Hello Rainer,
day-to-day we are moving to a high-performance, flexible log-parsing/delivery
solution, thanks to Rsyslog :)
I have some feature ideas:
*I. Multi-line normalization*
The proc filesystem has a well-known multi-line syntax,
for example:
cat /proc/meminfo
MemTotal: 4010180 kB
MemFree: 1396880 kB
Buffers: 87444 kB
Cached: 1377868 kB
SwapCached: 5736 kB
...
It is easy to see the key/value tokens, one per line. Could Rsyslog &
normalization work this way:
1) open /proc/meminfo (how many bytes to read may be an im(file?) parameter)
2) mmnormalize will parse the multi-line string & make JSON according to the rulebase
variables
*II. Adding a mmnormalize char-count field type*
Let's parse DRBD status string:
0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r-----
There are special flags at the end of the DRBD status line: "r-----"; each flag uses
only one character.
Is it possible to add a new field type with the ability to match not by delimiter
but by character count:
Field type: 'char-count'
Matches: One or more characters, up to the length given in extra
data.
Extra data: Number
Example: %field_name:char-count:1%
*III. External field mapping*
Suppose we have a JSON:
{
  "acl_history": " PTR != HELO=+30; SPAMD=-2.5;",
  "acl_reason": "Accepted with score 30",
  "message_id": "1XEZGA-0006zm-Lb"
}
After mmjsonparse in some syslog gate we can use the JSON data as $!VARs.
It would be cool if this gate were able to map some keys to others:
acl_history => CmdbEximAclHistory
acl_reason => CmdbEximAclReason
message_id => CmdbEximMessageId
{
"CmdbEximAclHistory": " PTR != HELO=+30; SPAMD=-2.5;",
"CmdbEximAclReason": "Accepted with score 30",
"CmdbEximMessageId": "1XEZGA-0006zm-Lb"
}
The mapping can be stored in an external file.
This feature leads to simpler mapping code on the log-analysis side.
*IV. Dynamic variables in actions/rulesets*
The main idea is to use variables from parsed JSON, like
## DEFAULT ES INDEX ##
template(name="es_index-srvdate" type="list") {
    property(name="$!msg_class")
    constant(value="-")
    property(name="$!msg_view")
    constant(value="-")
    property(name="$year")
    constant(value=".")
    property(name="$month")
    constant(value=".")
    property(name="$day")
}
Right now it is impossible to use dynamic variables as action target/port/etc:
Works:
ruleset(name="relp_cee" queue.filename="relp_cee" ) {
action(type="omrelp" Template="cee" Target="core" Port="20514")
}
Does not work:
ruleset(name="relp_cee" queue.filename="$!_msg_template" ) {
action(type="omrelp" Template="$!_msg_template" Target="$!_msg_next_ip"
Port="$!_msg_next_port")
}
What do you think about these features?
/---/
*/Best regards,/*
/Eugene Istomin/
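
Added example, not part of the original message and not rsyslog or liblognorm code: a toy rule matcher in Python showing how the 'char-count' field type proposed in section II would split the DRBD flag string into one-character fields. The supported rule-syntax subset, the field names (minor, protocol, flag1 to flag6) and the function names are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the DRBD status line quoted in the message.
DRBD_LINE = "0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r-----"

# Hypothetical rule; flag1..flag6 are placeholder names for the six flags.
DRBD_RULE = (
    "%minor:number%: cs:%cs:word% ro:%ro:word% ds:%ds:word% "
    "%protocol:char-count:1% "
    + "".join(f"%flag{i}:char-count:1%" for i in range(1, 7))
)

# %name:type% or %name:type:extra%
FIELD = re.compile(r"%(\w+):([\w-]+)(?::([^%]*))?%")


def field_pattern(ftype, extra):
    """Translate one field type into a regular-expression fragment."""
    if ftype == "number":
        return r"[0-9]+"
    if ftype == "word":
        return r"\S+"
    if ftype == "char-count":
        # Proposed semantics: one or more characters, up to the given length.
        n = int(extra or 0)
        if n < 1:
            raise ValueError("char-count needs a positive length as extra data")
        return r".{1,%d}" % n
    raise ValueError(f"unsupported field type: {ftype}")


def compile_rule(rule):
    """Turn a rule string into a compiled regex with one named group per field."""
    parts, pos = [], 0
    for m in FIELD.finditer(rule):
        parts.append(re.escape(rule[pos:m.start()]))  # literal text between fields
        name, ftype, extra = m.groups()
        parts.append(f"(?P<{name}>{field_pattern(ftype, extra)})")
        pos = m.end()
    parts.append(re.escape(rule[pos:]))
    return re.compile("".join(parts))


def normalize(rule, line):
    """Return the extracted fields as a dict, or None if the line does not match."""
    m = compile_rule(rule).fullmatch(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print(json.dumps(normalize(DRBD_RULE, DRBD_LINE), indent=2))
```
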