On Mon, 12 Dec 2016, Jesse B. Crawford wrote:
Hello,
I have an rsyslog config file on RHEL 7 in which I am attempting to filter on
JSON. To do this, I'm using a RainerScript expression that looks a lot like
this:
if $!_SYSTEMD_UNIT == 'docker.service' then /var/log/docker
I am rather confused about how to deal with JSON parsing since the Docker
logs are not necessarily in CEE format (the Red Hat documentation gives a
template to add the @CEE cookie to journald JSON output, but does not specify
how to 'apply' that template before JSON parsing and I have not been able to
figure this out) - but I'm not even getting that far, as rsyslog is refusing
to start, giving syntax errors on every special character after the 'if' -
errors are logged about unexpected characters for the '$', '!', '_', etc. I
have spent some time rearranging the preceding statements and making other
changes to try and figure out what might be resulting in this syntax error
and I haven't been able to figure it out.
To perhaps distill my questions here:
1) Why might I be getting a syntax error on the '$' variable name prefix? I
cannot find anything like unmatched quotes etc. before this line.

A couple of things I try when running into syntax errors I don't understand:
1. Try switching single quotes to double quotes (or vice versa).
2. Insert a statement before the one you think is reporting the error. If the
error message moves to the new line, it probably is on that line; if the error
now points at the new line you inserted, then the problem is earlier than that.
rsyslogd -N1 is your friend here.
A good thing to do when you don't understand filtering is to write data out to a
file in debug format.
/var/log/debuglog;RSYSLOG_DebugFormat
will do the trick.

2) Is there some way to 'apply' a template to a string as it is being
processed? I ask this because I believe I need to add the @CEE: cookie to
each entry before I have imjsonparse process it, and I have a template to do
this, but imjsonparse does not accept a 'template' argument when called with
action() so I am not sure how to use this template in this case.

No, a template only applies to data that you are sending out.
But if you are getting the data via imjournal, then it's probably already parsed
into the JSON variable. What does the debugformat output look like?
David Lang
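
The statement-insertion check from the reply above, written out as a shell helper. This is an added example, not part of the original message or of rsyslog itself: the function names and the probe statement are hypothetical, and it assumes rsyslogd reports parse errors with the text "on or before line N".

```shell
#!/bin/sh
# Probe statement inserted before the suspect line (assumption: any valid
# RainerScript statement will do; the modified copy is only ever passed to
# "rsyslogd -N1" for a syntax check, never loaded by the running daemon).
PROBE='set $!probe = "x";'

# insert_probe SRC LINENO DEST
# Copy SRC to DEST with the probe inserted immediately before line LINENO.
insert_probe() {
    awk -v n="$2" -v p="$PROBE" 'NR == n { print p } { print }' "$1" > "$3"
}

# error_line: read rsyslogd output on stdin and print the first line number
# named in an "on or before line N" parse error (nothing if there is none).
error_line() {
    sed -n 's/.*on or before line \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# classify OLD NEW: compare the reported line before and after the probe.
#   on-line  the error moved down one line with the original statement,
#            so it probably is on that statement
#   earlier  the error still names the same line number, which is now the
#            inserted probe, so the cause is earlier in the file
#   unclear  anything else (for example, no error after the probe)
classify() {
    if [ "$2" -eq $(( $1 + 1 )) ]; then
        echo on-line
    elif [ "$2" -eq "$1" ]; then
        echo earlier
    else
        echo unclear
    fi
}

# bisect_once CONF: run one round of the check against a config file.
bisect_once() {
    conf=$1
    old=$(rsyslogd -N1 -f "$conf" 2>&1 | error_line)
    [ -n "$old" ] || { echo "no parse error reported"; return 0; }
    tmp=$(mktemp) || return 1
    insert_probe "$conf" "$old" "$tmp"
    new=$(rsyslogd -N1 -f "$tmp" 2>&1 | error_line)
    rm -f "$tmp"
    echo "line $old: $(classify "$old" "${new:-0}")"
}
```

bisect_once only inserts into the file it is given, so it does not follow included files.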
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog