I think a recent version of 8.x gained the ability to use a wildcard.
If some log sources have the timestamp and some don't, you will need to set up a
way to tell which is which and then use either a different template or set a
variable that you will use in the template.
If you only have a few sources you can do if-then rules. If you have a lot, then
something like the table lookup functionality that is getting finalized in 8.17
is the way to go.
Or you could use mmnormalize to parse the logs to extract the timestamp from the
rest of the message and then decide based on what's parsed.
Getting stuff in different and non-standard formats is not fun to deal with.
Look over the documentation for these various options and decide what makes the
most sense for you.
David Lang
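The following is an added example (not code from the thread or from the rsyslog project) of what David's "if-then rule that sets a variable used in the template" advice, together with Rainer's "\n at the end of the template" fix, looks like as a single rsyslog 8.x RainerScript configuration. The input path, tag, remote host name and port are placeholders; the wildcard in File= assumes an rsyslog 8.x build whose imfile supports it (check your version's imfile documentation), and the regex branch assumes the device timestamp survived at the front of $msg, which is the thing RSYSLOG_DebugFormat is meant to confirm before you rely on it.

```rsyslog
# Added example, not from the thread. Assumes rsyslog 8.x RainerScript syntax,
# an imfile build that accepts a wildcard in File=, and placeholder names
# (collector.example.net, /var/log/devices/) that you replace with your own.
module(load="imfile")

# The template ends in "\n": the missing LF is what ran all lines together.
# $.body is a local variable set in the ruleset below; it holds the message
# text with any leading device timestamp already stripped, so the only
# timestamp that reaches the remote server is rsyslog's own timegenerated.
template(name="Stamped" type="string"
         string="<%pri%>%timegenerated:::date-rfc3339% %hostname% %syslogtag%%$.body%\n")

# Wildcard on the file name (placeholder path); binds every matching file
# to the "devices" ruleset so the if-then logic applies only to them.
input(type="imfile" File="/var/log/devices/*.log"
      Tag="device:" Ruleset="devices")

ruleset(name="devices") {
    # Some devices prefix their own RFC3164-style stamp ("Feb 18 10:36:14 ")
    # to the message text. Verify with RSYSLOG_DebugFormat where that stamp
    # actually landed for each source; this branch covers the case where it
    # stayed at the front of $msg (optional leading space included).
    if re_match($msg, "^ ?[A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] ") then {
        # Keep the space before the remaining text in submatch 1 so both
        # branches produce a body that starts with a single space.
        set $.body = re_extract($msg,
            "^ ?[A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]( .*)$",
            0, 1, "");
    } else {
        # No device timestamp in the text: pass the message through unchanged.
        set $.body = $msg;
    }

    # Forward in the uniform format; the local copy uses the same template
    # so the two outputs can be compared line for line.
    action(type="omfwd" Target="collector.example.net" Port="514"
           Protocol="tcp" Template="Stamped")
    action(type="omfile" File="/var/log/devices-normalized.log" Template="Stamped")
}
```

If a source's own timestamp turns out to have been parsed into $timereported rather than left in $msg, no stripping is needed for that source at all: the template above already ignores $timereported. When the number of distinct formats grows beyond what a few if-then branches can handle, the mmnormalize route David mentions moves the pattern matching into a rulebase file instead of inline regexes, with the parsed fields then available to the same kind of template.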
On Thu, 18 Feb 2016, Muhammad Asif wrote:
Date: Thu, 18 Feb 2016 10:36:14 +0500
From: Muhammad Asif <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Messy log file after %timegenerated:1:26:date-rfc3339%
Hi David Sir,
I am sorry for the inconvenience. Actually we have a demo version of an event
correlation system. Events of various devices are being generated in
respective log files. Some logs don't have a timestamp and some have an old
timestamp. I want to send these logs to my remote rsyslog server. I want to
align all these logs in one format.
Secondly, the last part of the folder name containing all these log files changes
periodically. Can I use a wildcard on the folder?
How can I solve this bunch of issues? Thanks
On Wed, Feb 17, 2016 at 10:02 AM, David Lang <[email protected]> wrote:
If you have stuff sending badly formatted stuff to you, it's a real pain
to fix. You need to try and find some patterns in either the data or the
sources.
You are starting off by deciding that you need to create a custom
template for the logs, but you haven't explained why you are doing this.
Remember, everyone here is a volunteer. We are willing to help, but you
need to be willing to learn, not just dump your problem on us and expect an
answer back.
So you have a bunch of debug output. But since we can't read your mind, we
don't know what you consider good and what you consider bad. Why don't we
step back a minute and first go over your architecture: what are you trying
to do?
David Lang
On Wed, 17 Feb 2016, Muhammad Asif wrote:
Date: Wed, 17 Feb 2016 09:38:18 +0500
From: Muhammad Asif <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Messy log file after %timegenerated:1:26:date-rfc3339%
Here is the debug output, sir.
http://pastebin.com/88y4cdAu
What do you mean by adjust the template? You mean add the required fields to the
template? But in this way I have to create 100 templates for 100 different
log sources. How can I do this an easy way? I just don't want to add the message
timestamp if it exists, because some messages have a timestamp and some do not.
Thanks
On Tue, Feb 16, 2016 at 3:35 PM, Rainer Gerhards <[email protected]> wrote:
2016-02-16 8:07 GMT+01:00 Muhammad Asif <[email protected]>:
Hi Geeks,
I need to ask two things.
1- When I use the following timestamp format, the log file turns messy. I mean
all logs run on continuously with some space (not one log per line).
$template CustomFormat,"<%pri%>%timegenerated:1:27:date-rfc3339% %syslogtag%%msg%"
$ActionFileDefaultTemplate CustomFormat
http://pastebin.com/eh7tTctL
You need to add \n at the end of the template; this is the LF you are
missing.
2- Second, as shown in the attached logs, I want to remove the timestamps
attached by the devices, have rsyslog attach a new one, and then forward to the
remote server. How can I do this?
You need to look at what is in which field (use RSYSLOG_DebugFormat) and
then adjust your template accordingly.
Rainer
Regards
M. Asif
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.