Are you sure there are no other errors in your config? Run rsyslogd -N1 and check for any errors. Once you have errors in the config, all bets are off.

David Lang

On Fri, 2 Dec 2016, Swartz, Patrick wrote:

Date: Fri, 2 Dec 2016 14:40:05 +0000
From: "Swartz, Patrick" <patrick.swa...@tyson.com>
Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] filters question

Okay... I've made some changes to my configs using the output from the debug.  I'm now 
using "fromhost_ip ==" and statically listing every possible IP in the array, 
and still some messages are falling through to my Unclassified.
Probably better to show than to try and explain...

From /etc/rsyslog.conf:
### for debug
*.* /var/splunk-syslog/msgdebug.log;RSYSLOG_DebugFormat

From debug file:
Debug line with all properties:
FROMHOST: 'sdcubpe08.mycompany.com', fromhost-ip: '100.20.20.218', HOSTNAME: 'sdcubpe08.mycompany.com', PRI: 167,
syslogtag 'Vpxa:', programname: 'Vpxa', APP-NAME: 'Vpxa', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Dec  2 14:20:09', STRUCTURED-DATA: '-',
msg: ' verbose vpxa[2ACE2B70] [Originator@6876 sub=halservices opID=WFU-32dbe2e3] [VpxaHalServices] HostChanged Event Fired, properties changed [runtime.healthSystemRuntime]'
escaped msg: ' verbose vpxa[2ACE2B70] [Originator@6876 sub=halservices opID=WFU-32dbe2e3] [VpxaHalServices] HostChanged Event Fired, properties changed [runtime.healthSystemRuntime]'
inputname: imtcp rawmsg: '<167>2016-12-02T14:20:09.131Z sdcubpe08.mycompany.com Vpxa: verbose vpxa[2ACE2B70] [Originator@6876 sub=halservices opID=WFU-32dbe2e3] [VpxaHalServices] HostChanged Event Fired, properties changed [runtime.healthSystemRuntime]'
$!:
$.:
$/:

From my /etc/rsyslog.d/ESXi.conf
template(name="ESXi_app" type="string"
         string="/var/splunk-syslog/ESXi/%FROMHOST%/%FROMHOST%-%$NOW%.log")
# I've shortened the list here for list clarity
if $fromhost-ip == ["100.31.20.101",
                    "100.31.20.102",
                    "100.20.20.218"]
then {
        action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" dynaFile="ESXi_app")
        stop
}

Is there a "priority" in how rsyslog reads/merges/loads the different configs 
between the main config (/etc/rsyslog.conf) and the others like /etc/rsyslog.d/ESXi.conf?

One other oddity kinda/sorta related.  Messages like these keep writing to the 
terminal:
Message from sysl...@sdcurpe02.mycompany.com at Dec  2 09:34:53 ...
localcli: libsmartsata: Not an ATA SMART device:naa.600507680c82811eb80000000000006a

Message from sysl...@sdcurpe02.mycompany.com at Dec  2 09:34:54 ...
localcli: libsmartsata: Not an ATA SMART device:naa.600507680c82811eb80000000000006b


Patrick Swartz


-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, December 01, 2016 3:20 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] filters question

On Thu, 1 Dec 2016, Swartz, Patrick wrote:

Hello,
Confession... I'm still learning rsyslog after many years of working with 
syslog-ng.  I'm using rsyslog-8.4.0-8.3 on a SLES12.1 system and am trying to 
capture my ESXi host logs.

Here is my current filter for those:

cat /etc/rsyslog.d/ESXi.conf

template(name="ESXi_app" type="string"
         string="/var/splunk-syslog/ESXi/%FROMHOST%/%FROMHOST%-%$NOW%.log")
if $hostname startswith ["cdcubde",
                         "sdcubde",
                         "sdcubpe",
                         "cdcubpe",
                         "cdcubdmz",
                         "cdcurpe",
                         "sdcurpe"]
then {
        action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" dynaFile="ESXi_app")
}
else {
        if $programname contains ["Hostd",
                                  "Vpxa",
                                  "xmlns",
                                  "soapenv",
                                  "cdcubpe02"]
        then {
                action(type="omfile" dirCreateMode="0755" FileCreateMode="0644" dynaFile="ESXi_app")
        }
        stop
}

I added the extra "else/if" because even though the 'startswith' was mostly working, it 
wasn't working 100%.  And now, even with the extra else/if, some messages are still falling through 
to my "Unknown" and I don't understand why.

Example message that is falling through -

cat Unknown/cdcubdmz01.mycompany.com/cdcubdmz01.mycompany.com-2016-12-01.log
2016-12-01T10:01:22.690936-05:00 cdcubdmz01.mycompay.com soapenv: Body><HostImageConfigGetAcceptanceResponse xmlns='urn:vim25'><returnval>partner</returnval></HostImageConfigGetAcceptanceResponse></soapenv:Body></soapenv:Envelope>

I'm using different configs in /etc/rsyslog.d/  for the different filters 
(ESXi, FireEye, PaloAlto, etc), then my Unknown filter is in the 
/etc/rsyslog.conf file.  Is that approach wrong?

From my rsyslog.conf:
template(name="Unknown" type="string"
string="/var/splunk-syslog/Unknown/%HOSTNAME%/%FROMHOST%-%$NOW%.log")
*.* action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
dynaFile="Unknown")

Any help would be greatly appreciated.

Whenever a filter isn't working as expected, the first thing to do is to look 
at what the data actually is that you are filtering against. 99% of the time the 
problem is that the variable doesn't contain what you expect it to.

In your 'unknown' section, log the data with the template RSYSLOG_DebugFormat 
to a file and look at what it's writing.

Or, since you are just looking at hostname, you could make a custom template 
that just lists that, say '%hostname% -- %rawmsg%\n'

Odds are really good that you will see the problems at that point. It may raise 
the question of 'why did it get parsed that way', but that's where logging 
rawmsg is so useful.

RSYSLOG_DebugFormat shows all the properties.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is 
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our 
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
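The "look at what the data actually is" step from the thread, automated: an added example (not code from the thread, from rsyslog, or from either poster) that parses an RSYSLOG_DebugFormat dump in the format quoted above and replays both posted ESXi.conf rule sets over it, reporting which rule matched and whether the message still reaches the catch-all Unknown action. It assumes ESXi.conf is included before that action in rsyslog.conf; the soapenv message's fromhost-ip is a made-up value.

```python
import re

# Match lists copied from the two ESXi.conf versions posted in the thread.
HOST_PREFIXES = ["cdcubde", "sdcubde", "sdcubpe", "cdcubpe", "cdcubdmz", "cdcurpe", "sdcurpe"]
PROGRAM_NEEDLES = ["Hostd", "Vpxa", "xmlns", "soapenv", "cdcubpe02"]
SOURCE_IPS = ["100.31.20.101", "100.31.20.102", "100.20.20.218"]

# RSYSLOG_DebugFormat prints "NAME: 'value'"; syslogtag is printed without the colon.
PROP_RE = re.compile(r"([A-Za-z][A-Za-z-]*):?\s*'([^']*)'")

def parse_debug_dump(text):
    """Map property names to values. 'escaped msg' also matches the key 'msg';
    setdefault keeps the first (unescaped) occurrence."""
    props = {}
    for m in PROP_RE.finditer(text):
        props.setdefault(m.group(1), m.group(2))
    return props

def route_hostname_version(props):
    """Replay the first ESXi.conf (hostname startswith / programname contains).
    Returns (rule that matched or None, whether the message still reaches the
    '*.*' Unknown action). Assumes ESXi.conf is included before that action."""
    if any(props.get("HOSTNAME", "").startswith(p) for p in HOST_PREFIXES):
        return "hostname startswith", True      # the 'then' block has no stop
    if any(n in props.get("programname", "") for n in PROGRAM_NEEDLES):
        return "programname contains", False    # the else block ends with stop
    return None, False                          # that same stop applies here too

def route_ip_version(props):
    """Replay the second ESXi.conf: if fromhost-ip == [...] then { action stop }."""
    if props.get("fromhost-ip") in SOURCE_IPS:
        return "fromhost-ip ==", False
    return None, True                           # no else branch: continues to Unknown
# Constructed dumps in the quoted format. Values come from the thread's Vpxa and
# soapenv examples; the soapenv fromhost-ip is made up.
VPXA_DUMP = """Debug line with all properties:
FROMHOST: 'sdcubpe08.mycompany.com', fromhost-ip: '100.20.20.218', HOSTNAME: 'sdcubpe08.mycompany.com', PRI: 167,
syslogtag 'Vpxa:', programname: 'Vpxa', APP-NAME: 'Vpxa', PROCID: '-', MSGID: '-',
msg: ' verbose vpxa[2ACE2B70] [VpxaHalServices] HostChanged Event Fired'
escaped msg: ' verbose vpxa[2ACE2B70] [VpxaHalServices] HostChanged Event Fired'
"""
SOAPENV_DUMP = """FROMHOST: 'cdcubdmz01.mycompany.com', fromhost-ip: '100.20.20.99', HOSTNAME: 'cdcubdmz01.mycompany.com', PRI: 14,
syslogtag 'soapenv:', programname: 'soapenv', msg: 'Body><HostImageConfigGetAcceptanceResponse><returnval>partner</returnval>'
"""

if __name__ == "__main__":
    for dump in (VPXA_DUMP, SOAPENV_DUMP):
        p = parse_debug_dump(dump)
        print(p["HOSTNAME"], p["programname"], route_hostname_version(p), route_ip_version(p))
```

Run it against the real msgdebug.log output instead of the embedded dumps to see, per message, which branch fired and whether the Unknown action is still reached afterwards.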

