2015-11-04 8:49 GMT+01:00 Radu Gheorghe <[email protected]>: > Hello and thanks for your replies! > > @David: yes, I tried that and didn't see any config errors. > > @Rainer: I thought this is strictured data: [origin > software="rsyslogd" swVersion="8.13.0" > x-pid="1623" x-info="http://www.rsyslog.com";]
It was ... long time ago. When we wrote RFC5424, I used rsyslog as testbed. Unfortunately, the structured data format was changed pretty late in the process, when rsyslog had adopted it for quite some month (I think even 2 years or so). So I decided not to update rsyslog's format, because I knew there were scripts who already depend on it. See RFC5424 for the final definition. Hope that clarifies, Rainer > -- > Performance Monitoring * Log Analytics * Search Analytics > Solr & Elasticsearch Support * http://sematext.com/ > > > On Tue, Nov 3, 2015 at 8:51 PM, Rainer Gerhards > <[email protected]> wrote: >> Mmmhhhh... There is no structured data in that message, hence nothing is >> populated. The dash is the nilvalue. >> >> Rainer >> >> Sent from phone, thus brief. >> Am 03.11.2015 17:47 schrieb "Radu Gheorghe" <[email protected]>: >> >>> Hi David, >>> >>> Here's how the debug template writes with a "server" config like the >>> one I pasted in the first Email: >>> >>> Debug line with all properties: >>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: >>> 'rgheorghe-ubuntu', PRI: 46, >>> syslogtag 'rsyslogd', programname: 'rsyslogd', APP-NAME: 'rsyslogd', >>> PROCID: '-', MSGID: '-', >>> TIMESTAMP: 'Nov 3 18:38:09', STRUCTURED-DATA: '-', >>> msg: ' [origin software="rsyslogd" swVersion="8.13.0" x-pid="1623" >>> x-info="http://www.rsyslog.com";] start' >>> escaped msg: ' [origin software="rsyslogd" swVersion="8.13.0" >>> x-pid="1623" x-info="http://www.rsyslog.com";] start' >>> inputname: imtcp rawmsg: '<46>1 2015-11-03T18:38:09.287115+02:00 >>> rgheorghe-ubuntu rsyslogd - - - [origin software="rsyslogd" >>> swVersion="8.13.0" x-pid="1623" x-info="http://www.rsyslog.com";] >>> start' >>> $!: >>> $.: >>> $/: >>> >>> So it sounds like rsyslog parses the RFC5424 message, but mmpstrucdata >>> doesn't seem to put anything in that $! variable. >>> >>> Thanks and best regards, >>> Radu >>> -- >>> Performance Monitoring * Log Analytics * Search Analytics >>> Solr & Elasticsearch Support * http://sematext.com/ >>> >>> >>> On Mon, Nov 2, 2015 at 7:45 PM, David Lang <[email protected]> wrote: >>> > can you show us a same of the rawlog that you are receiving? >>> > >>> > among other things, it shows up with the template RSYSLOG_DebugFormat >>> > >>> > David Lang >>> > >>> > On Mon, 2 Nov 2015, Radu Gheorghe wrote: >>> > >>> >> Date: Mon, 2 Nov 2015 14:13:23 +0200 >>> >> From: Radu Gheorghe <[email protected]> >>> >> Reply-To: rsyslog-users <[email protected]> >>> >> To: rsyslog-users <[email protected]> >>> >> Subject: [rsyslog] mmpstrucdata doesn't seem to work >>> >> >>> >> >>> >> Hello rsysloggers :) >>> >> >>> >> I'm having trouble setting up mmpstrucdata (running on 64-bit Ubuntu >>> >> 14.04 with rsyslog 8.13 installed from the official packages, if it >>> >> matters). >>> >> >>> >> I've followed the docs >>> >> >>> >> ( >>> http://www.rsyslog.com/doc/v8-stable/configuration/modules/mmpstrucdata.html >>> ) >>> >> and I didn't get anything out of the $! or the $!rfc5424-sd variables. >>> >> I've changed the jsonRoot path - still no go. Tried with $!all-json - >>> >> nothing. And by "nothing", I mean "the contents of these variables are >>> >> always empty". Except for $!all-json, which naturally shows an empty >>> >> JSON. >>> >> >>> >> I see there is a test there on the testbench so I figured I must be >>> >> doing something wrong, then I tried to emulate that. Here's my last >>> >> (failed) attempt: >>> >> >>> >> Server config: >>> >> --------- >>> >> module(load="imtcp") >>> >> module(load="mmpstrucdata") >>> >> >>> >> input(type="imtcp" port="514") >>> >> action(type="mmpstrucdata") >>> >> >>> >> template(name="jsondump" type="string" string="%$!%\n") >>> >> >>> >> action(type="omfile" >>> >> file="/var/log/test" >>> >> template="jsondump") >>> >> --------- >>> >> >>> >> Client config: >>> >> -------- >>> >> module(load="imuxsock") >>> >> >>> >> action(type="omfwd" >>> >> protocol="tcp" >>> >> target="127.0.0.1" >>> >> port="514" >>> >> template="RSYSLOG_SyslogProtocol23Format") >>> >> -------- >>> >> >>> >> If I had to bet, I'd still go for me missing something (as I would >>> >> expect the test to fail otherwise). Can someone confirm that >>> >> mmpstrucdata still works on 8.13 and show an example config? Does >>> >> anyone use this module at all? (I wouldn't blame anyone if they don't >>> >> use it, I prefer JSON in the message anyway :p) >>> >> >>> >> Thanks and best regards, >>> >> Radu >>> >> -- >>> >> Performance Monitoring * Log Analytics * Search Analytics >>> >> Solr & Elasticsearch Support * http://sematext.com/ >>> >> _______________________________________________ >>> >> rsyslog mailing list >>> >> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> >> http://www.rsyslog.com/professional-services/ >>> >> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>> DON'T >>> >> LIKE THAT. >>> >> >>> > _______________________________________________ >>> > rsyslog mailing list >>> > http://lists.adiscon.net/mailman/listinfo/rsyslog >>> > http://www.rsyslog.com/professional-services/ >>> > What's up with rsyslog? Follow https://twitter.com/rgerhards >>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>> of >>> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >>> > LIKE THAT. >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com/professional-services/ >>> What's up with rsyslog? Follow https://twitter.com/rgerhards >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >>> DON'T LIKE THAT. >>> >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
