Hi David Sir,

I am sorry for the inconvenience. Actually we have a demo version of an event correlation system. Events of various devices are being generated in their respective log files. Some logs don't have a timestamp and some have an old timestamp. I want to send these logs to my remote rsyslog server. I want to align all these logs in one format. Secondly, the last part of the folder name holding all these log files changes periodically. Can I use a wildcard on the folder?
How can I solve a bunch of these issues? Thanks

On Wed, Feb 17, 2016 at 10:02 AM, David Lang <[email protected]> wrote:

> If you have stuff sending badly formatted stuff to you, it's a real pain
> to fix. You need to try and find some patterns in either the data or the
> sources.
>
> You are starting off deciding that you are needing to create a custom
> template for the logs, but you haven't explained why you are doing this.
>
> Remember, everyone here is a volunteer, we are willing to help, but you
> need to be willing to learn, not just dump your problem on us and expect an
> answer back.
>
> So you have a bunch of debug output. But since we can't read your mind, we
> don't know what you consider good and what you consider bad. Why don't we
> step back a minute and first go over your architecture, what are you trying
> to do?
>
> David Lang
>
> On Wed, 17 Feb 2016, Muhammad Asif wrote:
>
>> Date: Wed, 17 Feb 2016 09:38:18 +0500
>> From: Muhammad Asif <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] Messy log file after
>>     %timegenerated:1:26:date-rfc3339%
>>
>> Here is the debug output, sir.
>>
>> http://pastebin.com/88y4cdAu
>>
>> What do you mean by adjust template? You mean add the required fields in
>> the template? But in this way I have to create 100 templates for 100
>> different log sources. How can I use an easy way? I just don't want to add
>> the message timestamp if it exists, because some messages have a timestamp
>> and some do not.
>> Thanks
>>
>> On Tue, Feb 16, 2016 at 3:35 PM, Rainer Gerhards <[email protected]>
>> wrote:
>>
>>> 2016-02-16 8:07 GMT+01:00 Muhammad Asif <[email protected]>:
>>>
>>>> Hi Geeks,
>>>>
>>>> I need to ask two things.
>>>>
>>>> 1- When I use the following timestamp format, the log file turns messy.
>>>> I mean all logs continuously with some space. (Not one log in one line)
>>>>
>>>> $template CustomFormat,"<%pri%>%timegenerated:1:27:date-rfc3339% %syslogtag%%msg%"
>>>>
>>>> $ActionFileDefaultTemplate CustomFormat
>>>>
>>>> http://pastebin.com/eh7tTctL
>>>
>>> You need to add \n at the end of the template, this is the LF you are
>>> missing.
>>>
>>>> 2- Second, as shown in the attached logs, I want to remove the timestamps
>>>> attached by the devices, attach new ones by rsyslog and then forward to
>>>> the remote server. How can I do this?
>>>
>>> You need to look at what is in which field (use RSYSLOG_DebugFormat) and
>>> then adjust your template accordingly.
>>>
>>> Rainer
>>>
>>>> Regards
>>>>
>>>> M. Asif
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
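Rainer's two answers combined in one rsyslog.conf fragment, as an added example that is not part of the thread or of the rsyslog project's own configuration. The file paths, the template name CustomForward and the host central.example.net are assumed placeholders; the forwarding template also adds %hostname% and the full RFC 3339 timestamp, which the template in the thread does not have.

```conf
# Added example, not from the thread. Paths, the CustomForward name and the
# remote host are placeholders.

# File output: same template as in the thread, plus the trailing \n.
# That \n is the missing LF, so every record now ends its own line.
$template CustomFormat,"<%pri%>%timegenerated:1:27:date-rfc3339% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate CustomFormat

# Forwarding: no trailing \n here, the syslog transport delimits messages
# itself (the built-in RSYSLOG_ForwardFormat has none either).
# %timegenerated% is the time rsyslog received the message, so a missing or
# stale device timestamp is never copied into the forwarded header.
$template CustomForward,"<%pri%>%timegenerated:::date-rfc3339% %hostname% %syslogtag%%msg%"

# Step 1: dump every parsed property of each message. Use this file to see
# whether a device's own timestamp was parsed into the timestamp property or
# is still sitting at the start of %msg%. In the second case the template
# above forwards it as part of the message text.
*.* /var/log/field-debug.log;RSYSLOG_DebugFormat

# Step 2: local copy, one record per line.
*.* /var/log/devices.log;CustomFormat

# Step 3: forward over TCP (@@) with the rsyslog-generated timestamp.
*.* @@central.example.net:514;CustomForward
```

Remove the RSYSLOG_DebugFormat action once the field layout of each source is known, since it writes several lines per message.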

