I'm trying to use RFC 5424 formatted messages so I can filter on the
fields. For example, I would like to do:
:APP-NAME, isequal, "alex" /var/log/alex.log
I'm having some difficulty getting this to work on my version of rsyslog
(7.4.4 on the one machine I tested and 8.4.2 on the other). I'm testing by
doing:
echo '<30>1 - - alex - - - msg1' | socat - UNIX-CLIENT:/dev/log
When I run this, I expect the message to be sent to /var/log/alex.log and
instead, nothing happens. I followed some of the steps on the
troubleshooting page and ran with debug messages enabled and saw:
1596.600920706:main Q:Reg/w0 : Action 2 transitioned to state: itx
1596.600924863:main Q:Reg/w0 : PROPFILT
1596.600931319:main Q:Reg/w0 : Property.: 'app-name'
1596.600938289:main Q:Reg/w0 : Operation: 'isequal'
1596.600944930:main Q:Reg/w0 : Value....: 'alex'
1596.600950480:main Q:Reg/w0 : Filter: check for property 'app-name' (value '1') isequal 'alex': FALSE
I'm a little surprised that app-name has the value 1 -- it looks like the
message wasn't parsed as an RFC 5424 message. Corroborating that theory is
the observation that I don't see the message "Message has
RFC5424/syslog-protocol format" from the DBGPRINTF in tools/pmrfc5424.c.
This is strange to me -- I believe that message to be formatted correctly
and the rfc5424 parser to be loaded (I see "2275.985322182:main thread :
Parser 'rsyslog.rfc5424' added to default parser set" in the output)
Am I missing something obvious? How do I learn more about what is going on?
Best,
~Alex Reece
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
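To check the test frame from the post independently of rsyslog, this added example (not part of the original post and not rsyslog code) parses a line against the RFC 5424 header grammar and reports each field. The names `parse_rfc5424` and `split_sd` are chosen here; field syntax is validated only loosely and SD-PARAMs are not parsed.

```python
import re

NIL = "-"  # RFC 5424 NILVALUE
# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP rest
HEADER = re.compile(
    r"<(\d{1,3})>([1-9]\d{0,2}) (\S+) ([!-~]{1,255}) ([!-~]{1,48}) "
    r"([!-~]{1,128}) ([!-~]{1,32}) (.*)", re.S)
TIMESTAMP = re.compile(
    r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d{1,6})?(Z|[+-]\d\d:\d\d)")
POSTED_FRAME = "<30>1 - - alex - - - msg1"  # test frame from the post above

def split_sd(rest):
    """Split 'STRUCTURED-DATA [SP MSG]' into (sd, msg); sd is None for '-'."""
    i, in_quotes = 0, False
    if rest.startswith(NIL):
        i = 1
    while i < len(rest) and rest[i] == "[" and not rest.startswith(NIL):
        i += 1
        while i < len(rest) and (in_quotes or rest[i] != "]"):
            if in_quotes and rest[i] == "\\":
                i += 1                      # skip the escaped character
            elif rest[i] == '"':
                in_quotes = not in_quotes
            i += 1
        if i >= len(rest):
            raise ValueError("unterminated SD-ELEMENT")
        i += 1                              # consume the closing ']'
    if i == 0:
        raise ValueError("STRUCTURED-DATA must be '-' or start with '['")
    tail = rest[i:]
    if tail and not tail.startswith(" "):
        raise ValueError("MSG must be separated from STRUCTURED-DATA by SP")
    return (None if rest[:i] == NIL else rest[:i]), tail[1:]

def parse_rfc5424(frame):
    m = HEADER.fullmatch(frame)
    if not m:
        raise ValueError("header does not match RFC 5424 grammar")
    pri, version, ts, host, app, procid, msgid, rest = m.groups()
    if int(pri) > 191:
        raise ValueError("PRI out of range")
    if ts != NIL and not TIMESTAMP.fullmatch(ts):
        raise ValueError("TIMESTAMP is neither '-' nor RFC 3339")
    sd, msg = split_sd(rest)
    nil = lambda v: None if v == NIL else v
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7,
            "version": int(version), "timestamp": nil(ts),
            "hostname": nil(host), "app-name": nil(app),
            "procid": nil(procid), "msgid": nil(msgid),
            "structured-data": sd, "msg": msg}
```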