Hello David,

Thanks for the answer. More or less I did what you recommended, but without
mmnormalize (basically I couldn't find enough information to make it work)
and in a hackier way.

I created templates based on RSYSLOG_SyslogProtocol23Format (just changing
the PRI value)

template(name="Protocol23DEBUG" type="string"
         string="<159>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

template(name="Protocol23INFO" type="string"
         string="<158>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

template(name="Protocol23WARN" type="string"
         string="<156>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

And then do the conditional sending with

if $msg contains 'INFO' then {
    local3.* @@192.168.1.10:514;Protocol23INFO
} else if $msg contains 'DEBUG' then {
    local3.* @@192.168.1.10:514;Protocol23DEBUG
} else if $msg contains 'WARN' then {
    local3.* @@192.168.1.10:514;Protocol23WARN
} else {
    local3.* @@192.168.1.10:514;RSYSLOG_SyslogProtocol23Format
}

Any pointers on doing this with a single template?

2016-03-23 0:44 GMT+01:00 David Lang <[email protected]>:

> On Fri, 11 Mar 2016, Joan wrote:
>
>> I have some files generated by java and written into logfiles by log4j that
>> I want to stream to graylog, I'd rather choose syslog with rfc5424 if
>> possible.
>> The files are like this
>>
>> ------------------------------------------------------------------
>> 2016-03-10 07:01:09,778 INFO  [taskname] long description 1
>> 2016-03-10 07:01:09,784 DEBUG  [taskname] long description 2
>> ------------------------------------------------------------------
>>
>> Currently I am using imfile to forward the logs and it's working quite
>> nicely
>> ------------------------------------------------------------------
>> module(load="imfile" mode="inotify")
>>
>> input(type="imfile"
>>     File="/opt/project/log/*.log"
>>     Tag="taskproject:"
>>     Facility="local3"
>> )
>>
>> #Make data available on server reboot
>> $ActionQueueFileName reenviador
>> $ActionResumeRetryCount -1
>> $ActionQueueSaveOnShutdown on
>>
>> #Proper microsecond format
>> local3.* @@192.168.1.136:514;RSYSLOG_SyslogProtocol23Format
>> ------------------------------------------------------------------
>>
>> The only issue, is that I'd like to have the severity set into the
>> forwarded logs and stripped from the log being sent, I've had a look into
>> mmnormalize, but I'm not sure it applies to the syslog format (I've seen
>> mostly json related examples)
>>
>
> There's not an easy way to do this.
>
> You could use mmnormalize to parse the fields and then either a series of
> if statements or a table lookup to convert the string to a number, and then
> do calculations to compute the new PRI value and use that value in a custom
> template when you forward the message.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
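
Added example (not part of the original thread and not code from either poster): one way to do this with a single template along the lines David describes, using if statements to map the log4j level to a severity number and a computed PRI held in a variable that the template references. It assumes an rsyslog version with RainerScript local variables ($.name) and re_extract(); the template name Protocol23Sev and the variables $.level, $.sev and $.pri are hypothetical, and the TRACE, ERROR and FATAL mappings go beyond the three levels used in the thread.

```rsyslog
# Added example, not from the thread. Names Protocol23Sev, $.level, $.sev
# and $.pri are hypothetical.

# One template for every severity: PRI is read from the local variable $.pri.
template(name="Protocol23Sev" type="string"
         string="<%$.pri%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

if prifilt("local3.*") then {
    # Read the level from its fixed position (third field of the log4j line,
    # after date and time) instead of "contains", so a word such as WARN
    # inside the description cannot change the forwarded severity.
    set $.level = re_extract($msg, '^ *[^ ]+ [^ ]+ +([A-Z]+) ', 0, 1, "");

    # log4j level -> syslog severity number
    if $.level == 'FATAL' then {
        set $.sev = 2;
    } else if $.level == 'ERROR' then {
        set $.sev = 3;
    } else if $.level == 'WARN' then {
        set $.sev = 4;
    } else if $.level == 'INFO' then {
        set $.sev = 6;
    } else if $.level == 'DEBUG' or $.level == 'TRACE' then {
        set $.sev = 7;
    } else {
        # Unrecognised line (for example a stack-trace continuation):
        # keep the severity imfile assigned.
        set $.sev = $syslogseverity;
    }

    # PRI = facility * 8 + severity; local3 is facility 19, so the base is
    # 152, which matches the 159/158/156 values in the three templates above.
    set $.pri = 152 + $.sev;

    action(type="omfwd" target="192.168.1.10" port="514" protocol="tcp"
           template="Protocol23Sev")
}
```

The queue settings from the original configuration are left out here and would still be needed for buffering across restarts.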