On Mon, 3 Aug 2015, David Spautz wrote:
Hi,
I fixed some syntax errors and used your helpful format to find out
which properties are available for filtering
(:property, [!]compare-operation, "value").
My new config looks like (see comments):
$SystemLogSocketAnnotate on # add _UID and other useful properties
$SystemLogParseTrusted on # Add trusted properties but I CAN'T FILTER by
those (see below)
$ActionFileDefaultTemplate RSYSLOG_DebugFormat
#:FROMHOST, isequal, "cassiopeia" -/var/log/nobody.log # works
#:$!['uid'], isequal, "2179" -/var/log/nobody.log #
not working (parsing error/ syntax error)
#:$!uid, isequal, "2179" -var/log/nobody.log
#not working (wrote every uid messages into that file)
This should work.
Try formatting it as
if $!uid == '2179' then /var/log/nobody.log
David Lang
# not working (wrote all different UID messages into that file)
#:$!uid, isequal, "2179" ~
#*.* /var/log/nobody.log
#:omusrmsg:_UID, isequal, "2179" -/var/log/nobody.log # not
working (msg: 'user name '"2179" -...' too long - ignored')
The result looks like:
Debug line with all properties:
FROMHOST: 'bar', fromhost-ip: '127.0.0.1', HOSTNAME: 'bar', PRI: 13,
syslogtag 'dsp:', programname: 'foo', APP-NAME: 'dsp', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Aug 3 14:18:24', STRUCTURED-DATA: '-',
msg: ' test'
escaped msg: ' test'
inputname: imuxsock rawmsg: '<13>Aug 3 14:18:24 foo: test'
$!:{ "pid": 8769, "uid": 2179, "gid": 2000, "appname": "logger", "cmd": "" }
$.:
$/:
How can I set up a filter for $!- properties?
Thanks
On 31/07/15 09:00, David Lang wrote:
On Fri, 31 Jul 2015, David Spautz wrote:
Hi all,
I use debian 8 (Jessie) and RSyslog 8.4.2
rsyslogd 8.4.2, compiled with:
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64
I tried to set up rsyslog to use trusted properties like UID to filter
messages and write them to UID-separated files
$ModLoad imuxsock
$InputUnixListenSocketAnnotate on
$SystemLogSocketAnnotate on
$SystemLogUsePIDFromSystem on
$SystemLogParseTrusted on
:_UID, isequal, "0" -/tmp/test.log
_UID is not a valid variable, all variables start with $
Write a log message with the format RSYSLOG_DebugFormat and it will
show you all the variables you have available to play with.
a hint, the trusted properties will show up under $! after you run
mmjsonparse. I haven't looked to see if they show up as anything other
than the text inside the message before you do that.
run rsyslogd -N2 before you try again and resolve any syntax errors.
When there are syntax errors in the config file, rsyslog is NOT going
to do what you want it to.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
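As an added example (not written by either poster and not taken from the rsyslog project), the configuration below combines the imuxsock settings quoted in the thread with the `if $!uid == '2179'` form suggested in the reply, and extends it to the original goal of one file per UID. The template name `PerUidFile`, the `/var/log/by-uid/` directory and the `$inputname` guard are assumptions of this example; behaviour on 8.4.2 specifically has not been confirmed in the thread.

```conf
# Added example; names and paths below are assumptions, not from the thread.
# RainerScript form of the legacy $SystemLog* directives quoted above:
# Annotate attaches the sender credentials obtained from the kernel,
# ParseTrusted exposes them as JSON fields ($!uid, $!gid, $!pid, ...),
# matching the "$!:{ ... }" line in the debug output shown in the thread.
module(load="imuxsock"
       SysSock.Annotate="on"
       SysSock.ParseTrusted="on"
       SysSock.UsePIDFromSystem="on")

# Dynamic file name built from the trusted UID,
# e.g. /var/log/by-uid/2179.log (constructed path).
template(name="PerUidFile" type="string"
         string="/var/log/by-uid/%$!uid%.log")

# Guard: only trust $!uid on messages that arrived via the local socket.
# On other inputs the $! tree can be filled from message content
# (for example by mmjsonparse), which the sender controls.
if $inputname == "imuxsock" and $!uid != "" then {
    # Single UID to a fixed file, as suggested in the reply above.
    if $!uid == '2179' then {
        action(type="omfile" file="/var/log/nobody.log")
    }
    # Every local sender to its own file.
    action(type="omfile" dynaFile="PerUidFile")
}
```

Check the file with `rsyslogd -N2`, as recommended earlier in the thread, before restarting the daemon.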