On Thu, 10 Dec 2015, Alec Swan wrote:
I've read a several articles about the benefits of parser chains for
rulesets but couldn't find any examples for the new style of configuration.
Here is my scenario. I need to parse logs from my-app.log file written by
an app. Recently, the format of this file changed slightly, e.g. extra tabs
removed between parts of each log message. I am using mmnormalize to parse
the old format using old.rb liblognorm rule. I would like to be able to use
new.rb rule to parse the log file in case old.rb rule fails.
What do I need to do in the following to accomplish this?
input(type = "imfile" File = "my-app.logs" Ruleset = "my-app")
ruleset(name = "my-app") {
action(type = "mmnormalize" rulebase = "/etc/rsyslog.d/rules/old.rb")
# here I would like to use new.rb in case the action above failed to
parse log file
action(type = "omfile" template="es-payload"
file="/tmp/my-app-parsed.log")
}
what I've resorted to doing is:
action(type="mmnormalize" ruleBase="/etc/rsyslog.rb")
if $!originalmsg != "" then {
<parse failed stuff>
}
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
