance the following log entry in a RHEL 5.4 machine:

Apr  2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo: marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -

Results in:
Apr  2 12:55:57 amxhp3     marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -

In some other cases %app-name is able to get the progname as sudo, removing
the full path.

Now I would like to get full paths when applicable instead of just the
progname without the base name but I can live with just the progname as
long as it shows up.

Has anyone seen something like this before? Am I missing something?

Thanks,

Marcelo Veglienzone
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
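
Added example (not part of the original post and not rsyslog code): a stand-alone Python parser for BSD-style syslog lines like the one quoted above. It keeps the full path from the tag, derives the base name for the template's `program` field, and flags events whose `program` came out empty. The regex, the function names, the extra `program_path` field and the "-" placeholder for a missing PID are assumptions of this example.

```python
import json
import posixpath
import re

# Constructed sample lines; the first is modelled on the entry quoted in the post.
SAMPLES = [
    "Apr  2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo: "
    "marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -",
    "Apr  2 12:56:01 amxhp3 sshd[2211]: Accepted publickey for marcelo",
]

# timestamp, host, tag (slashes allowed), optional [pid], then ':' and the message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[\]]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict shaped like the template's JSON, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    tag = m.group("tag")
    return {
        "@source_host": m.group("host"),
        "@message": m.group("msg"),
        "@fields": {
            # base name of the tag; fall back to the raw tag if it ends in '/'
            "program": posixpath.basename(tag) or tag,
            # full path only when the tag actually carries one (example-only field)
            "program_path": tag if "/" in tag else None,
            "processid": m.group("pid") or "-",  # "-" is this example's placeholder
        },
    }

def missing_program(event):
    """True when an event has lost its program name, as in the output shown in the post."""
    return not (event.get("@fields", {}).get("program") or "").strip()

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(parse_line(sample)))
```
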