On Wed, 12 Nov 2014, proinity GmbH wrote:
> I'm sending nginx logs to my rsyslog and struggle with the separator used in
> my logs.
> A log entry looks something like this (separated by |):
> 1415815576.616|defr|130.193.215.96|304|284|test.abc.com
> The rulebase I'm using is:
> rule=:
> %msec:word%\x7C%pop:word%\x7C%remote_addr:word%\x7C%status:word%\x7C%byte_send:word%\x7C%vhost:word%
> also tried this:
> rule=:
> %msec:word%|%pop:word%|%remote_addr:word%|%status:word%|%byte_send:word%|%vhost:word%
> Output in my log file on the rsyslog server:
> msg is ' 1415815576.616|defr|130.193.215.96|304|284|test.abc.com', {
> "originalmsg": " 1415815576.616|defr|130.193.215.96|304|284|test.abc.com",
> "unparsed-data": "" }
> msg is ' 1415815576.616|defr|130.193.215.96|304|284|test.abc.com', {
> "originalmsg": " 1415815576.616|defr|130.193.215.96|304|284|test.abc.com",
> "unparsed-data": "" }
> msg is ' 1415815576.631|defr|130.193.215.96|304|284|test.abc.com', {
> "originalmsg": " 1415815576.631|defr|130.193.215.96|304|284|test.abc.com",
> "unparsed-data": "" }
> For some reason it does not parse the log entries properly. I tested it with
> a space which is working but not with the | (pipe).

I think the problem is that word may include the pipe character; try replacing
it with the charto primitive.

David Lang

> Is there any special escaping required for the | or is this just not working
> at all?
> Thanks for your help,
> Sven
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
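
The behaviour suggested in the reply, as an added example that is not part of the original thread and is not liblognorm's code: a simplified model in which `word` reads up to the next space (so it swallows the pipes) while `char-to` stops at the given delimiter. The `normalize` function, the `char-to:|` rule string and the assumption that `char-to` fails when its delimiter is missing are illustrative.

```python
import re

# Simplified model of two liblognorm field parsers (illustrative, not liblognorm code):
#   word     -> one or more characters up to the next space or end of line
#   char-to  -> one or more characters up to a given delimiter (assumed to fail
#               when the delimiter never appears)
FIELD = re.compile(r"%([^:%]+):(?:word|char-to:(.))%")

# Constructed from the log entry and the second rule quoted in the thread.
LINE = "1415815576.616|defr|130.193.215.96|304|284|test.abc.com"
WORD_RULE = ("%msec:word%|%pop:word%|%remote_addr:word%|%status:word%"
             "|%byte_send:word%|%vhost:word%")
# Same rule with char-to:| for every field that is followed by a pipe.
CHARTO_RULE = ("%msec:char-to:|%|%pop:char-to:|%|%remote_addr:char-to:|%"
               "|%status:char-to:|%|%byte_send:char-to:|%|%vhost:word%")

def normalize(rule, msg):
    """Match msg against rule left to right; return the fields, or None on failure."""
    fields, pos, rpos = {}, 0, 0
    while rpos < len(rule):
        m = FIELD.match(rule, rpos)
        if m is None:
            # Literal rule text must match the message character for character.
            if pos >= len(msg) or msg[pos] != rule[rpos]:
                return None
            pos, rpos = pos + 1, rpos + 1
            continue
        name, delim = m.groups()
        end = msg.find(delim or " ", pos)
        if end == -1:
            if delim:          # char-to: delimiter missing
                return None
            end = len(msg)     # word: runs to end of line
        if end == pos:         # both parsers need at least one character
            return None
        fields[name] = msg[pos:end]
        pos, rpos = end, m.end()
    return fields if pos == len(msg) else None

if __name__ == "__main__":
    print("word rule:   ", normalize(WORD_RULE, LINE))     # msec swallows the whole line
    print("char-to rule:", normalize(CHARTO_RULE, LINE))
```
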