Rulesets aren't scoping as you are thinking about them, they are more function calls. If you set a ruleset on an input, then nothing outside of that ruleset is going to be applied to any logs from that input.

anything not in an explicit ruleset is in the implicit 'main' ruleset.

things in rulesets only get executed if the 'program flow' (for lack of a better phrase) includes that ruleset.

David Lang

On Sat, 21 Nov 2015, Alec Swan wrote:


I tried setting $!@timestamp at the very bottom of the file but mmnormalize
calls from inside rulesets did not pick those up. I ran multiple tests and
confirmed that $!@timestamp has to be set within the ruleset where
mmnormalize is called in order for the JSON produced by mmnormalize to have
@timestamp element. It's not a big deal, but I wish regular variable
scoping rules applied to rulesets as well.

Thanks!

On Fri, Nov 20, 2015 at 3:22 PM, David Lang <[email protected]> wrote:

by default, mmnormalize only parsed $msg, it has an option to let you
parse anything else. I posted a lengthy message yesterday talking about how
I create a string $.stdmsg that includes different variables and then have
mmnormalize parse it instead of $msg.

the json generated by mmnormalize should be added to anything already in
$! (if not, this needs to be an option), but if it's not showing up, try
setting $!@timestamp after the mmnormalize statement.

David Lang



On Fri, 20 Nov 2015, Alec Swan wrote:

I run mmnormalize twice because I need to use different rulebases for
different rulesets associated with imfile input.

If I move "set $!@timestamp = exec_template("timereportedrfc3339");
set $!host = $hostname;" outside of rulesets (expecting them to share
those variables) mmnormalize just doesn't include them in JSON generated.
So, I end up having tags from mmnormalize rulebase parsing but not the $!
variables in JSON.

On Fri, Nov 20, 2015 at 11:00 AM, David Lang <[email protected]> wrote:

On Fri, 20 Nov 2015, Alec Swan wrote:

Hello,


I have multiple rulesets where I call mmnormalize. I noticed that I have
to duplicate $! variables in each ruleset for mmnormalize to include them
in the $!all-json variable. Is there a way to avoid this duplication below?

template(name="es-payload" type="list") {
    property(name="$!all-json")
}

ruleset(name="cassandra-log") {
    # these two set statements are duplicated in each ruleset
    set $!@timestamp = exec_template("timereportedrfc3339");
    set $!host = $hostname;

    action(type="mmnormalize" rulebase="/etc/rsyslog.d/rules/cassandra.log.rb")
}

ruleset(name="cassandra-system") {
    # these two set statements are duplicated in each ruleset
    set $!@timestamp = exec_template("timereportedrfc3339");
    set $!host = $hostname;

    action(type="mmnormalize" rulebase="/etc/rsyslog.d/rules/cassandra-system.log.rb")
}


my experience has been that if you have a name duplicated, it gets
overwritten.

can you give an example of the log output?

also, why are you running mmnormalize twice instead of just combining the
rulebases?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
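
Added example, not part of the original thread and not the rsyslog project's own configuration: one way to avoid the duplication is to take the "rulesets are more like function calls" description literally, put the shared set statements in their own ruleset, and invoke it with call. The ruleset name set-common, the template definition, and the input file paths and tags are assumptions made for illustration; it also assumes set-common has no queue of its own, so call runs it synchronously on the same message.

```rsyslog
module(load="imfile")
module(load="mmnormalize")

# Assumed definition of the template the thread refers to by name.
template(name="timereportedrfc3339" type="string"
         string="%timereported:::date-rfc3339%")

template(name="es-payload" type="list") {
    property(name="$!all-json")
}

# Hypothetical helper ruleset holding the shared $! variables.
# No queue is assigned, so "call" executes it in the caller's flow
# and the variables it sets stay on the message being processed.
ruleset(name="set-common") {
    set $!@timestamp = exec_template("timereportedrfc3339");
    set $!host = $hostname;
}

ruleset(name="cassandra-log") {
    call set-common
    action(type="mmnormalize"
           rulebase="/etc/rsyslog.d/rules/cassandra.log.rb")
}

ruleset(name="cassandra-system") {
    call set-common
    action(type="mmnormalize"
           rulebase="/etc/rsyslog.d/rules/cassandra-system.log.rb")
}

# Constructed inputs: each one is bound to a ruleset, so only that
# ruleset (and whatever it calls) is applied to its log lines.
input(type="imfile" file="/var/log/cassandra/cassandra.log"
      tag="cassandra-log:" ruleset="cassandra-log")
input(type="imfile" file="/var/log/cassandra/system.log"
      tag="cassandra-system:" ruleset="cassandra-system")
```

Statements left at the bottom of the file belong to the implicit main ruleset and are never reached by messages from these inputs, which is why the variables have to be set inside the flow of each bound ruleset.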
