That's great. I'll test it ASAP. :-)

Philippe Muller


On Thu, Apr 4, 2013 at 10:12 AM, Rainer Gerhards
<[email protected]> wrote:

> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of Rainer Gerhards
> > Sent: Thursday, April 04, 2013 9:48 AM
> > To: Philippe Muller
> > Cc: rsyslog-users ([email protected])
> > Subject: Re: [rsyslog] Need help to understand RainerScript behavior
> > (rsyslog 7.2.6)
> >
> > Quick update: I have this in lab now. I can confirm the problem in
> > 7.2.6, but it seems to be gone in master branch (7.3.9+). Now need to
> > dig down what's going on.
>
> Yup, I accidentally fixed the problem in 7.3 only. Here is the backport:
>
>
> http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=cbf0ed9541fee2a480dda3533d1604a9df4ae9bb
>
> I'll release this with 7.2.7, hopefully very soon (there is another issue
> open that I would like to roll into the 7.2.7 release, otherwise I had
> released today).
>
> Philippe, if you have time to try out the patch, that would be great (but
> fully understandable if not;)). It worked in my lab with your config.
>
> Rainer
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: Philippe Muller [mailto:[email protected]]
> > > Sent: Friday, March 29, 2013 11:40 AM
> > > To: Rainer Gerhards; rsyslog-users
> > > Subject: Re: [rsyslog] Need help to understand RainerScript behavior
> > > (rsyslog
> > > 7.2.6)
> > >
> > > Not sure if it is related :
> > >
> > >
> > > I tried this configuration :
> > > ---
> > > if $app-name startswith "FOO-" then {
> > >     set $!appname_starts_with_FOO = 1;
> > >
> > >     if re_match($app-name, '^FOO-[^-]+-([012])$') then {
> > >         set $!appname_matches_regexp = 1;
> > >
> > >         if field($app-name, 45, 2) == "BAR" then {
> > >             set $!appname_2nd_field_is_BAR = 1;
> > >         } else {
> > >             set $!appname_2nd_field_isnt_BAR = 1;
> > >         }
> > >     } else {
> > >         set $!appname_doesnt_match_regexp = 1;
> > >     }
> > > } else {
> > >     set $!appname_doesnt_starts_with_FOO = 1;
> > > }
> > > ---
> > >
> > >
> > > Here is the rsyslog startup message :
> > > app-name: "rsyslogd", msg: " [origin software="rsyslogd" swVersion="7.2.6"
> > > x-pid="28469" x-info="http://www.rsyslog.com";] start", json: {
> > > "appname_2nd_field_isnt_BAR": 1, "appname_doesnt_match_regexp": 1,
> > > "appname_doesnt_starts_with_FOO": 1 }
> > >
> > > => This message should only have "appname_doesnt_starts_with_FOO" ;
> > > why are tests inside "if $app-name startswith ..." evaluated ?
> > >
> > > Message : logger -t foo test foo
> > >
> > > Result : app-name: "foo", msg: " test foo", json: {
> > > "appname_2nd_field_isnt_BAR": 1, "appname_doesnt_match_regexp": 1,
> > > "appname_doesnt_starts_with_FOO": 1 }
> > >
> > > => This message should only have "appname_doesnt_starts_with_FOO"
> > >
> > >
> > > Message : logger -t FOO-bar test foo
> > >
> > > Result : app-name: "FOO-bar", msg: " test foo", json: {
> > > "appname_starts_with_FOO": 1, "appname_2nd_field_isnt_BAR": 1,
> > > "appname_doesnt_match_regexp": 1 }
> > >
> > > => Should only have "appname_starts_with_FOO" and
> > > "appname_doesnt_match_regexp"
> > >
> > >
> > > Message : logger -t FOO-BAR test foo
> > >
> > > Result : app-name: "FOO-BAR", msg: " test foo", json: {
> > > "appname_starts_with_FOO": 1, "appname_2nd_field_isnt_BAR": 1,
> > > "appname_doesnt_match_regexp": 1 }
> > >
> > > => Should only have "appname_starts_with_FOO" and
> > > "appname_doesnt_match_regexp"
> > >
> > >
> > > Message : logger -t FOO-BAR-0 test foo
> > >
> > > Result : app-name: "FOO-BAR-0", msg: " test foo", json: {
> > > "appname_starts_with_FOO": 1, "appname_matches_regexp": 1,
> > > "appname_2nd_field_is_BAR": 1 }
> > >
> > > => Works as expected
> > >
> > >
> > >
> > >
> > >
> > >
> > > Philippe Muller
> > >
> > >
> > > On Thu, Mar 28, 2013 at 11:12 PM, Philippe Muller
> > > <[email protected]> wrote:
> > >
> > >
> > >     Here is the full debug log : http://pastebin.com/SMtnZNuL
> > >
> > >
> > >
> > >
> > >
> > >     Philippe Muller
> > >
> > >
> > >     On Thu, Mar 28, 2013 at 10:57 PM, Rainer Gerhards
> > > <[email protected]> wrote:
> > >
> > >
> > >             No, should work. Debug log?
> > >
> > >
> > >             Sent from phone, thus brief.
> > >
> > >
> > >
> > >             -------- Original Message --------
> > >             From: Philippe Muller <[email protected]>
> > >             Date: 28.03.2013 22:53 (GMT+01:00)
> > >             To: rsyslog-users <[email protected]>
> > >             Subject: Re: [rsyslog] Need help to understand RainerScript
> > >             behavior (rsyslog 7.2.6)
> > >
> > >
> > >
> > >             I guess using set-able variables in if-statement is not
> > >             supported.
> > >             Rainer : can you confirm that ?
> > >
> > >             Philippe Muller
> > >
> > >
> > >             On Thu, Mar 28, 2013 at 7:18 PM, Philippe Muller
> > >             <[email protected]> wrote:
> > >
> > >             > Hi rsyslog users,
> > >             >
> > >             > I try to define a scheme which gives users a way to choose if
> > >             > messages should be written on their server filesystem and if
> > >             > they should be forwarded to syslog collectors.
> > >             >
> > >             > Here is my test configuration :
> > >             > ---
> > >             > module(load="imuxsock")
> > >             >
> > >             > # Default: All messages should be written locally
> > >             > set $!rsyslog_write = 1;
> > >             > # Default: All messages should be forwarded to collectors
> > >             > set $!rsyslog_forward = 1;
> > >             >
> > >             > # When a message with the custom tag is matched,
> > >             > # extract write and forwarding information.
> > >             > #
> > >             > # Tag syntax: FOO-appName-flag
> > >             > #
> > >             > # Flag values:
> > >             > # - 0: drop message
> > >             > # - 1: don't write message
> > >             > # - 2: don't forward message
> > >             > # - 3: write and forward message (default)
> > >             > #
> > >             > if re_match($app-name, "^FOO-[^-]+-([0123])") then {
> > >             >     set $!rsyslog_flag = cnum(field($app-name, 45, 3));
> > >             >     if $!rsyslog_flag == 0 then {
> > >             >         unset $!rsyslog_write;
> > >             >         unset $!rsyslog_forward;
> > >             >     } else if $!rsyslog_flag == 1 then {
> > >             >         unset $!rsyslog_write;
> > >             >     } else if $!rsyslog_flag == 2 then {
> > >             >         unset $!rsyslog_forward;
> > >             >     }
> > >             > }
> > >             >
> > >             > # Write all messages for debugging
> > >             > template(name="cee-debug" type="string"
> > >             >          string="msg: \"%msg%\", json: %$!all-json%\n")
> > >             > action(name="cee-debug" type="omfile" file="/tmp/cee-debug"
> > >             >        template="cee-debug")
> > >             > ---
> > >             >
> > >             > And that's how I tested it :
> > >             > # logger -t FOO-bar-0 test-0
> > >             > # logger -t FOO-bar-1 test-1
> > >             > # logger -t FOO-bar-2 test-2
> > >             > # logger -t FOO-bar-3 test-3
> > >             > # cat /tmp/cee-debug
> > >             > msg: " test-0", json: { "rsyslog_write": 1, "rsyslog_forward": 1, "rsyslog_flag": 0 }
> > >             > msg: " test-1", json: { "rsyslog_write": 1, "rsyslog_forward": 1, "rsyslog_flag": 1 }
> > >             > msg: " test-2", json: { "rsyslog_write": 1, "rsyslog_forward": 1, "rsyslog_flag": 2 }
> > >             > msg: " test-3", json: { "rsyslog_write": 1, "rsyslog_forward": 1, "rsyslog_flag": 3 }
> > >             >
> > >             >
> > >             > Messages are matched by re_match(), $!rsyslog_flag is well
> > >             > extracted from the tag, but none of the tests on $!rsyslog_flag
> > >             > seem to be evaluated successfully.
> > >             > I tested the same config without cnum() + testing $!rsyslog_flag
> > >             > with strings => same results.
> > >             >
> > >             > Is there something I'm missing regarding nested if statements ?
> > >             > If that's the expected behavior, I would be grateful for
> > >             > clarification. :-)
> > >             >
> > >             >
> > >             > Regards,
> > >             >
> > >             > Philippe Muller
> > >             >
> > >
> > >             _______________________________________________
> > >             rsyslog mailing list
> > >             http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >             http://www.rsyslog.com/professional-services/
> > >             What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >             NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > >             myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > >             POST if you DON'T LIKE THAT.
> > >
> > >
> > >
> >
>
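One way to check a build against the behaviour the quoted configuration is meant to have, as an added example that is not part of the thread or of rsyslog: it parses lines written by the `cee-debug` template and compares the remaining routing variables with the flag table from the config comments. The function names are hypothetical, and it assumes an unset variable is simply absent from `%$!all-json%`.

```python
import json
import re

# Layout of the thread's "cee-debug" template: msg: "%msg%", json: %$!all-json%
LINE_RE = re.compile(r'^msg: "(?P<msg>.*)", json: (?P<json>\{.*\})\s*$')
ROUTING_VARS = {"rsyslog_write", "rsyslog_forward"}
# Flag table from the comments in the posted config: flag -> variables still set.
EXPECTED_SET = {
    0: set(),                   # drop message
    1: {"rsyslog_forward"},     # don't write message
    2: {"rsyslog_write"},       # don't forward message
    3: set(ROUTING_VARS),       # write and forward message (default)
}

def check_line(line):
    """Return (msg, problem); problem is None when the line fits the flag table."""
    m = LINE_RE.match(line.strip())
    if not m:
        return (None, "unparseable line")
    try:
        props = json.loads(m.group("json"))
        # No flag means the tag did not match, so both defaults must remain.
        # int() also accepts the string form seen when cnum() is left out.
        expected = (EXPECTED_SET[int(props["rsyslog_flag"])]
                    if "rsyslog_flag" in props else ROUTING_VARS)
    except (ValueError, KeyError, TypeError):
        return (m.group("msg"), "bad JSON or unknown flag")
    actual = ROUTING_VARS.intersection(props)
    if actual == expected:
        return (m.group("msg"), None)
    return (m.group("msg"), "expected %s set, found %s"
            % (sorted(expected), sorted(actual)))

def failing_messages(lines):
    """Map each offending msg to its mismatch description."""
    results = (check_line(l) for l in lines if l.strip())
    return {msg: problem for msg, problem in results if problem}

# /tmp/cee-debug lines reported for 7.2.6 in the thread (line wraps rejoined).
REPORTED_7_2_6 = [
    'msg: " test-0", json: { "rsyslog_write": 1, "rsyslog_forward": 1, "rsyslog_flag": 0 }',
    'msg: " test-1", json: { "rsyslog_write": 1, "rsyslog_forward": 1, "rsyslog_flag": 1 }',
    'msg: " test-2", json: { "rsyslog_write": 1, "rsyslog_forward": 1, "rsyslog_flag": 2 }',
    'msg: " test-3", json: { "rsyslog_write": 1, "rsyslog_forward": 1, "rsyslog_flag": 3 }',
]

if __name__ == "__main__":
    print(failing_messages(REPORTED_7_2_6))
```

Feeding it the contents of `/tmp/cee-debug` after re-running the four `logger` commands on a patched build should give an empty result.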