Thank you David. What would be the best way to circumvent this issue? I was thinking of replacing %app-name with something custom but this is the first time I've worked with rsyslog to this extent so I'm really at a loss here.
On Tue, Apr 2, 2013 at 3:12 PM, David Lang <[email protected]> wrote:

> On Tue, 2 Apr 2013, Marcelo Veglienzone wrote:
>
>> I have the following template so as to format syslog messages to logstash's
>> json_event format but I find that %app-name is not able to parse certain
>> paths
>>
>> $template ls_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%}}"
>>
>> For instance the following log entry in a RHEL 5.4 machine:
>>
>> Apr 2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo: marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -
>>
>> Results in:
>> Apr 2 12:55:57 amxhp3 marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -
>>
>> On some other cases %app-name is able to get the progname as sudo, removing
>> the full path.
>>
>> Now I would like to get full paths when applicable instead of just the
>> progname without the base name but I can live with just the progname as
>> long as it shows up.
>>
>> Has anyone seen something like this before? Am I missing something?
>
> I see two things
>
> 1. Per the RFC, the programname is limited to 32 characters, so when
> rsyslog is parsing the input line, it's probably truncating things, but we
> don't see that (you would see it in programname or syslog-tag)
>
> 2. There is currently no protection preventing the application from
> setting any variables it wants, so when the COMMAND= is in the line, that's
> going to override the default detection
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
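
An added illustration, not part of the thread and not rsyslog's own parser: a strict reading of the RFC 3164 TAG rule (alphanumeric characters only, at most 32) applied to the quoted sudo entry yields an empty tag, shown beside a lenient extraction that keeps the full path and its basename. The function names and the lenient rule are assumptions made for this example.

```python
import posixpath
import re

# Constructed from the sudo entry quoted in the thread (day padded as RFC 3164 expects).
SAMPLE = (
    "Apr  2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo: "
    "marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -"
)

HEADER = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$")
STRICT_TAG = re.compile(r"^[A-Za-z0-9]{0,32}")  # RFC 3164: alphanumerics, max 32
# Hypothetical lenient rule: anything up to "[pid]:" or ":" with no whitespace.
LENIENT_TAG = re.compile(r"^(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:")


def strict_tag(rest):
    """TAG as RFC 3164 defines it: any non-alphanumeric character ends it."""
    return STRICT_TAG.match(rest).group(0)


def lenient_program(rest):
    """Accept a path-like tag; return (full_path, basename, pid)."""
    m = LENIENT_TAG.match(rest)
    if not m:
        return ("", "", None)  # e.g. "marcelo : ..." is message text, not a tag
    tag = m.group("tag")
    return (tag, posixpath.basename(tag), m.group("pid"))


def parse(line):
    """Split a BSD-syslog line and report both readings of the program field."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line")
    rest = m.group("rest")
    full, base, pid = lenient_program(rest)
    return {
        "host": m.group("host"),
        "strict_tag": strict_tag(rest),
        "program_path": full,
        "program": base,
        "pid": pid,
        "over_32": len(full) > 32,  # longer than the RFC 3164 TAG limit
    }


if __name__ == "__main__":
    print(parse(SAMPLE))
```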

