Sorry for not having included all the relevant information.
What I tried was:

if ($programname startswith 'fw1-loggrabber') & (%msg:F,124,6:3,18% == "xx.xx.xx.xx") then action(type="omfile" ioBufferSize="8k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNfw1")

Resulting in this error:

rsyslogd -N3 -f /etc/rsyslog.conf.pms
rsyslogd: version 7.4.10, config validation run (level 3), master config /etc/rsyslog.conf.pms
rsyslogd: error during parsing file /etc/rsyslog.conf.pms, on or before line 92: syntax error on token '%' [try http://www.rsyslog.com/e/2207 ]
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf.pms'. [try http://www.rsyslog.com/e/2207 ]
rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)

In case the whole config file would be needed:

### Module loading
module( load="builtin:omfile" template="RSYSLOG_TraditionalFileFormat" )
#module(load="imtcp") # provides TCP support
$ModLoad imtcp
$InputTCPMaxSessions 2000
module(load="imudp") # provides UDP support
# Provides periodic output of rsyslog internal counters
module(load="impstats.so" interval="60")
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
module(load="immark")   # provides --MARK-- message capability

$FileCreateMode 0640
$DirCreateMode 0755
$ActionSendTCPRebindInterval 5000
$RulesetCreateMainQueue on   # allows the queues to be split
$MaxOpenFiles 10240          # Note that this includes open tcp sockets
$WorkDirectory /var/spool/rsyslog

# Main Queue directives
$MainMsgQueueFileName mainq
$MainMsgQueueType LinkedList   # run asynchronously
$MainMsgQueueSize 2000000
$MainMsgQueueDiscardMark 1800000
$MainMsgQueueLowWaterMark 200000
$MainMsgQueueHighWaterMark 1600000
$MainMsgQueueDequeueBatchSize 1024
$MainMsgQueueMaxDiskSpace 4g
# $MainMsgQueueSaveOnShutdown on   # save messages to disk on shutdown
$MainMsgQueueDiscardSeverity 7

## Debug mode
# input(type="imudp" port="514" ruleset="remote_RS")   # Listen on 514 for UDP and send to the appropriate ruleset
input(type="imtcp" port="5140" ruleset="remote_RS")    # Listen on 5140 for TCP and send to the appropriate ruleset

$template DYNfile,"/dailylog/HOSTS/%HOSTNAME:R,ERE,1,FIELD:^([a-zA-Z0-9-]+)(\.[a-zA-Z0-9-]+)*$--end%/%$YEAR%-%$MONTH%-%$DAY%/%syslogfacility-text%-%$HOUR%"   # Remove the domain part from hostname
$template DYNaudit,"/dailylog/HOSTS/%HOSTNAME:R,ERE,1,FIELD:^([a-zA-Z0-9-]+)(\.[a-zA-Z0-9-]+)*$--end%/%$YEAR%-%$MONTH%-%$DAY%/audit-%$HOUR%"   # Remove the domain part from hostname
$template DYNimpstat,"/dailylog/HOSTS/%HOSTNAME:R,ERE,1,FIELD:^([a-zA-Z0-9-]+)(\.[a-zA-Z0-9-]+)*$--end%/%$YEAR%-%$MONTH%-%$DAY%/impstat"   # Remove the domain part from hostname
$template DYNfw,"/dailylog/HOSTS/fwi-pmpp-vdm00/%$YEAR%-%$MONTH%-%$DAY%/fw1-loggrabber-%$HOUR%"   # Remove the domain part from hostname
$template DYNfw1,"/dailylog/HOSTS/fwi-pmpp-vdm00/%$YEAR%-%$MONTH%-%$DAY%/fw1-%$HOUR%"
$template DYNfw2,"/dailylog/HOSTS/fwi-pmpp-vdm00/%$YEAR%-%$MONTH%-%$DAY%/fw2-%$HOUR%"
$template forcedhost,"%timegenerated% %msg:F,124,6:3,18% %syslogtag%%msg:::drop-last-lf%\n"
$template forcedhost1,"%timegenerated% fw1 %syslogtag%%msg:::drop-last-lf%\n"
$template forcedhost2,"%timegenerated% fw2 %syslogtag%%msg:::drop-last-lf%\n"

## Remote logs to LOCAL
# Remote logs to
ruleset(name="remote_RS"
        queue.type="LinkedList"
        queue.filename="mainqrs"
        queue.size="500000"
        queue.maxdiskspace="5g"
        queue.highwatermark="450000"
        queue.lowwatermark="5000"
        queue.discardseverity="7"
        queue.saveonshutdown="on"
) {
    #shouldn't be *.* but host except Seclin
    if $programname startswith 'fw1-loggrabber' then
        action(type="omfwd" target="xx.xx.xx.xx" port="5540" protocol="tcp" template="forcedhost"
               queue.type="LinkedList" queue.filename="splunkfw" queue.size="500000"
               queue.maxdiskspace="1g" queue.highwatermark="450000" queue.lowwatermark="5000"
               queue.discardseverity="7" queue.saveonshutdown="on" )
        & action(type="omfile" ioBufferSize="8k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNfw")
        & stop

    *.* action(type="omfwd" target="xx.xx.xx.xx" port="5540" protocol="tcp"
               queue.type="LinkedList" queue.filename="splunk" queue.size="500000"
               queue.maxdiskspace="3g" queue.highwatermark="450000" queue.lowwatermark="5000"
               queue.discardseverity="7" queue.saveonshutdown="on" )

    if $programname startswith 'audispd' then
        action(type="omfile" dynaFileCacheSize="2000" ioBufferSize="64k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNaudit")
        & stop

    if ($programname startswith 'fw1-loggrabber') & (%msg:F,124,6:3,18% == "xx.xx.xx.xx") then
        action(type="omfile" ioBufferSize="8k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNfw1")
        & stop

    if $programname startswith 'fw1-loggrabber' then
        action(type="omfile" ioBufferSize="8k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNfw")
        & stop

    if $programname startswith 'rsyslogd-pstats' then
        action(type="omfile" dynaFileCacheSize="2000" ioBufferSize="4k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNimpstat")
        & stop

    *.* action(type="omfile" dynaFileCacheSize="10000" ioBufferSize="32k" asyncWriting="on" flushOnTXEnd="off" dynaFile="DYNfile")
}

###
#
# Log anything (except mail and cron) of level info or higher to centralog
# including auditd messages which log on the daemon.info facility
#
#if $programname startswith 'fw1-loggrabber' then action(type="omfile" file="/var/log/pms1" name="fw1" template="forcedhost" )
#& stop
if $programname startswith 'rsyslogd-pstats' then action(type="omfile" file="/var/log/syslog-stats.log" name="impstat")
*.* action(type="omfwd" target="localhost" port="5140" protocol="tcp" name="localfwd"
           queue.type="LinkedList" queue.filename="forwarding" queue.size="100000"
           queue.maxdiskspace="5g" queue.highwatermark="80000" queue.lowwatermark="2000"
           queue.discardseverity="7" queue.saveonshutdown="on" )

###
#
# Auditd is configured to send its messages to syslog through the audispd syslog plugin.
# By default, the messages are sent into /var/log/audit/audit.log
# and on the daemon facility (hardcoded in source file)
#
# So in order to avoid duplicate messages into /var/log/messages,
# we use rsyslog property-based filter,
# see http://www.rsyslog.com/doc-rsyslog_conf_filter.html
#
# Send the auditd messages to centralog
# then discard them with '~' to avoid duplicate messages in /var/log/messages
#
:programname, contains, "audispd" stop

###
#
# Log anything (except mail, cron and auth) of level info or higher.
#
*.info;mail.none;authpriv.none;auth.none;cron.none    /var/log/messages

# The authpriv file has restricted access.
auth.*;authpriv.*    /var/log/secure

# Log all the mail messages in one place.
mail.*    -/var/log/maillog

# Log cron stuff
cron.*    /var/log/cron

# Everybody gets emergency messages
*.emerg    :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit    /var/log/spooler

# Save boot messages also to boot.log
local7.*    /var/log/boot.log

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
Sent: Friday 27 November 2015 12:09
To: rsyslog-users
Subject: Re: [rsyslog] Help with property replacer

On Fri, 27 Nov 2015, Maupertuis Philippe wrote:

> Hi,
> I am facing a situation where logs are pulled from a remote server through a
> specific program.
> The syslog message comes from the host where the program runs while the ip of
> the real server is inside the message.
> I have been able to reformat the message like that:
>
> $template forcedhost,"%timegenerated% %msg:F,124,6:3,18% %syslogtag%%msg:::drop-last-lf%\n"
>
> With this I get the IP address of the real host but I would like to go one
> step further and set the name of the host instead of its ip address.
>
> I have only two hosts for which I retrieve data so I can just test the IP
> address to set the host.
>
> I tried to use the property replacer in a test but I got a syntax error.
>
> Is there any way to do that with rsyslog 7.4, with which I am stuck for
> legal reasons?

yes, you can do it with 7.4, but we can't tell you what the error is without seeing the config you are using. the error message you get would be helpful as well.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
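The parser rejects `%msg:F,124,6:3,18%` because property-replacer syntax is only valid inside a template, not in a RainerScript condition. The fragment below is an added example, not configuration from this thread: it extracts the real host's address with the RainerScript `field()` and `re_extract()` functions, maps it to a host name in a `$!` variable, and prints that variable from the template. It assumes those two functions are present in the 7.x line in use; the xx/yy addresses, the host names and the dotted-quad regex are placeholders.

```rsyslog
# Added example (not from the original thread). Assumes rsyslog 7.x RainerScript
# with field() and re_extract(); addresses and host names are placeholders.

# Template prints the derived host name instead of the raw field.
$template forcedhostname,"%timegenerated% %$!realhost% %syslogtag%%msg:::drop-last-lf%\n"

if $programname startswith 'fw1-loggrabber' then {
    # Same field as F,124,6 in the property replacer: 6th '|'-delimited field.
    set $!fld = field($msg, 124, 6);

    # First dotted quad in that field (POSIX ERE, bracketed dot avoids escaping),
    # instead of relying on the fixed 3..18 character range of the template.
    # Empty string when nothing matches.
    set $!realip = re_extract($!fld, "([0-9]+[.]){3}[0-9]+", 0, 0, "");

    # Map the two known sources; anything else keeps the address so an
    # unexpected source stays visible in the log instead of being relabelled.
    if $!realip == "xx.xx.xx.xx" then {
        set $!realhost = "fw1";
    } else {
        if $!realip == "yy.yy.yy.yy" then {
            set $!realhost = "fw2";
        } else {
            set $!realhost = $!realip;
        }
    }

    # Forward and write locally with the rewritten host, then stop as before.
    action(type="omfwd" target="xx.xx.xx.xx" port="5540" protocol="tcp" template="forcedhostname")
    action(type="omfile" ioBufferSize="8k" asyncWriting="on" flushOnTXEnd="off"
           dynaFile="DYNfw" template="forcedhostname")
    stop
}
```

Validate with `rsyslogd -N3 -f <file>` as in the thread before reloading; a wrong field number shows up as an empty `$!realhost` in the output rather than a parse error.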

