On Wed, 2013-04-24 at 19:37 -0700, Erik Steffl wrote:
> On 04/23/2013 11:17 PM, Rainer Gerhards wrote:
> > On Tue, 2013-04-23 at 19:38 -0700, Erik Steffl wrote:
> >> Just got the latest v7 rsyslog (from rsyslog ubuntu reepo) working so
> >> trying to come up with simple config but it's hard to find documentation
> >> and the examples are usually short fragments...
> >>
> > That's how the rsyslog doc works: the relevant statements are documented
> > at the relevant places. There are little generic sample scenarios. One
> > problem is that there are a myriad of different sample scenarios (each
> > one looking totally natuaral to whoever needs it...). As nobody so far
> > funded a tech writer, that's the way we can handle it.
> >
> > So if you need to know about templates, look at the template doc, for
> > action go to the action doc, for modules go to their doc... and so on.
> >> Here's what I have so far:
> >>
> >> module(load="mmjsonparse")
> >> module(load="omfwd")
> >>
> >> template(
> >> name="text"
> >> type="list"
> >> ) {
> >> constant(value="message-text:")
> >> property(name="msg")
> >> constant(value="\n")
> >> }
> >>
> >> template(
> >> name="json"
> >> type="list"
> >> ) {
> >> constant(value="{\"@message\":\"")
> >> property(name="msg" format="json")
> >> constant(value="\"}\n")
> >> }
> >>
> >> local0.* action(type="mmjsonparse")
> >> if $parsesuccess == "OK" then {
> >> action(type="omfile" file="/var/log/erikTest.log" template="json")
> >> action(
> >> type="omfwd"
> >> target="flume.ylmmuy.com"
> >> port="5140"
> >> protocol="tcp"
> >> template="json"
> >> )
> >> } else {
> >> action(type="omfile" file="/var/log/erikTest.log" template="text")
> >> action(
> >> type="omfwd"
> >> target="some.hostname"
> >> port="9999"
> >> protocol="tcp"
> >> template="text"
> >> )
> >> }
> >>
> >> Questions:
> >>
> >> - any suggestions/improvements? :-)
> >>
> >> - property in template - I assume it can be any property (as listed
> >> in old format) but what about the rest, e.g. what formats are available
> >> (besides json)?
> > see template doc for parameters
>
> ok, thanks,
>
> btw found broken link on page
> http://www.rsyslog.com/doc/rsyslog_conf_modules.html/rsyslog_conf_basic_structure.html
>
> which is
> http://www.rsyslog.com/doc/rsyslog_conf_modules.html/multi_ruleset
> (should have .html at the end)
>
thx, fixed in repo (not yet on the page, currently have no access to
there).
> >> - I saw an example Module (path="builtin:omfwd") at
> >> http://www.rsyslog.com/doc/rsyslog_conf_modules.html/omfwd.html but that
> >> doesn't work (error during parsing file /etc/rsyslog.d/51-erik.conf, on
> >> or before line 4: parameter 'path' not known -- typo in config file?),
> >> is this obsolete syntax or... ?
> > thanks, that was a left-over of renamed parameter. it's actually load=,
> > I just changed it.
> >>
> >> - do I need & ~ for messages to be stopped being processed like I see
> >> in older examples?
> > if you want to stop processing, you absolutely need to discard them.
> > Which syntax you use depends on what you use. For example
> >
> > if $msg contains "somewhat" then stop
> > will also work ("stop" seems more natural)
>
> so my example above could be changed to comething like this:
>
> local0.* action(type="mmjsonparse")
> if $parsesuccess == "OK" then {
> action(type="omfile" file="/var/log/erikTest.log" template="json")
> ...
> } else {
> action(type="omfile" file="/var/log/erikTest.log" template="text")
> ...
> }
> stop
This would stop processing irrelevant of the filters. Is that what you
want? If not, you need to include the "stop" at an appropriate place
inside one of the then... else ... blocks.
>
> Does that look right?
>
> I also saw this style (at
> http://www.rsyslog.com/doc/rsyslog_conf_modules.html/multi_ruleset.html):
>
> if prifilt("mail.*") then {
> /var/log/mail10516
> stop
> }
>
> Does that mean that instead of local.* I could
could: yes
should: no - do as you like (actually the optimizer creates the same
internal representation out of it).
This function makes it easier to include such conditions in more complex
boolean expressions.
> (should?) do:
>
> if prifilt("local0.*") then {
> action(type="mmjsonparse")
> if $parsesuccess == "OK" then {
> action(type="omfile" file="/var/log/erikTest.log" template="json")
> } else {
> action(type="omfile" file="/var/log/erikTest.log" template="text")
> }
> stop
> }
>
yup - I now also probably see what you inteded with the example above. I
guess this is what you meant:
local0.* { action(type="mmjsonparse")
if $parsesuccess == "OK" then {
action(type="omfile" file="/var/log/erikTest.log" template="json")
...
} else {
action(type="omfile" file="/var/log/erikTest.log" template="text")
...
}
stop
}
HTH
Rainer
> thanks!
>
> erik
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
