I run mmnormalize twice because I need to use different rulebases for
different rulesets associated with imfile input.
If I move "set $!@timestamp = exec_template("timereportedrfc3339"); set $!host = $hostname;"
outside of the rulesets (expecting them to share those variables),
mmnormalize just doesn't include them in the generated JSON. So, I end up
having tags from mmnormalize rulebase parsing but not the $! variables in
the JSON.
On Fri, Nov 20, 2015 at 11:00 AM, David Lang <[email protected]> wrote:
> On Fri, 20 Nov 2015, Alec Swan wrote:
>
> Hello,
>>
>> I have multiple rulesets where I call mmnormalize. I noticed that I have
>> to duplicate $! variables in each ruleset for mmnormalize to include them
>> in the $!all-json variable. Is there a way to avoid this duplication below?
>>
>> template(name="es-payload" type="list") {
>>     property(name="$!all-json")
>> }
>>
>> ruleset(name="cassandra-log") {
>>     # duplicated in every ruleset
>>     set $!@timestamp = exec_template("timereportedrfc3339");
>>     set $!host = $hostname;
>>
>>     action(type="mmnormalize"
>>            rulebase="/etc/rsyslog.d/rules/cassandra.log.rb")
>> }
>>
>> ruleset(name="cassandra-system") {
>>     # duplicated in every ruleset
>>     set $!@timestamp = exec_template("timereportedrfc3339");
>>     set $!host = $hostname;
>>
>>     action(type="mmnormalize"
>>            rulebase="/etc/rsyslog.d/rules/cassandra-system.log.rb")
>> }
>>
>
> my experience has been that if you have a name duplicated, it gets
> overwritten.
>
> can you give an example of the log output?
>
> also, why are you running mmnormalize twice instead of just combining the
> rulebases?
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>