I will take a look at that, thanks a lot!

On Tue, Apr 2, 2013 at 3:33 PM, David Lang <[email protected]> wrote:

> The best way to troubleshoot this sort of thing is to configure something
> to log with the format RSYSLOG_DebugFormat, that writes a long log line
> that shows every variable that is parsed from the original log. You can
> then look at that and decide which variable works best for your purposes.
>
> David Lang
>
> On Tue, 2 Apr 2013, Marcelo Veglienzone wrote:
>
>> Thank you David.
>>
>> What would be the best way to circumvent this issue? I was thinking of
>> replacing %app-name with something custom but this is the first time I've
>> worked with rsyslog to this extent so I'm really at a loss here.
>>
>> On Tue, Apr 2, 2013 at 3:12 PM, David Lang <[email protected]> wrote:
>>
>>> On Tue, 2 Apr 2013, Marcelo Veglienzone wrote:
>>>
>>>> I have the following template so as to format syslog messages to
>>>> logstash's json_event format but I find that %app-name is not able to
>>>> parse certain paths
>>>>
>>>> $template ls_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf:facility%,%syslogseverity-text:::jsonf:severity%,%app-name:::jsonf:program%,%procid:::jsonf:processid%}}"
>>>>
>>>> For instance the following log entry in a RHEL 5.4 machine:
>>>>
>>>> Apr 2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo: marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -
>>>>
>>>> Results in:
>>>> Apr 2 12:55:57 amxhp3 marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -
>>>>
>>>> On some other cases %app-name is able to get the progname as sudo,
>>>> removing the full path.
>>>>
>>>> Now I would like to get full paths when applicable instead of just the
>>>> progname without the base name but I can live with just the progname as
>>>> long as it shows up.
>>>>
>>>> Has anyone seen something like this before? Am I missing something?
>>>
>>> I see two things
>>>
>>> 1. Per the RFC, the programname is limited to 32 characters, so when
>>> rsyslog is parsing the input line, it's probably truncating things, but we
>>> don't see that (you would see it in programname or syslog-tag)
>>>
>>> 2. There is currently no protection preventing the application from
>>> setting any variables it wants, so when the COMMAND= is in the line, that's
>>> going to override the default detection
>>>
>>> David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
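
As an added illustration (not part of the thread, and not rsyslog's own parser), this Python example checks a syslog line's tag against the 32-character limit mentioned in the thread and derives a basename to use as a program name. The regexes, the `inspect_line` helper and the third sample line are assumptions made for this example; the first two samples are the log lines quoted in the thread.

```python
import re
from posixpath import basename

RFC3164_TAG_MAX = 32  # RFC 3164 section 4.1.3: TAG must not exceed 32 characters

# "Mmm d hh:mm:ss host rest" (RFC 3164 header without the <PRI> part)
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Assumed tag shape for this example: non-space run, optional [pid], then a colon.
TAG = re.compile(r"^(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$")

SAMPLES = [
    # Original entry quoted in the thread (tag is a full path)
    "Apr 2 12:55:57 amxhp3 /project/admin/libexec/sudo.d/Linux/x86_64/2.6/sudo: "
    "marcelo : TTY=pts/3 ; PWD=/login/marcelo ; USER=root ; COMMAND=/bin/su -",
    # Output quoted in the thread (program name missing)
    "Apr 2 12:55:57 amxhp3 marcelo : TTY=pts/3 ; PWD=/login/marcelo ; "
    "USER=root ; COMMAND=/bin/su -",
    # Constructed line with a short tag and a pid
    "Apr 2 12:56:05 amxhp3 sshd[2211]: constructed sample message",
]

def inspect_line(line):
    """Split a syslog line and report how its tag relates to the 32-char limit."""
    head = HEADER.match(line)
    if head is None:
        return None  # not a recognisable syslog header
    body = TAG.match(head["rest"])
    if body is None:
        # No "tag:" prefix found, so there is no program name to report
        return {"host": head["host"], "tag": None, "msg": head["rest"]}
    tag = body["tag"]
    return {
        "host": head["host"],
        "tag": tag,
        "tag_len": len(tag),
        "over_limit": len(tag) > RFC3164_TAG_MAX,
        "rfc_tag": tag[:RFC3164_TAG_MAX],  # what survives a 32-character cut
        "program": basename(tag),          # path stripped, e.g. "sudo"
        "pid": body["pid"],
        "msg": body["msg"],
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_line(sample))
```

Comparing `tag`, `rfc_tag` and `program` for each line alongside the RSYSLOG_DebugFormat output shows which value a template should rely on.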

