Awesome thanks David! The only thing is that when I use %TIMESTAMP% it looks like this:
May 2 16:17:24 192.168.5.153 :
May 2 16:17:24 192.168.5.154 :

I was looking for how to make it look like this:

2014-05-02T16:11:58.003716-04:00
2014-05-02T16:11:58.007823-04:00

Is there someplace in the documentation that shows that?

Thanks

Robert

On Fri, May 2, 2014 at 2:49 PM, David Lang <[email protected]> wrote:
> that looks about right.
>
> David Lang
>
> On Fri, 2 May 2014, robert s wrote:
>
>> Thanks David,
>>
>> So something like this?:
>>
>> template(name="FileFormat" type="string"
>>     string="%TIMESTAMP% %FROMHOST-IP% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
>> )
>>
>> Robert
>>
>> On Fri, May 2, 2014 at 1:49 PM, David Lang <[email protected]> wrote:
>>>
>>> Ok, this looks like you just need to make a new template that uses
>>> %fromhost-ip% instead of %hostname%
>>>
>>> David Lang
>>>
>>> On Fri, 2 May 2014, robert s wrote:
>>>
>>>> Date: Fri, 2 May 2014 12:13:21 -0400
>>>> From: robert s <[email protected]>
>>>> Reply-To: rsyslog-users <[email protected]>
>>>> To: rsyslog-users <[email protected]>
>>>> Subject: Re: [rsyslog] log output
>>>>
>>>> Thanks Rainer,
>>>>
>>>> using this filter:
>>>>
>>>> :fromhost, contains, "ldblzr" {
>>>>     action (type="omfile"
>>>>         template="RSYSLOG_DebugFormat"
>>>>         name="load"
>>>>         File="/var/log/swtichlog"
>>>>     )
>>>>     stop
>>>> }
>>>>
>>>> I get the following output:
>>>>
>>>> Debug line with all properties:
>>>> FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
>>>> 'switch1.ldblzr', PRI: 189,
>>>> syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
>>>> TIMESTAMP: 'May 2 12:08:16', STRUCTURED-DATA: '-',
>>>> msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
>>>> Ethernet124/1/16 is up in mode access'
>>>> escaped msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
>>>> Ethernet124/1/16 is up in mode access'
>>>> inputname: imudp rawmsg: '<189>: 2014 May 2 12:08:16 EDT:
>>>> %ETHPORT-5-IF_UP: Interface Ethernet124/1/16 is up in mode access'
>>>> $!:
>>>> $.:
>>>> $/:
>>>>
>>>> Debug line with all properties:
>>>> FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
>>>> 'switch1.ldblzr', PRI: 189,
>>>> syslogtag '1277235:', programname: '1277235', APP-NAME: '1277235',
>>>> PROCID: '-', MSGID: '-',
>>>> TIMESTAMP: 'May 2 12:08:23', STRUCTURED-DATA: '-',
>>>> msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
>>>> Interface GigabitEthernet0/11, changed state to down'
>>>> escaped msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line
>>>> protocol on Interface GigabitEthernet0/11, changed state to down'
>>>> inputname: imudp rawmsg: '<189>1277235: May 2 12:08:22.817 EDT:
>>>> %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
>>>> changed state to down'
>>>> $!:
>>>> $.:
>>>> $/:
>>>>
>>>> Debug line with all properties:
>>>> FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
>>>> 'switch1.ldblzr', PRI: 189,
>>>> syslogtag '1277236:', programname: '1277236', APP-NAME: '1277236',
>>>> PROCID: '-', MSGID: '-',
>>>> TIMESTAMP: 'May 2 12:08:26', STRUCTURED-DATA: '-',
>>>> msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
>>>> Interface GigabitEthernet0/11, changed state to up'
>>>> escaped msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line
>>>> protocol on Interface GigabitEthernet0/11, changed state to up'
>>>> inputname: imudp rawmsg: '<189>1277236: May 2 12:08:25.896 EDT:
>>>> %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
>>>> changed state to up'
>>>> $!:
>>>> $.:
>>>> $/:
>>>>
>>>> Robert
>>>>
>>>> On Fri, May 2, 2014 at 11:25 AM, Rainer Gerhards
>>>> <[email protected]> wrote:
>>>>>
>>>>> I guess the switch emits malformed format. Use the RSYSLOG_DebugFormat
>>>>> template for this action and post a sample from it. Note that each
>>>>> message will be output on multiple lines, with all the properties as
>>>>> rsyslog sees them. rawmsg is the most interesting one. Be sure to
>>>>> include all properties (messages are separated by a blank line with
>>>>> this template).
>>>>>
>>>>> Rainer
>>>>>
>>>>> On Fri, May 2, 2014 at 5:04 PM, robert s <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hello All,
>>>>>>
>>>>>> I wanted to see if anyone had run into this issue, I am currently
>>>>>> logging information from some switches, and I have those switches
>>>>>> locally listed on my /etc/hosts file with a specific suffix like:
>>>>>>
>>>>>> 10.0.0.5 switch1.ldblzr
>>>>>>
>>>>>> and I am filtering with a rule like this:
>>>>>>
>>>>>> :fromhost, contains, "ldblzr" {
>>>>>>     action (type="omfile"
>>>>>>         name="load"
>>>>>>         File="/var/log/swtichlog"
>>>>>>     )
>>>>>>     stop
>>>>>> }
>>>>>>
>>>>>> The issue that I am running into is that when the logs go to the
>>>>>> "switchlog". The way that they are being written is:
>>>>>>
>>>>>> 2014-05-02T09:19:14.004379-04:00 switch.ldbzr 98563: May 2
>>>>>> 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication failure for SNMP
>>>>>> req from host 10.0.0.3
>>>>>>
>>>>>> I would like them to be written as:
>>>>>>
>>>>>> 2014-05-02T09:19:14.004379-04:00 (IP ADDRESS INSTEAD OF HOSTNAME)
>>>>>> 98563: May 2 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication
>>>>>> failure for SNMP req from host 10.0.0.3
>>>>>>
>>>>>> I am wondering if this is a template issue or an output module
>>>>>> parameter issue, or just misconfiguration on my part?
>>>>>>
>>>>>> Any input will be appreciated
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>> Robert
>>>>>> _______________________________________________
>>>>>> rsyslog mailing list
>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>> http://www.rsyslog.com/professional-services/
>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
>>>>>> POST if you DON'T LIKE THAT.
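
The template and filter discussed in this thread, combined into one rsyslog configuration as an added example that is not part of the original messages. The template name `SwitchFileFormat` is a placeholder; `date-rfc3339` is the property option rsyslog's built-in `RSYSLOG_FileFormat` template applies to `%TIMESTAMP%`.

```conf
# Added example (not from the thread). "SwitchFileFormat" is a placeholder name.
#
# %TIMESTAMP:::date-rfc3339% renders the message timestamp as
#   2014-05-02T16:11:58.003716-04:00
# instead of the RFC 3164 default ("May  2 16:17:24").
#
# %FROMHOST-IP% is the address the receiver saw the message arrive from.
# It is not taken from the message text, but with imudp the source
# address is unauthenticated, so treat it as an attribution hint only.
template(name="SwitchFileFormat" type="string"
         string="%TIMESTAMP:::date-rfc3339% %FROMHOST-IP% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# To always record the receiver's own clock regardless of what the
# device sends, use %timegenerated:::date-rfc3339% in place of
# %TIMESTAMP:::date-rfc3339% in the string above.

# Same property-based filter as in the thread, now writing with the
# custom template instead of the default file format.
:fromhost, contains, "ldblzr" {
    action(type="omfile"
           name="load"
           file="/var/log/swtichlog"
           template="SwitchFileFormat")
    stop
}
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the daemon is restarted.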

