On Thu, 1 Dec 2016, Swartz, Patrick wrote:
Hello,
Confession... I'm still learning rsyslog after many years of working with
syslog-ng. I'm using rsyslog-8.4.0-8.3 on a SLES12.1 system and am trying to
capture my ESXi host logs.
Here is my current filter for those:
cat /etc/rsyslog.d/ESXi.conf
template(name="ESXi_app" type="string"
string="/var/splunk-syslog/ESXi/%FROMHOST%/%FROMHOST%-%$NOW%.log")
if $hostname startswith ["cdcubde",
"sdcubde",
"sdcubpe",
"cdcubpe",
"cdcubdmz",
"cdcurpe",
"sdcurpe"]
then {
action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
dynaFile="ESXi_app")
}
else {
if $programname contains ["Hostd",
"Vpxa",
"xmlns",
"soapenv",
"cdcubpe02"]
then {
action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
dynaFile="ESXi_app")
}
stop }
I added the extra "else/if" because even though the 'startwith' was mostly working, it
wasn't working 100%. And, now even with the extra else/if some messages are still falling through
to my "Unknownl" and I don't understand why.
Example message that is falling through -
cat Unknown/cdcubdmz01.mycompany.com/cdcubdmz01.mycompany.com-2016-12-01.log
2016-12-01T10:01:22.690936-05:00 cdcubdmz01.mycompay.com soapenv: Body><HostImageConfigGetAcceptanceResponse
xmlns='urn:vim25'><returnval>partner</returnval></HostImageConfigGetAcceptanceResponse></soapenv:Body></soapenv:Envelope>
I'm using different configs in /etc/rsyslog.d/ for the different filters
(ESXi, FireEye, PaloAlto, etc), then my Unknown filter is in the
/etc/rsyslog.conf file. Is that approach wrong?
From my rsyslog.conf:
template(name="Unknown" type="string"
string="/var/splunk-syslog/Unknown/%HOSTNAME%/%FROMHOST%-%$NOW%.log")
*.* action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
dynaFile="Unknown")
Any help would be greatly appreciated.
Whenever a filter isn't working as expected, the first thing to do is to look at
what the data actually is that you are filtering against 99% of the time the
problem is that the variable doesn't contain what you expect it to.
in your 'unknown' section, log the data with the template RSYSLOG_DebugFormat to
a file and look at what it's writing.
Or, since you are just looking at hostname, you could make a custom template
that just lists that, say '%hostname% -- %rawmsg%\n'
odds are really good that you will see the problems at that point. It may raise
the question of 'why did it get parsed that way', but that's where logging
rawmsg is so useful.
RSYSLOG_DebugFormat shows all the properties.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.