On 04/23/2013 11:17 PM, Rainer Gerhards wrote:
On Tue, 2013-04-23 at 19:38 -0700, Erik Steffl wrote:
Just got the latest v7 rsyslog (from rsyslog ubuntu repo) working so
trying to come up with simple config but it's hard to find documentation
and the examples are usually short fragments...
That's how the rsyslog doc works: the relevant statements are documented
at the relevant places. There are little generic sample scenarios. One
problem is that there are a myriad of different sample scenarios (each
one looking totally natural to whoever needs it...). As nobody so far
funded a tech writer, that's the way we can handle it.
So if you need to know about templates, look at the template doc, for
action go to the action doc, for modules go to their doc... and so on.
Here's what I have so far:
module(load="mmjsonparse")
module(load="omfwd")

template(
    name="text"
    type="list"
) {
    constant(value="message-text:")
    property(name="msg")
    constant(value="\n")
}

template(
    name="json"
    type="list"
) {
    constant(value="{\"@message\":\"")
    property(name="msg" format="json")
    constant(value="\"}\n")
}

local0.* action(type="mmjsonparse")
if $parsesuccess == "OK" then {
    action(type="omfile" file="/var/log/erikTest.log" template="json")
    action(
        type="omfwd"
        target="flume.ylmmuy.com"
        port="5140"
        protocol="tcp"
        template="json"
    )
} else {
    action(type="omfile" file="/var/log/erikTest.log" template="text")
    action(
        type="omfwd"
        target="some.hostname"
        port="9999"
        protocol="tcp"
        template="text"
    )
}
Questions:
- any suggestions/improvements? :-)
- property in template - I assume it can be any property (as listed
in old format) but what about the rest, e.g. what formats are available
(besides json)?
see template doc for parameters
ok, thanks,
btw found broken link on page
http://www.rsyslog.com/doc/rsyslog_conf_modules.html/rsyslog_conf_basic_structure.html
which is
http://www.rsyslog.com/doc/rsyslog_conf_modules.html/multi_ruleset
(should have .html at the end)
- I saw an example Module (path="builtin:omfwd") at
http://www.rsyslog.com/doc/rsyslog_conf_modules.html/omfwd.html but that
doesn't work (error during parsing file /etc/rsyslog.d/51-erik.conf, on
or before line 4: parameter 'path' not known -- typo in config file?),
is this obsolete syntax or... ?
thanks, that was a left-over of renamed parameter. it's actually load=,
I just changed it.
- do I need & ~ for messages to be stopped being processed like I see
in older examples?
if you want to stop processing, you absolutely need to discard them.
Which syntax you use depends on what you use. For example
if $msg contains "somewhat" then stop
will also work ("stop" seems more natural)
so my example above could be changed to something like this:
local0.* action(type="mmjsonparse")
if $parsesuccess == "OK" then {
    action(type="omfile" file="/var/log/erikTest.log" template="json")
    ...
} else {
    action(type="omfile" file="/var/log/erikTest.log" template="text")
    ...
}
stop
Does that look right?
I also saw this style (at
http://www.rsyslog.com/doc/rsyslog_conf_modules.html/multi_ruleset.html):
if prifilt("mail.*") then {
    /var/log/mail10516
    stop
}
Does that mean that instead of local.* I could (should?) do:
if prifilt("local0.*") then {
    action(type="mmjsonparse")
    if $parsesuccess == "OK" then {
        action(type="omfile" file="/var/log/erikTest.log" template="json")
    } else {
        action(type="omfile" file="/var/log/erikTest.log" template="text")
    }
    stop
}
thanks!
erik
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
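
An added example, not part of the original thread and not rsyslog code: a Python emulation of the "json" list template above, showing what the forwarded line looks like to a JSON consumer with and without format="json" on the msg property. The function names are hypothetical, the sample messages are constructed, and json.dumps is assumed to approximate rsyslog's JSON string escaping.

```python
import json

def render_json_template(msg, escape=True):
    """Emulate the thread's "json" template: constant + msg property + constant.

    escape=True stands in for property(name="msg" format="json"); json.dumps
    approximates rsyslog's JSON string escaping (assumption).
    escape=False models the same template without format="json".
    """
    body = json.dumps(msg)[1:-1] if escape else msg
    return '{"@message":"' + body + '"}\n'

def parse_record(line):
    """Parse one forwarded line as the receiver would; None if it is not valid JSON."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None

# Constructed sample messages (not taken from any real log).
SAMPLES = [
    'user login ok',                  # harmless either way
    'path="C:\\temp" status="done"',  # quotes and a backslash break the raw form
    'bad input","@level":"debug',     # quote sequence that adds a second field
]

def audit(samples):
    """Return (msg, escaped_record, raw_record) for each sample message."""
    rows = []
    for msg in samples:
        escaped = parse_record(render_json_template(msg, escape=True))
        raw = parse_record(render_json_template(msg, escape=False))
        rows.append((msg, escaped, raw))
    return rows

if __name__ == "__main__":
    for msg, escaped, raw in audit(SAMPLES):
        print("msg     :", repr(msg))
        print("escaped :", escaped)   # always exactly {"@message": msg}
        print("raw     :", raw)       # None (unparseable) or extra fields
        print()
```

With escaping, every sample arrives as a single "@message" field holding the original text; without it, the second sample is rejected by the parser and the third arrives with an extra "@level" field that the sender of the message controlled.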