Oh, right! It does clarify! Thanks!

--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Wed, Nov 4, 2015 at 11:58 AM, Rainer Gerhards <[email protected]> wrote:
> 2015-11-04 8:49 GMT+01:00 Radu Gheorghe <[email protected]>:
>> Hello and thanks for your replies!
>>
>> @David: yes, I tried that and didn't see any config errors.
>>
>> @Rainer: I thought this is structured data: [origin
>> software="rsyslogd" swVersion="8.13.0"
>> x-pid="1623" x-info="http://www.rsyslog.com"]
>
> It was ... long time ago. When we wrote RFC5424, I used rsyslog as
> testbed. Unfortunately, the structured data format was changed pretty
> late in the process, when rsyslog had adopted it for quite some months
> (I think even 2 years or so). So I decided not to update rsyslog's
> format, because I knew there were scripts who already depend on it.
>
> See RFC5424 for the final definition.
>
> Hope that clarifies,
> Rainer
>> --
>> Performance Monitoring * Log Analytics * Search Analytics
>> Solr & Elasticsearch Support * http://sematext.com/
>>
>>
>> On Tue, Nov 3, 2015 at 8:51 PM, Rainer Gerhards
>> <[email protected]> wrote:
>>> Mmmhhhh... There is no structured data in that message, hence nothing is
>>> populated. The dash is the nilvalue.
>>>
>>> Rainer
>>>
>>> Sent from phone, thus brief.
>>> On 03.11.2015 17:47, "Radu Gheorghe" <[email protected]> wrote:
>>>
>>>> Hi David,
>>>>
>>>> Here's how the debug template writes with a "server" config like the
>>>> one I pasted in the first Email:
>>>>
>>>> Debug line with all properties:
>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME:
>>>> 'rgheorghe-ubuntu', PRI: 46,
>>>> syslogtag 'rsyslogd', programname: 'rsyslogd', APP-NAME: 'rsyslogd',
>>>> PROCID: '-', MSGID: '-',
>>>> TIMESTAMP: 'Nov 3 18:38:09', STRUCTURED-DATA: '-',
>>>> msg: ' [origin software="rsyslogd" swVersion="8.13.0" x-pid="1623"
>>>> x-info="http://www.rsyslog.com"] start'
>>>> escaped msg: ' [origin software="rsyslogd" swVersion="8.13.0"
>>>> x-pid="1623" x-info="http://www.rsyslog.com"] start'
>>>> inputname: imtcp rawmsg: '<46>1 2015-11-03T18:38:09.287115+02:00
>>>> rgheorghe-ubuntu rsyslogd - - - [origin software="rsyslogd"
>>>> swVersion="8.13.0" x-pid="1623" x-info="http://www.rsyslog.com"]
>>>> start'
>>>> $!:
>>>> $.:
>>>> $/:
>>>>
>>>> So it sounds like rsyslog parses the RFC5424 message, but mmpstrucdata
>>>> doesn't seem to put anything in that $! variable.
>>>>
>>>> Thanks and best regards,
>>>> Radu
>>>> --
>>>> Performance Monitoring * Log Analytics * Search Analytics
>>>> Solr & Elasticsearch Support * http://sematext.com/
>>>>
>>>>
>>>> On Mon, Nov 2, 2015 at 7:45 PM, David Lang <[email protected]> wrote:
>>>> > can you show us a sample of the rawlog that you are receiving?
>>>> >
>>>> > among other things, it shows up with the template RSYSLOG_DebugFormat
>>>> >
>>>> > David Lang
>>>> >
>>>> > On Mon, 2 Nov 2015, Radu Gheorghe wrote:
>>>> >
>>>> >> Date: Mon, 2 Nov 2015 14:13:23 +0200
>>>> >> From: Radu Gheorghe <[email protected]>
>>>> >> Reply-To: rsyslog-users <[email protected]>
>>>> >> To: rsyslog-users <[email protected]>
>>>> >> Subject: [rsyslog] mmpstrucdata doesn't seem to work
>>>> >>
>>>> >>
>>>> >> Hello rsysloggers :)
>>>> >>
>>>> >> I'm having trouble setting up mmpstrucdata (running on 64-bit Ubuntu
>>>> >> 14.04 with rsyslog 8.13 installed from the official packages, if it
>>>> >> matters).
>>>> >>
>>>> >> I've followed the docs
>>>> >>
>>>> >> (http://www.rsyslog.com/doc/v8-stable/configuration/modules/mmpstrucdata.html)
>>>> >> and I didn't get anything out of the $! or the $!rfc5424-sd variables.
>>>> >> I've changed the jsonRoot path - still no go. Tried with $!all-json -
>>>> >> nothing. And by "nothing", I mean "the contents of these variables are
>>>> >> always empty". Except for $!all-json, which naturally shows an empty
>>>> >> JSON.
>>>> >>
>>>> >> I see there is a test there on the testbench so I figured I must be
>>>> >> doing something wrong, then I tried to emulate that.
>>>> >> Here's my last (failed) attempt:
>>>> >>
>>>> >> Server config:
>>>> >> ---------
>>>> >> module(load="imtcp")
>>>> >> module(load="mmpstrucdata")
>>>> >>
>>>> >> input(type="imtcp" port="514")
>>>> >> action(type="mmpstrucdata")
>>>> >>
>>>> >> template(name="jsondump" type="string" string="%$!%\n")
>>>> >>
>>>> >> action(type="omfile"
>>>> >>        file="/var/log/test"
>>>> >>        template="jsondump")
>>>> >> ---------
>>>> >>
>>>> >> Client config:
>>>> >> --------
>>>> >> module(load="imuxsock")
>>>> >>
>>>> >> action(type="omfwd"
>>>> >>        protocol="tcp"
>>>> >>        target="127.0.0.1"
>>>> >>        port="514"
>>>> >>        template="RSYSLOG_SyslogProtocol23Format")
>>>> >> --------
>>>> >>
>>>> >> If I had to bet, I'd still go for me missing something (as I would
>>>> >> expect the test to fail otherwise). Can someone confirm that
>>>> >> mmpstrucdata still works on 8.13 and show an example config? Does
>>>> >> anyone use this module at all? (I wouldn't blame anyone if they don't
>>>> >> use it, I prefer JSON in the message anyway :p)
>>>> >>
>>>> >> Thanks and best regards,
>>>> >> Radu
>>>> >> --
>>>> >> Performance Monitoring * Log Analytics * Search Analytics
>>>> >> Solr & Elasticsearch Support * http://sematext.com/
>>>> >> _______________________________________________
>>>> >> rsyslog mailing list
>>>> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> >> http://www.rsyslog.com/professional-services/
>>>> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> >> DON'T LIKE THAT.
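
Added illustration (not part of the thread, and not rsyslog or mmpstrucdata code): a small RFC 5424 field splitter run over the rawmsg quoted above, showing that its STRUCTURED-DATA field is the nilvalue `-` and the `[origin ...]` text falls into MSG. The function names and the `IN_SD_FIELD` variant are constructed for the example.

```python
import re

# Header per RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD [SP MSG]
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.S)
SD_ID = re.compile(r'\[([^ =\]"]+)')
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:\\.|[^"\\\]])*)"', re.S)

def parse_sd(rest):
    """Split 'STRUCTURED-DATA [SP MSG]' into (elements or None, msg)."""
    if rest == "-" or rest.startswith("- "):
        return None, rest[2:]  # NILVALUE: an SD parser has nothing to extract
    elements, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ID.match(rest, pos)
        if not m:
            raise ValueError("bad SD-ID")
        sd_id, pos, params = m.group(1), m.end(), {}
        p = SD_PARAM.match(rest, pos)
        while p:
            # undo the escaping RFC 5424 requires for '"', '\' and ']'
            params[p.group(1)] = re.sub(r'\\(["\\\]])', r"\1", p.group(2))
            pos = p.end()
            p = SD_PARAM.match(rest, pos)
        if pos >= len(rest) or rest[pos] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        elements[sd_id], pos = params, pos + 1
    if not elements or (pos < len(rest) and rest[pos] != " "):
        raise ValueError("STRUCTURED-DATA must be '-' or 1*SD-ELEMENT")
    return elements, rest[pos + 1:]

def parse_rfc5424(line):
    m = HEADER.fullmatch(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri, _ver, _ts, host, app, procid, msgid, rest = m.groups()
    sd, msg = parse_sd(rest)
    return {"pri": int(pri), "hostname": host, "app-name": app,
            "procid": procid, "msgid": msgid, "structured-data": sd, "msg": msg}

ORIGIN = ('[origin software="rsyslogd" swVersion="8.13.0" x-pid="1623" '
          'x-info="http://www.rsyslog.com"]')
PREFIX = "<46>1 2015-11-03T18:38:09.287115+02:00 rgheorghe-ubuntu rsyslogd - - "
AS_SENT = PREFIX + "- " + ORIGIN + " start"   # rawmsg quoted in the thread
IN_SD_FIELD = PREFIX + ORIGIN + " start"      # constructed variant, not from the thread

if __name__ == "__main__":
    for name, line in (("as sent", AS_SENT), ("in SD field", IN_SD_FIELD)):
        r = parse_rfc5424(line)
        print(name, "| STRUCTURED-DATA:", r["structured-data"], "| MSG:", repr(r["msg"]))
```

A collector rule or detection that keys on structured-data parameters sees nothing for the first message, so the same check against a sample rawmsg is worth running before relying on such fields.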

