On Thu, 29 Oct 2015, Peter Portante wrote:

On Thu, Oct 29, 2015 at 9:52 AM, Dave Caplinger <[email protected]> wrote:

There are two approaches:

1) Modify the syslog line to insert the property by using a template
2) Use JSON to preserve the original unmodified log line and add the
property as an extra key/value pair

Either way, I'd suggest you first validate if you have or can get a modern
(v8) version of Rsyslog; your config snippet suggests you may be using
version 5 or lower.

Yes, so RHEL 7 ships v7 right now, but they did not change the rsyslog.conf
file that ships with RHEL. :(

I have the ability to run v8, so I'd like to do #2. Here is a JSON
template that I use, would I reference the "$!roles" variable as below?

set $!roles = "openstack-0,controller,db"
template(name="mytemplate" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"@version\":\"2015.09.24-0")
    constant(value="\",\"message\":\"") property(name="msg" format="json")
    constant(value="\",\"hostname\":\"")
    property(name="hostname")
    constant(value="\",\"level\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"pid\":\"")
    property(name="procid")
    constant(value="\",\"roles\":\"")
    property(name="!roles")
    constant(value="\",\"rsyslog\": {")
    constant(value="\"facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"programname\":\"")
    property(name="programname")
    constant(value="\",\"fromhost\":\"")
    property(name="fromhost")
    constant(value="\",\"fromhost-ip\":\"")
    property(name="fromhost-ip")
    constant(value="\",\"timegenerated\":\"")
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value="\",\"protocol-version\":\"")
    property(name="protocol-version")
    constant(value="\",\"structured-data\":\"")
    property(name="structured-data")
    constant(value="\",\"app-name\":\"")
    property(name="app-name")
    constant(value="\",\"msgid\":\"")
    property(name="msgid")
    constant(value="\",\"inputname\":\"")
    property(name="inputname")
    constant(value="\"} }")
}

So since I have a number of systems that are running v5 and v7 of rsyslog,
is there a way in those versions to modify the
RSYSLOG_SyslogProtocol23Format template to add a constant value?

you are working too hard on this.

create a template similar to:

$template structuredmsg,"<%pri%>%timereported% %hostname% %syslogtag% @cee:%$!%\n"

then log things with the format RSYSLOG_DebugFormat and make sure that
everything you want to send to the far side shows up in either hostname,
programname, facility/severity, or as a $! variable.

if you use mmjsonparse, it will parse the message if it's json, and it will make
$!msg = $msg if it's not json.

you then send via the structuredmsg I show above, and on the receiving system,
use mmjsonparse and it will recreate the $! variables that you sent (validate
via RSYSLOG_DebugFormat).

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
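
The round trip described in David Lang's reply, written out in v8 RainerScript syntax as an added example (not configuration posted in the thread). The target logs.example.net, port 514 and all file paths are assumptions; the sender and receiver halves belong on different hosts.

```rsyslog
# ---- sender: /etc/rsyslog.d/50-forward.conf (path is an assumption) ----
module(load="mmjsonparse")

# Same wire format as the structuredmsg template in the reply, in v8
# syntax: syslog header, the @cee: cookie, then the whole $! tree as JSON.
template(name="structuredmsg" type="string"
         string="<%pri%>%timereported% %hostname% %syslogtag% @cee:%$!%\n")

# Messages carrying @cee: JSON are parsed into $!; for everything else
# mmjsonparse sets $!msg to the message text.
action(type="mmjsonparse")

# The extra key/value pair from the question.
set $!roles = "openstack-0,controller,db";

# Local check: RSYSLOG_DebugFormat prints every property plus the $!
# tree, so you can see exactly what will go over the wire.
action(type="omfile" file="/var/log/rsyslog-debug.log"
       template="RSYSLOG_DebugFormat")

# logs.example.net:514 is a placeholder target.
action(type="omfwd" target="logs.example.net" port="514" protocol="tcp"
       template="structuredmsg")

# ---- receiver: /etc/rsyslog.d/50-receive.conf (path is an assumption) ----
module(load="imtcp")
module(load="mmjsonparse")
input(type="imtcp" port="514")

# Rebuilds $!msg and $!roles from the JSON after the @cee: cookie.
action(type="mmjsonparse")

# $parsesuccess is "OK" only when the payload parsed as JSON. Every $!
# value is sender-supplied, so treat $!roles as a claim, not a fact.
if $parsesuccess == "OK" then {
    action(type="omfile" file="/var/log/remote-structured.log"
           template="RSYSLOG_DebugFormat")
} else {
    action(type="omfile" file="/var/log/remote-unparsed.log")
}
```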