Interesting. Does this mean that variables declared outside of ruleset
cannot be referenced from within ruleset as shown below? If so, then it
would seem somewhat counterintuitive. If not, then it's inconsistent with
the scoping rules you described.
    set host='127.0.0.1'
    ruleset(name = "mylogs") {
        action(type = "omelasticsearch"
               ...
               server = host
               ...
        )
    }
On Sat, Nov 21, 2015 at 5:39 PM, David Lang <[email protected]> wrote:
> Rulesets aren't scoping as you are thinking about them, they are more
> function calls. If you set a ruleset on an input, then nothing outside of
> that ruleset is going to be applied to any logs from that input.
>
> anything not in an explicit ruleset is in the implicit 'main' ruleset.
>
> things in rulesets only get executed if the 'program flow' (for lack of a
> better phrase) includes that ruleset.
>
> David Lang
>
>
> On Sat, 21 Nov 2015, Alec Swan wrote:
>
>
>> I tried setting $!@timestamp at the very bottom of the file but mmnormalize
>> calls from inside rulesets did not pick those up. I ran multiple tests and
>> confirmed that $!@timestamp has to be set within the ruleset where
>> mmnormalize is called in order for the JSON produced by mmnormalize to have
>> @timestamp element. It's not a big deal, but I wish regular variable
>> scoping rules applied to rulesets as well.
>>
>> Thanks!
>>
>> On Fri, Nov 20, 2015 at 3:22 PM, David Lang <[email protected]> wrote:
>>
>>> by default, mmnormalize only parsed $msg, it has an option to let you
>>> parse anything else. I posted a lengthy message yesterday talking about how
>>> I create a string $.stdmsg that includes different variables and then have
>>> mmnormalize parse it instead of $msg.
>>>
>>> the json generated by mmnormalize should be added to anything already in
>>> $! (if not, this needs to be an option), but if it's not showing up, try
>>> setting $!@timestamp after the mmnormalize statement.
>>>
>>> David Lang
>>>
>>>
>>>
>>> On Fri, 20 Nov 2015, Alec Swan wrote:
>>>
>>>> I run mmnormalize twice because I need to use different rulebases for
>>>> different rulesets associated with imfile input.
>>>>
>>>> If I move "set $!@timestamp = exec_template("timereportedrfc3339"); set $!host = $hostname;"
>>>> outside of rulesets (expecting them to share those variables)
>>>> mmnormalize just doesn't include them in JSON generated. So, I end up
>>>> having tags from mmnormalize rulebase parsing but not the $! variables in
>>>> JSON.
>>>>
>>>> On Fri, Nov 20, 2015 at 11:00 AM, David Lang <[email protected]> wrote:
>>>>
>>>>> On Fri, 20 Nov 2015, Alec Swan wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I have multiple rulesets where I call mmnormalize. I noticed that I have to
>>>>>> duplicate $! variables in each ruleset for mmnormalize to include them in
>>>>>> the $!all-json variable. Is there a way to avoid this duplication below?
>>>>>>
>>>>>> template(name = "es-payload" type="list") {
>>>>>>     property(name = "$!all-json")
>>>>>> }
>>>>>>
>>>>>> ruleset(name = "cassandra-log") {
>>>>>>     set $!@timestamp = exec_template("timereportedrfc3339");
>>>>>>     set $!host = $hostname;
>>>>>>     action(type = "mmnormalize"
>>>>>>            rulebase = "/etc/rsyslog.d/rules/cassandra.log.rb")
>>>>>> }
>>>>>>
>>>>>> ruleset(name = "cassandra-system") {
>>>>>>     set $!@timestamp = exec_template("timereportedrfc3339");
>>>>>>     set $!host = $hostname;
>>>>>>     action(type = "mmnormalize"
>>>>>>            rulebase = "/etc/rsyslog.d/rules/cassandra-system.log.rb")
>>>>>> }
>>>>>
>>>>> my experience has been that if you have a name duplicated, it gets
>>>>> overwritten.
>>>>>
>>>>> can you give an example of the log output?
>>>>>
>>>>> also, why are you running mmnormalize twice instead of just combining the
>>>>> rulebases?
>>>>> _______________________________________________
>>>>> rsyslog mailing list
>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>> http://www.rsyslog.com/professional-services/
>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>>> myriad
>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>> DON'T LIKE THAT.
>
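
Added example, not part of the original thread: one way to avoid repeating the $! assignments, following the "rulesets are more like function calls" explanation above, is to put them in a ruleset of their own and invoke it with RainerScript's call statement. The ruleset name common-fields, the log file paths, the tags, the timereportedrfc3339 template definition and the Elasticsearch server value are assumptions; the rulebase paths and es-payload template are taken from the thread.

```rsyslog
# Added example; names and paths marked "assumed" are not from the thread.
module(load="imfile")
module(load="mmnormalize")
module(load="omelasticsearch")

# Assumed definition of the template the thread passes to exec_template().
template(name="timereportedrfc3339" type="string"
         string="%timereported:::date-rfc3339%")

template(name="es-payload" type="list") {
    property(name="$!all-json")
}

# Statements written here, outside any ruleset(), belong to the implicit
# main ruleset. Messages from an input bound to its own ruleset never pass
# through it, so a "set" placed here would not reach cassandra-log.

# Shared "subroutine" (assumed name). It has no queue of its own, so call
# runs it synchronously on the same message and the caller sees the $! values.
ruleset(name="common-fields") {
    set $!@timestamp = exec_template("timereportedrfc3339");
    set $!host = $hostname;
}

ruleset(name="cassandra-log") {
    call common-fields
    action(type="mmnormalize"
           rulebase="/etc/rsyslog.d/rules/cassandra.log.rb")
    action(type="omelasticsearch" server="127.0.0.1" template="es-payload")
}

ruleset(name="cassandra-system") {
    call common-fields
    action(type="mmnormalize"
           rulebase="/etc/rsyslog.d/rules/cassandra-system.log.rb")
    action(type="omelasticsearch" server="127.0.0.1" template="es-payload")
}

# Assumed file paths and tags; each input is bound to exactly one ruleset.
input(type="imfile" File="/var/log/cassandra/cassandra.log"
      Tag="cassandra-log:" ruleset="cassandra-log")
input(type="imfile" File="/var/log/cassandra/system.log"
      Tag="cassandra-system:" ruleset="cassandra-system")
```

Check the syntax with `rsyslogd -N1 -f <file>` before deploying, then confirm that documents arriving in Elasticsearch carry both @timestamp and host, since events missing those fields are hard to correlate later.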