On Fri, 14 Feb 2014, Rune Elvemo wrote:

> First: I have a problem with a rule for a log line from postfix.
> An example of a log line:
> Feb 12 10:39:01 bp-mta06 postfix/local[4369]: 8ACC51001F0: to=<[email protected]>, orig_to=<root>, relay=local, delay=0.06, delays=0.05/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
>
> This is the filter I've written, but it doesn't work:
> prefix=%date:date-rfc3164% %hostname:word%
>
> rule=to: postfix/local[%notused:number%]: %mailid:char-to:\x3a%: to=<%address:char-to:>%>, orig_to=%notused2:word% relay=%notused3:word% delay=%notused4:word% delays=%notused5:word% dsn=%notused6:word% status=%status:word% %2notused3:char-to:)%)
>
> What is causing the problem is this: '%mailid:char-to:\x3a%:'
> If I replace it with '%mailid:word%' I get all the fields I want, but I do not want the ':' in the mailid field.

What version of rsyslog are you running? There have been significant improvements in mmnormalize recently.

What do you get with the config '%mailid:char-to:\x3a%:' ?

> Second:
> The log data will be stored in a mysql database, with multiple tables (mail, router, etc.).
>
> In order to do that I need several templates with different insert statements. One for each table.
>
> I've looked at this page: http://www.rsyslog.com/using-rsyslog-mmnormalize-module-effectively-with-adiscon-loganalyzer/,
> and it has one rule without a name, and a single $template line.
>
> It seems like there is no 'rule' option (man page rsyslog.conf(5)) for a '$template' line. Is this correct? If so, how am I going to use several insert statements?

You create a template for each different type of insert (or with v7 you can use a variable in the template that you fill with the appropriate value) and then have several action statements, each using a different template.

David Lang
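
The arrangement suggested in the reply above (one template per insert statement, one action per template), as an added example in rsyslog v7+ RainerScript syntax. It is not from the thread: the table and column names, database name and credentials, rulebase path, useRawMsg setting and the router filter are all assumptions.

```conf
# Added illustration. Table/column names, credentials, the rulebase path
# and the router filter are assumed placeholders, not values from the thread.
module(load="mmnormalize")
module(load="ommysql")

# Parse with the liblognorm rulebase; extracted fields land under $!.
# useRawMsg="on" is an assumption: the rulebase quoted above starts at
# the timestamp, so the whole raw line is handed to the parser.
action(type="mmnormalize" useRawMsg="on"
       rulebase="/etc/rsyslog.d/postfix.rulebase")

# One template per target table. option.sql="on" makes rsyslog
# backslash-escape single quotes and backslashes in property values.
# Fields such as the recipient address come from untrusted mail traffic,
# and ommysql only accepts templates that carry an SQL option.
template(name="sql-mail" type="string" option.sql="on"
         string="INSERT INTO mail (received, host, mailid, address, status) VALUES ('%timereported:::date-mysql%', '%hostname%', '%$!mailid%', '%$!address%', '%$!status%')")

template(name="sql-router" type="string" option.sql="on"
         string="INSERT INTO router (received, host, message) VALUES ('%timereported:::date-mysql%', '%hostname%', '%msg%')")

# One action per template, each selected by its own filter.
# $parsesuccess is set by mmnormalize ("OK" or "FAIL"), so lines the
# rulebase did not match never reach the mail table with empty fields.
if $programname startswith "postfix" and $parsesuccess == "OK" then {
    action(type="ommysql" server="localhost" db="maillogs"
           uid="rsyslog" pwd="CHANGE_ME" template="sql-mail")
} else if $hostname startswith "router" then {
    action(type="ommysql" server="localhost" db="maillogs"
           uid="rsyslog" pwd="CHANGE_ME" template="sql-router")
}
```

Giving the database account used here INSERT privilege only on these tables limits what a malformed log line could do if escaping were ever bypassed.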