take a look at the options in www.rsyslog.com/doc/property_replacer.html

DateFormat        New format, additional parameter is needed. See below.
mysql             format as mysql date
pgsql             format as pgsql date
rfc3164           format as RFC 3164 date
rfc3164-buggyday  similar to date-rfc3164, but emulates a common coding error:
                  RFC 3164 demands that a space is written for single-digit
                  days. With this option, a zero is written instead. This
                  format seems to be used by syslog-ng and the
                  date-rfc3164-buggyday option can be used in migration
                  scenarios where otherwise lots of scripts would need to be
                  adjusted. It is recommended not to use this option when
                  forwarding to remote hosts - they may treat the date as
                  invalid (especially when parsing strictly according to
                  RFC 3164).
rfc3339           format as RFC 3339 date
unixtimestamp     format as unix timestamp (seconds since epoch)
subseconds        just the subseconds of a timestamp (always 0 for a low
                  precision timestamp)

David Lang

On Fri, 2 May 2014, robert s wrote:

Awesome thanks David!

The only thing is that when I use %TIMESTAMP% it looks like this:

May 2 16:17:24 192.168.5.153 :
May 2 16:17:24 192.168.5.154 :

I was looking for how to make it look like this:

2014-05-02T16:11:58.003716-04:00
2014-05-02T16:11:58.007823-04:00

Is there someplace in the documentation that shows that?

Thanks



Robert


On Fri, May 2, 2014 at 2:49 PM, David Lang <[email protected]> wrote:
that looks about right.


David Lang

On Fri, 2 May 2014, robert s wrote:

Thanks David,

So something like this?:

template(name="FileFormat" type="string"
         string="%TIMESTAMP% %FROMHOST-IP% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)



Robert


On Fri, May 2, 2014 at 1:49 PM, David Lang <[email protected]> wrote:

Ok, this looks like you just need to make a new template that uses
%fromhost-ip% instead of %hostname%

David Lang

On Fri, 2 May 2014, robert s wrote:

Date: Fri, 2 May 2014 12:13:21 -0400
From: robert s <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] log output


Thanks Rainer,

using this filter:

:fromhost, contains, "ldblzr" {
    action (type="omfile"
            template="RSYSLOG_DebugFormat"
            name="load"
            File="/var/log/swtichlog"
    )
    stop
}


I get the following output:


Debug line with all properties:
FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
'switch1.ldblzr', PRI: 189,
syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 2 12:08:16', STRUCTURED-DATA: '-',
msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
Ethernet124/1/16 is up in mode access'
escaped msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
Ethernet124/1/16 is up in mode access'
inputname: imudp rawmsg: '<189>: 2014 May 2 12:08:16 EDT:
%ETHPORT-5-IF_UP: Interface Ethernet124/1/16 is up in mode access'
$!:
$.:
$/:

Debug line with all properties:
FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
'switch1.ldblzr', PRI: 189,
syslogtag '1277235:', programname: '1277235', APP-NAME: '1277235',
PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 2 12:08:23', STRUCTURED-DATA: '-',
msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet0/11, changed state to down'
escaped msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line
protocol on Interface GigabitEthernet0/11, changed state to down'
inputname: imudp rawmsg: '<189>1277235: May 2 12:08:22.817 EDT:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
changed state to down'
$!:
$.:
$/:

Debug line with all properties:
FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
'switch1.ldblzr', PRI: 189,
syslogtag '1277236:', programname: '1277236', APP-NAME: '1277236',
PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 2 12:08:26', STRUCTURED-DATA: '-',
msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet0/11, changed state to up'
escaped msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line
protocol on Interface GigabitEthernet0/11, changed state to up'
inputname: imudp rawmsg: '<189>1277236: May 2 12:08:25.896 EDT:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
changed state to up'
$!:
$.:
$/:

Robert


On Fri, May 2, 2014 at 11:25 AM, Rainer Gerhards
<[email protected]> wrote:


I guess the switch emits malformed format. Use the RSYSLOG_DebugFormat
template for this action and post a sample from it. Note that each message
will be output on multiple lines, with all the properties as rsyslog sees
them. rawmsg is the most interesting one. Be sure to include all properties
(messages are separated by a blank line with this template).

Rainer


On Fri, May 2, 2014 at 5:04 PM, robert s <[email protected]>
wrote:

Hello All,

I wanted to see if anyone had run into this issue. I am currently
logging information from some switches, and I have those switches
locally listed on my /etc/hosts file with a specific suffix like:

 10.0.0.5            switch1.ldblzr

and I am filtering with a rule like this:

:fromhost, contains, "ldblzr" {
    action (type="omfile"
            name="load"
            File="/var/log/swtichlog"
    )
    stop
}

The issue that I am running into is that when the logs go to the
"switchlog", the way that they are being written is:

2014-05-02T09:19:14.004379-04:00 switch.ldbzr 98563: May  2
09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication failure for SNMP
req from host 10.0.0.3

I would like them to be written as:

2014-05-02T09:19:14.004379-04:00 (IP ADDRESS INSTEAD OF HOSTNAME)
98563: May  2 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication
failure for SNMP req from host 10.0.0.3

I am wondering if this is a template issue or an output module
parameter issue, or just misconfiguration on my part?

Any input will be appreciated

Thanks in advance


Robert
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
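
The template this thread converges on, as an added example that is not part of the original messages: the `%fromhost-ip%` substitution combined with the `date-rfc3339` option from the property replacer list, so each line carries the sender's IP and an RFC 3339 timestamp. The template name `SwitchFileFormat` is an assumption; the filter, action name and file path are the ones posted in the thread.

```rsyslog
# Added example, not from the original thread.
# "SwitchFileFormat" is a hypothetical template name.
#
# %TIMESTAMP% alone renders as RFC 3164 ("May 2 16:17:24");
# the date-rfc3339 option renders "2014-05-02T16:11:58.003716-04:00".
# %fromhost-ip% is the address rsyslog received the packet from,
# while %hostname% is taken from the message itself.
template(name="SwitchFileFormat" type="string"
         string="%TIMESTAMP:::date-rfc3339% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)

# To stamp lines with the receiver's clock instead of the
# timestamp parsed from the message, use
# %timegenerated:::date-rfc3339% in place of %TIMESTAMP:::date-rfc3339%.

:fromhost, contains, "ldblzr" {
    action(type="omfile"
           name="load"
           template="SwitchFileFormat"
           File="/var/log/swtichlog"
    )
    stop
}
```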
