Hi
Is there any way to dynamically invoke a ruleset? eg: call $var
(I'm trying to avoid having +200 if statements...
El 25/11/16 a las 14:13, David Lang escribió:
On Fri, 25 Nov 2016, mosto...@gmail.com wrote:
I may be confused about which part is on the sender and which part
is on the receiver.
sender: a bunch of imfiles forwarded using RELP
receiver: receives a JSON with msg=plain/original message, normalize
and extract fields (that should be added to JSON)
each "application" should define his own rules, and sometimes even
transform the JSON after that (seem's that the hard part)
*# Is addMetadata="on" needed in order to use
$!metadata!filename?*
the easiest thing is to try it :-)
I'm going to create an issue for double checking...can't handle this
while editing documentation!
adding fields you may be able to do with the ammend= capabilities in
the ruleset
if you don't want a field to be reported, give it the name '-' in
the ruleset.
unfortunantly, you can't rename fields or copy fields in the ruleset.
So: each application having one .conf file copied to rsyslog.d/ with
the required steps it's the only way? Perhaps something like:
*app1.conf*
if $!group == "group" and $!app == "app1" then {
# and here's an example on when to use inline rules
# https://github.com/rsyslog/rsyslog/issues/625
# an inline rule here will make it possible to have
# just 1 config file per app, instead of 2
action(type="mmnormalize" rulebase=:/rule-for-app1.fb")
if $parsesuccess then {
# do additional steps, transforms and whatever you want
# call foo
}
call index
stop
}
it's better to have a single ruleset that does the parsing once, and
then calls a 'perapp' ruleset that is something like
ruleset(name="perapp"){
include /etc/rsyslog.d/apps/*
}
and in /etc/rsyslog.d/apps/ you have per app files that have the
per-app if statement and any manipulation needed
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.