On Tue, 2 Apr 2013, Marcelo Veglienzone wrote:

I have the following template so as to format syslog messages to logstash's
json_event format but I find that %app-name is not able to parse certain
paths

$template ls_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%}}"

For instance the following log entry in a RHEL 5.4 machine:

Apr  2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo:
marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -

Results in:
Apr  2 12:55:57 amxhp3     marcelo : TTY=pts/3 ; PWD=/login/marcelo ;
USER=root ; COMMAND=/bin/su -

On some other cases %app-name is able to get the progname as sudo, removing
the full path.

Now I would like to get full paths when applicable instead of just the
progname without the base name but I can live with just the progname as
long as it shows up.

Has anyone seen something like this before? Am I missing something?

I see two things:

1. Per the RFC, the programname is limited to 32 characters, so when rsyslog is parsing the input line, it's probably truncating things, but we don't see that (you would see it in programname or syslog-tag).

2. There is currently no protection preventing the application from setting any variables it wants, so when the COMMAND= is in the line, that's going to override the default detection

David Lang
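As an added illustration of point 1 (this is constructed here, not rsyslog's parser and not code from either poster), a simplified Python model of legacy TAG extraction: the RFC 3164 TAG may be at most 32 characters, so a program name that is a long path never parses as a TAG and app-name ends up empty, while the MSG is still JSON-escaped so untrusted message text cannot break the json_event structure. The scan rule, the second sample line and the field names beyond the template's are assumptions.

```python
import json
import re

TAG_MAXLEN = 32  # RFC 3164: the TAG MUST NOT exceed 32 characters

# Assumed BSD-syslog header layout: "Mon dd HH:MM:SS host rest"
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$')

# Line quoted in the thread (RHEL 5.4 sudo with a full path as the program name)
PROBLEM_LINE = ('Apr  2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo: '
                'marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -')
# Constructed line with a short TAG and a PID, for comparison
NORMAL_LINE = 'Apr  2 12:55:57 amxhp3 sudo[4242]: marcelo : COMMAND=/bin/su -'


def split_tag(rest):
    """Simplified TAG model (assumption, not rsyslog's code): scan at most
    TAG_MAXLEN+1 characters for ':'; a space first, or no ':' in the window,
    means no usable TAG, so app-name stays empty and everything is the MSG."""
    for i, ch in enumerate(rest[:TAG_MAXLEN + 1]):
        if ch == ' ':
            break
        if ch == ':':
            tag, msg = rest[:i], rest[i + 1:].lstrip()
            m = re.fullmatch(r'(?P<app>[^\[]+)(?:\[(?P<pid>\d+)\])?', tag)
            if m:
                return m.group('app'), m.group('pid') or '-', msg
            break
    return '', '-', rest


def to_json_event(line):
    """Build the json_event structure the template above aims at (as a dict).
    The timestamp is kept as-is; the rfc3339 conversion is not modelled."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a BSD syslog line: %r' % line)
    app, pid, msg = split_tag(m.group('rest'))
    return {'@timestamp': m.group('ts'), '@source_host': m.group('host'),
            '@message': msg, '@fields': {'program': app, 'processid': pid}}


def to_json_line(line):
    # json.dumps escapes quotes and backslashes in MSG, as %msg:::json% is
    # meant to, so message content cannot inject extra JSON fields
    return json.dumps(to_json_event(line))
```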
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog