On Thu, Oct 29, 2015 at 9:52 AM, Dave Caplinger <[email protected]> wrote:
> There are two approaches:
>
> 1) Modify the syslog line to insert the property by using a template
>
> 2) Use JSON to preserve the original unmodified log line and add the
> property as an extra key/value pair
>
> Either way, I'd suggest you first validate if you have or can get a modern
> (v8) version of Rsyslog; your config snippet suggests you may be using
> version 5 or lower.
>
Yes, so RHEL 7 ships v7 right now, but they did not change the rsyslog.conf
file that ships with RHEL. :(
I have the ability to run v8, so I'd like to do #2. Here is a JSON
template that I use, would I reference the "$!roles" variable as below?

set $!roles = "openstack-0,controller,db"

template(name="mytemplate" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"@version\":\"2015.09.24-0")
    constant(value="\",\"message\":\"")
    property(name="msg" format="json")
    constant(value="\",\"hostname\":\"")
    property(name="hostname")
    constant(value="\",\"level\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"pid\":\"")
    property(name="procid")
    constant(value="\",\"roles\":\"")
    property(name="!roles")
    constant(value="\",\"rsyslog\": {")
    constant(value="\"facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"programname\":\"")
    property(name="programname")
    constant(value="\",\"fromhost\":\"")
    property(name="fromhost")
    constant(value="\",\"fromhost-ip\":\"")
    property(name="fromhost-ip")
    constant(value="\",\"timegenerated\":\"")
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value="\",\"protocol-version\":\"")
    property(name="protocol-version")
    constant(value="\",\"structured-data\":\"")
    property(name="structured-data")
    constant(value="\",\"app-name\":\"")
    property(name="app-name")
    constant(value="\",\"msgid\":\"")
    property(name="msgid")
    constant(value="\",\"inputname\":\"")
    property(name="inputname")
    constant(value="\"} }")
}

So since I have a number of systems that are running v5 and v7 of rsyslog,
is there a way in those versions to modify the
RSYSLOG_SyslogProtocol23Format template to add a constant value?
Thanks!
-peter
>
> --
> Dave Caplinger | Director, Technical Product Management
> Solutionary — An NTT Group Security Company
>
> > On Oct 29, 2015, at 6:53 AM, Peter Portante <[email protected]> wrote:
> >
> > Hi Folks,
> >
> > First post on this list.
> >
> > I would like to be able to add a property to a log message on the fly
> > before forwarding the log message to a remote syslog server. I would use
> > this property value to indicate one or more groups and/or roles the host
> > machine participates in or fulfills.
> >
> > For example:
> >
> > $ModLoad imjournal
> > $IMJournalStateFile imjournal.state
> > $ActionForwardDefaultTemplate RSYSLOG_SyslogProtocol23Format
> > $PreserveFQDN on
> >
> > set $!roles = "perf-dept-openstack,controller,db"
> >
> > *.* @@10.16.28.160:514
> >
> >
> > So would I just make a custom template that does the same thing as syslog
> > protocol 23 format offers? Or can I add that property there easily?
> >
> > Thanks,
> >
> > -peter
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
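
Added example, not part of the original thread: an rsyslog v8 configuration for approach 2, in which the list template reads the variable as `$!roles` and every string field uses `format="json"`, so that a quote or backslash inside a logged value (structured data normally contains quotes) cannot break the JSON object or inject extra keys at the receiver. The template name `json_with_roles` and the reduced field set are assumptions for illustration; the roles value and the forwarding target are taken from the thread.

```rsyslog
# Added example for rsyslog v8 (RainerScript syntax); not from the thread.
module(load="imjournal" StateFile="imjournal.state")
global(preserveFQDN="on")

# Message variable carrying this host's roles (value from the thread).
set $!roles = "openstack-0,controller,db";

# Hypothetical template name. Inside property(), variables are addressed
# with the "$" prefix. format="json" escapes quotes, backslashes and
# control characters in the emitted value; without it the raw value is
# written between the quotes of the constant() parts.
template(name="json_with_roles" type="list") {
    constant(value="{\"@timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"message\":\"")
    property(name="msg" format="json")
    constant(value="\",\"hostname\":\"")
    property(name="hostname" format="json")
    constant(value="\",\"level\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"roles\":\"")
    property(name="$!roles" format="json")
    constant(value="\",\"programname\":\"")
    property(name="programname" format="json")
    constant(value="\",\"app-name\":\"")
    property(name="app-name" format="json")
    constant(value="\",\"msgid\":\"")
    property(name="msgid" format="json")
    # Structured data such as [id@1 key="value"] carries literal quotes.
    constant(value="\",\"structured-data\":\"")
    property(name="structured-data" format="json")
    constant(value="\"}")
}

# Forward over TCP (what "@@" selects in legacy syntax) with the template.
action(type="omfwd" target="10.16.28.160" port="514" protocol="tcp"
       template="json_with_roles")
```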