no, you are overthinking things.
rsyslog doesn't have any scope/nesting rules, it's much simpler than that.
If the action that sets the variable is executed, then it's defined from that
point on in the log processing flow.
if you set something in the 'main' ruleset, but then you declare that input from
source X uses the 'X' ruleset, not the main ruleset, the definitions in the main
ruleset are never executed for any log messages that arrive via source X
if you set someting in ruleset 'Y' and never call it from the main ruleset, logs
processed by the main ruleset will never see that definition. If you do call
ruleset Y from the main ruleset, the defintions will be in effect from point
poitn of the call on..
David Lang
On Sun, 22 Nov 2015, Alec Swan wrote:
Date: Sun, 22 Nov 2015 15:22:54 -0700
From: Alec Swan <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Avoid duplication of $! variables in rulesets
Interesting. Does this mean that variables declared outside of ruleset
cannot be referenced from within ruleset as shown below? If so, then it
would seem somewhat counterintuitive. If not, then it's inconsistent with
the scoping rules you described.
set host='127.0.0.1'
ruleset(name = "mylogs") {
action(type = "omelasticsearch"
...
server = host
...
)
}
On Sat, Nov 21, 2015 at 5:39 PM, David Lang <[email protected]> wrote:
Rulesets aren't scoping as you are thinking about them, they are more
function calls. If you set a rulset on an input, then nothing outside of
that ruleset is going to be applied to any logs from that input.
anything not in an explicit ruleset is in the implicit 'main' ruleset.
things in rulesets only get executed if the 'program flow' (for lack of a
better phrase) includes that rulset.
David Lang
On Sat, 21 Nov 2015, Alec Swan wrote:
I tied setting $!@timestamp at the very bottom of the file but mmnormalize
calls from inside rulesets did not pick those up. I ran multiple tests and
confirmed that $!@timestamp has to be set within the ruleset where
mmnormalize is called in order for the JSON produced by mmnormalize to
have
@timestamp element. It's not a big deal, but I wish regular variable
scoping rules applied to rulesets as well.
Thanks!
On Fri, Nov 20, 2015 at 3:22 PM, David Lang <[email protected]> wrote:
by default, mmnormalize only parsed $msg, it has an option to let you
parse anything else. I posted a lengthy message yesterday talking about
how
I create a string $.stdmsg that includes different variables and then
have
mmnormalize parse it instead of $msg.
the json generated by mmnormalize should be added to anything already in
$! (if not, this needs to be an option), but if it's not showing up, try
setting $!@timestamp after the mmnormalize statement.
David Lang
On Fri, 20 Nov 2015, Alec Swan wrote:
I run mmnormalize twice because I need to use different rulebases for
different rulesets associated with imfile input.
If I move "set $!@timestamp = exec_template("timereportedrfc3339");
set $!host
= $hostname;" outside of rulesets (expecting them to share those
variable)
mmnormalize just doesn't include them in JSON generated. So, I end up
having tags from mmnormalize rulebase parsing but not the $! variables
in
JSON.
On Fri, Nov 20, 2015 at 11:00 AM, David Lang <[email protected]> wrote:
On Fri, 20 Nov 2015, Alec Swan wrote:
Hello,
I have multiple rulesets where I call mmnormalize. I noticed that I
have
to
duplicate $! variables in each ruleset for mmnormalize to include them
in
the $!all-json variable. Is there a way to avoid this duplication
below?
template(name = "es-payload" type="list"){
property(name = "$!all-json")
}
ruleset(name = "cassandra-log") {
* set $!@timestamp = exec_template("timereportedrfc3339"); set
$!host = $hostname;*
action(type = "mmnormalize" rulebase =
"/etc/rsyslog.d/rules/cassandra.log.rb")}
ruleset(name = "cassandra-system") {
* set $!@timestamp = exec_template("timereportedrfc3339"); set
$!host = $hostname;*
action(type = "mmnormalize" rulebase =
"/etc/rsyslog.d/rules/cassandra-system.log.rb")}
my experience has been that if you have a name duplicated, it gets
overwritten.
can you give an example fo the log output?
also, why are you running mmnormalize twice instead of just combining
the
rulebases?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
