I am receiving logs from a sender in CEF format delimited by the pipe character.
I need to output logs to a folder structure by splitting each line on the pipe delimiter and creating a folder structure such as "/var/log/field2/field3/logfile". Field 2 is the vendor and field 3 is the product (for example, Vendor: Cisco, Product: ASA). So I wrote this template:

$template cefdynfile,"/var/log/cef/%msg:F,124:2:%/%msg:F,124:3%/logfile"

However, what I am seeing is that the directories created by this template include other fields that are part of the log message and aren't unique. I am sure the messages are coming in fine and not mangled, because if I write a similar parser in syslog-ng (which I am trying to replace with rsyslog), the directory structure comes out clean. I suspect there is an issue with how rsyslog handles control characters and ASCII codes. What would be the best way to split a log message by the pipe character and ensure the sanity of the resulting token? I am running the stock rsyslog distributed with CentOS6 - 5.8.10-6. TIA.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
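As an added illustration (not part of the post, and not rsyslog's own code), the following Python shows the two checks a practitioner would want before turning the vendor and product fields of a CEF header into directory names: splitting only on unescaped pipes (CEF allows "\|" inside header fields, which a naive split on byte 124 breaks), and reducing each token to a single path component so that slashes, dots, pipes or control characters smuggled into a header field can never create directories outside the intended base. The sample lines and the `unknown` fallback are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample CEF lines (not from the post): a clean one, one with a
# traversal-looking product field, and one with an escaped pipe in the product.
SAMPLE_LINES = [
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp src outside:10.0.0.1/1234|4|src=10.0.0.1 dst=10.0.0.2",
    "CEF:0|Vendor|../../etc|1.0|100|Traversal attempt in header|5|msg=x",
    "CEF:0|Acme|Fire\\|Wall|2.0|200|Escaped pipe in product|3|msg=y",
]

# Allow-list for one directory name; slashes, dots, pipes and control chars are replaced.
UNSAFE = re.compile(r"[^A-Za-z0-9_-]+")


def split_cef_header(line):
    """Split on unescaped '|' only ('\\|' is a literal pipe, '\\\\' a literal backslash).
    Returns the 7 CEF header fields plus the untouched extension as an 8th element."""
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            if len(fields) == 7:  # everything after the 7th pipe is the extension
                return fields + [line[i:]]
        else:
            buf.append(ch)
            i += 1
    return fields + ["".join(buf)]


def safe_component(token, fallback="unknown"):
    """Reduce one header field to a single, non-traversing directory name."""
    cleaned = UNSAFE.sub("_", token.strip())[:64]
    return cleaned if cleaned.strip("_") else fallback


def log_path(line, base="/var/log/cef"):
    """Build base/<vendor>/<product>/logfile, the layout the post's template targets."""
    fields = split_cef_header(line)
    vendor = safe_component(fields[1] if len(fields) > 1 else "")
    product = safe_component(fields[2] if len(fields) > 2 else "")
    path = str(PurePosixPath(base) / vendor / product / "logfile")
    if not path.startswith(base + "/"):  # defence in depth: never leave the base directory
        raise ValueError("path escaped base directory")
    return path
```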

