The best way to troubleshoot this sort of thing is to configure something to log
with the format RSYSLOG_DebugFormat, that writes a long log line that shows
every variable that is parsed from the original log. You can then look at that
and decide which variable works best for your purposes.
David Lang
On Tue, 2 Apr 2013, Marcelo Veglienzone wrote:
Thank you David.
What would be the best way to circumvent this issue? I was thinking of
replacing %app-name with something custom but this is the first time I've
worked with rsyslog to this extent so I'm really at a loss here.
On Tue, Apr 2, 2013 at 3:12 PM, David Lang <da...@lang.hm> wrote:
On Tue, 2 Apr 2013, Marcelo Veglienzone wrote:
I have the following template so as to format syslog messages to logstash's
json_event format, but I find that %app-name is not able to parse certain paths:

$template ls_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%}}"
For instance, the following log entry on a RHEL 5.4 machine:

Apr 2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo: marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -

results in:

Apr 2 12:55:57 amxhp3 marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -
In some other cases %app-name is able to get the progname as sudo, removing
the full path.

Now I would like to get full paths when applicable instead of just the
progname without the base name, but I can live with just the progname as
long as it shows up.

Has anyone seen something like this before? Am I missing something?
I see two things:

1. Per the RFC, the programname is limited to 32 characters, so when
rsyslog is parsing the input line, it's probably truncating things, but we
don't see that (you would see it in programname or syslog-tag).

2. There is currently no protection preventing the application from
setting any variables it wants, so when the COMMAND= is in the line, that's
going to override the default detection.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
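As an added illustration (not code from this thread or from rsyslog itself): a small Python model of how the TAG and the programname/app-name come apart for the sample lines quoted above, and why a detection keyed only on the program field misses the long-path sudo line. The parsing rules are my assumptions, not something the thread states: TAG is taken as the first run of non-space characters ending in ':', and programname is cut at ':', '[', '/' or a non-printable character, which is the terminator list rsyslog's documentation gives for that property; the 32-octet TAG limit David mentions is not modelled.

```python
import re
import string

# Sample lines constructed from the thread: the long-path sudo ident that lost its
# app-name, a plain sudo line, and an sshd line with a pid in the tag.
SAMPLE_LINES = [
    "Apr 2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo: "
    "marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -",
    "Apr 2 12:55:58 amxhp3 sudo: marcelo : TTY=pts/3 ; PWD=/login/marcelo ; "
    "USER=root ; COMMAND=/bin/su -",
    "Apr 2 12:55:59 amxhp3 sshd[1234]: Accepted publickey for marcelo from 10.0.0.5",
]
# RFC 3164 header (TIMESTAMP HOSTNAME), then TAG and MSG.
HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")

def split_tag(rest):
    """TAG = first run of non-space characters ending in ':' (the usual
    'ident[pid]: ' layout); none found means everything is MSG. Assumed
    model; the 32-octet TAG limit mentioned in the thread is not applied."""
    m = re.match(r"^(\S+?):\s", rest)
    return ("", rest) if not m else (m.group(1) + ":", rest[m.end():])

def programname(tag):
    """Static part of the TAG, cut at the terminators rsyslog documents for
    programname: ':', '[', '/' or a non-printable character (assumed rule)."""
    out = []
    for c in tag:
        if c in ":[/" or c not in string.printable:
            break
        out.append(c)
    return "".join(out)

def ident_basename(tag):
    """Detection fallback: last path component of the ident, pid dropped."""
    return tag.rstrip(":").rsplit("/", 1)[-1].split("[", 1)[0]

def parse(line):
    """Return the fields the thread's template reads: program (app-name) is
    empty whenever the ident starts with '/', although the tag was consumed."""
    m = HEADER_RE.match(line)
    if not m:
        return {"timestamp": "", "host": "", "syslogtag": "", "program": "", "msg": line}
    tag, msg = split_tag(m.group("rest"))
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "syslogtag": tag, "program": programname(tag), "msg": msg}

def is_sudo_event(rec):
    """Keying on program alone misses the long-path line; the raw tag catches it."""
    return rec["program"] == "sudo" or ident_basename(rec["syslogtag"]) == "sudo"
```

Running parse() over SAMPLE_LINES reproduces the thread's symptom for the first line (empty program, MSG starting at "marcelo : TTY=") while the syslogtag still carries the full path, which is why David suggests looking at every parsed variable with RSYSLOG_DebugFormat before choosing one for the template.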