I am running into strange behaviour in the handling of variables that are set from
remote messages.
a) remote messages
The template "plain-syslog" does NOT work for remote messages: the variable
values are NULL when messages from remote senders are processed.
The template "workarround" works, but only for plain message properties, not for
$! variables ($!country_code is NULL every time).
b) local messages
Everything works fine
I am not sure whether this is a configuration or a code issue (tested with
rsyslog 8.2.2).
Any help is appreciated.
Best regards
Joerg
# JSON format template for structured event forwarding to ElasticSearch
#
# ######### Fill variables with dynamic data through a template ##########
#
# NOTE(review): the "set $!..." statements below are outside any ruleset() block,
# so they execute only for messages that travel through the default ruleset.  An
# input bound directly to another ruleset (e.g. an imudp/imtcp input with
# ruleset="elasticsearch") never runs them, and its $! variables stay unset --
# presumably the reason remote messages show NULL values.  The input definitions
# are not part of this excerpt; confirm which ruleset the remote inputs use.
# Moving these statements into the "elasticsearch" ruleset would make them apply
# to every message that reaches the omelasticsearch action.
template(name="timereportedrfc3339" type="string"
string="%timereported:::date-rfc3339%")
# Render the RFC 3339 timestamp once and keep it in the $! tree so the JSON
# templates below can reference it as $!timereported.
set $!timereported = exec_template("timereportedrfc3339");
# ######### JSON format output ##########
#
# Copy message properties into the $! tree.  For remote messages $hostname,
# $syslogtag and $msg are sender-controlled; any template that embeds them in
# JSON has to escape them (see option.json="on" on the templates below).
set $!host = $hostname;
set $!severity = $syslogseverity-text;
set $!facility = $syslogfacility-text;
set $!syslogtag = $syslogtag;
set $!msg = $msg;
#if ( $!country_code == '' ) then
#{
# set $!country_code = "DE";
#}
# Unconditional default: overwrites any country_code a sender may have supplied.
set $!country_code = "DE";
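# ######### CEE-enhanced template to generate JSON documents for Elasticsearch ##########
#
# Needs mmjsonparse for handling CEE-enhanced syslog messages.
# NOTE(review): neither module(load="mmjsonparse") nor an action(type="mmjsonparse")
# appears in this excerpt, so $!all-json can only contain the variables assigned
# by the "set $!..." statements.  If the $! tree is empty for a message, the
# position.from="2" trick below leaves the output as an unterminated fragment
# ({"@timestamp":"...", followed by at most "}"), which is not valid JSON.
#
# Output shape: {"@timestamp":"<rfc3339>",<remainder of $!all-json>
# (the second line of the original header comment was missing its "#" prefix,
# which breaks parsing when the snippet is used verbatim)
template(name="cee-syslog"
type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")
    property(name="$!timereported")
    # The "," joins our timestamp to the serialized $! tree; position.from="2"
    # skips that tree's own opening "{" so the result stays one JSON object.
    constant(value="\",")
    property(name="$!all-json" position.from="2")
}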
# ######### Template to generate JSON documents for Elasticsearch ##########
#
# Builds the JSON document from the $! variables assigned by the "set $!..."
# statements earlier in the file.  Those assignments run in the ruleset where
# they appear (the default ruleset); a message that reaches the omelasticsearch
# action through a different ruleset arrives with every one of these variables
# unset -- consistent with the NULL values reported for remote messages.
#
# option.json="on" JSON-escapes each property value, so a sender-controlled
# $msg or $syslogtag containing quotes, backslashes or control characters
# cannot break out of its string field.  Keep it on whenever untrusted data
# is embedded in a hand-built JSON document.
template(name="plain-syslog"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"@timestamp\":\"")
property(name="$!timereported")
constant(value="\",\"host\":\"") property(name="$!host")
constant(value="\",\"severity\":\"")
property(name="$!severity")
constant(value="\",\"facility\":\"")
property(name="$!facility")
constant(value="\",\"syslogtag\":\"")
property(name="$!syslogtag")
constant(value="\",\"msg\":\"") property(name="$!msg")
constant(value="\",\"country_code\":\"")
property(name="$!country_code")
constant(value="\"}")
}
# Same document layout as "plain-syslog", but every field except country_code
# is read straight from the message properties (timereported, hostname, ...)
# instead of from $! variables.  It therefore does not depend on the
# "set $!..." statements having run, which is presumably why it works for
# remote messages while $!country_code -- the one field still taken from the
# $! tree -- comes out NULL for them.
#
# option.json="on" escapes all property values for JSON; for remote messages
# hostname, syslogtag and msg are attacker-controlled, so this is required.
# The template name is spelled exactly as the omelasticsearch action refers to
# it; rename both together.
template(name="workarround"
type="list"
option.json="on") {
constant(value="{")
constant(value="\"@timestamp\":\"")
property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"host\":\"")
property(name="hostname")
constant(value="\",\"severity\":\"")
property(name="syslogseverity-text")
constant(value="\",\"facility\":\"")
property(name="syslogfacility-text")
constant(value="\",\"syslogtag\":\"")
property(name="syslogtag")
constant(value="\",\"msg\":\"") property(name="msg")
constant(value="\",\"country_code\":\"")
property(name="$!country_code")
constant(value="\"}")
}
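module(load="omelasticsearch")
# ElasticSearch index template - "rsyslog-2012-05-10" to have our
# variable ElasticSearch index names
# (the second line of this comment lacked its "#" prefix in the original and
# would not parse; the legacy "$template" directive that followed it inside the
# ruleset block is replaced by an equivalent top-level template() object so the
# file uses a single template syntax)
#
# NOTE(review): the index name is derived from %timereported%, which for remote
# messages is the *sender's* timestamp.  A misconfigured or hostile sender can
# therefore place its events in any rsyslog-YYYY-MM-DD index (arbitrary past or
# future dates) and create an unbounded number of indices.  Characters 1..10 of
# a date-rfc3339 value are digits and dashes only, so the name cannot carry URL
# metacharacters, but if sender-supplied dates must not choose the index, route
# on %timegenerated% (local receipt time) instead.
template(name="searchindex" type="string"
string="rsyslog-%timereported:1:10:date-rfc3339%")
ruleset(name="elasticsearch") {
    # Only the "workarround" template is active; the other two are kept for
    # comparison while the $! variable problem is investigated.
    action(type="omelasticsearch"
    # template="cee-syslog"
    # template="plain-syslog"
    template="workarround"
    searchIndex="searchindex"
    dynSearchIndex="on"
    asyncrepl="on"
    searchType="events"
    # Plain HTTP without credentials is tolerable only because the target is the
    # loopback interface.  If server= is ever pointed at a remote host, switch to
    # usehttps="on" and supply uid/pwd.  The pwd that used to sit here was posted
    # to a public mailing list and must be treated as disclosed: rotate it before
    # using that account anywhere.
    server="localhost"
    serverport="9200"
    usehttps="off"
    # uid="testID"
    # pwd="<set a fresh secret; the previous value was published>"
    bulkmode="on"
    queue.dequeuebatchsize="5000"
    queue.saveonshutdown="on"
    queue.type="linkedlist"
    # timeoutenqueue="0": when the queue is full new messages are discarded at
    # once rather than blocking the input, so a sustained Elasticsearch outage
    # beyond the 2g disk limit means log loss, not a stall.
    queue.timeoutenqueue="0"
    queue.spoolDirectory="/var/spool/rsyslog"
    queue.filename="dbq"
    queue.maxdiskspace="2g"
    queue.maxfilesize="16m"
    queue.size="100000"
    queue.workerthreads="5"
    # Retry forever; combined with the disk queue this keeps events across
    # Elasticsearch restarts instead of dropping them after a fixed retry budget.
    action.resumeretrycount="-1")
}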