On 04/25/2013 01:00 AM, Rainer Gerhards wrote:
On Wed, 2013-04-24 at 19:37 -0700, Erik Steffl wrote:
On 04/23/2013 11:17 PM, Rainer Gerhards wrote:
On Tue, 2013-04-23 at 19:38 -0700, Erik Steffl wrote:
Just got the latest v7 rsyslog (from rsyslog ubuntu reepo) working so
trying to come up with simple config but it's hard to find documentation
and the examples are usually short fragments...
That's how the rsyslog doc works: the relevant statements are documented
at the relevant places. There are little generic sample scenarios. One
problem is that there are a myriad of different sample scenarios (each
one looking totally natuaral to whoever needs it...). As nobody so far
funded a tech writer, that's the way we can handle it.
So if you need to know about templates, look at the template doc, for
action go to the action doc, for modules go to their doc... and so on.
Here's what I have so far:
module(load="mmjsonparse")
module(load="omfwd")
template(
name="text"
type="list"
) {
constant(value="message-text:")
property(name="msg")
constant(value="\n")
}
template(
name="json"
type="list"
) {
constant(value="{\"@message\":\"")
property(name="msg" format="json")
constant(value="\"}\n")
}
local0.* action(type="mmjsonparse")
if $parsesuccess == "OK" then {
action(type="omfile" file="/var/log/erikTest.log" template="json")
action(
type="omfwd"
target="flume.ylmmuy.com"
port="5140"
protocol="tcp"
template="json"
)
} else {
action(type="omfile" file="/var/log/erikTest.log" template="text")
action(
type="omfwd"
target="some.hostname"
port="9999"
protocol="tcp"
template="text"
)
}
Questions:
- any suggestions/improvements? :-)
- property in template - I assume it can be any property (as listed
in old format) but what about the rest, e.g. what formats are available
(besides json)?
see template doc for parameters
ok, thanks,
btw found broken link on page
http://www.rsyslog.com/doc/rsyslog_conf_modules.html/rsyslog_conf_basic_structure.html
which is
http://www.rsyslog.com/doc/rsyslog_conf_modules.html/multi_ruleset
(should have .html at the end)
thx, fixed in repo (not yet on the page, currently have no access to
there).
- I saw an example Module (path="builtin:omfwd") at
http://www.rsyslog.com/doc/rsyslog_conf_modules.html/omfwd.html but that
doesn't work (error during parsing file /etc/rsyslog.d/51-erik.conf, on
or before line 4: parameter 'path' not known -- typo in config file?),
is this obsolete syntax or... ?
thanks, that was a left-over of renamed parameter. it's actually load=,
I just changed it.
- do I need & ~ for messages to be stopped being processed like I see
in older examples?
if you want to stop processing, you absolutely need to discard them.
Which syntax you use depends on what you use. For example
if $msg contains "somewhat" then stop
will also work ("stop" seems more natural)
so my example above could be changed to comething like this:
local0.* action(type="mmjsonparse")
if $parsesuccess == "OK" then {
action(type="omfile" file="/var/log/erikTest.log" template="json")
...
} else {
action(type="omfile" file="/var/log/erikTest.log" template="text")
...
}
stop
This would stop processing irrelevant of the filters. Is that what you
oh, so thse two are not the same:
local0.* something
& ~
local0.* something
stop
i.e. stop is not for previous match (local0.*) only?
want? If not, you need to include the "stop" at an appropriate place
inside one of the then... else ... blocks.
Does that look right?
I also saw this style (at
http://www.rsyslog.com/doc/rsyslog_conf_modules.html/multi_ruleset.html):
if prifilt("mail.*") then {
/var/log/mail10516
stop
}
Does that mean that instead of local.* I could
could: yes
should: no - do as you like (actually the optimizer creates the same
internal representation out of it).
This function makes it easier to include such conditions in more complex
boolean expressions.
(should?) do:
if prifilt("local0.*") then {
action(type="mmjsonparse")
if $parsesuccess == "OK" then {
action(type="omfile" file="/var/log/erikTest.log" template="json")
} else {
action(type="omfile" file="/var/log/erikTest.log" template="text")
}
stop
}
yup - I now also probably see what you inteded with the example above. I
guess this is what you meant:
local0.* { action(type="mmjsonparse")
if $parsesuccess == "OK" then {
action(type="omfile" file="/var/log/erikTest.log" template="json")
...
} else {
action(type="omfile" file="/var/log/erikTest.log" template="text")
...
}
stop
}
I think that's what I meant, but is there any difference in my
version with prifilt above and your version that uses local0.* {...}?
Is local.* { ... stop } replacement for old style config like this:
local.* something
& something else
& and more
$ ~ (discard message)
?
thanks!
erik
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
