On 8/8/2017 1:10 PM, rsyslog-users-lists.adiscon....@whyaskwhy.org wrote:
On 8/8/17 2:30 AM, Rainer Gerhards wrote:
>>
Check what APP-NAME, PROCID and MSGID contain, which are derived from the tag.

RFC5424 tells you where these parts are to be placed in the header.


It appears that this lack of a colon is confusing pflogsumm when the daily cron job calls this script to generate a daily report of the mail activity
recorded on our central rsyslog instance.

That would indicate that pflogsumm does not properly handle RFC5424 messages.

HTH
Rainer

Thank you for your feedback, I appreciate you taking the time to respond.

When I enable debug logging I see that the colon is nowhere to be seen in 'programname' or 'APP-NAME' when in any of the forwarding formats (which I understand to be the norm), but is present in the syslogtag property for Traditional and Forward formats, not present for the Protocol23 forwarding format.


# RSYSLOG_TraditionalForwardFormat:
syslogtag 'postfix/qmgr[29132]:', programname: 'postfix/qmgr', APP-NAME: 'postfix/qmgr', PROCID: '29132', MSGID: '-',


# RSYSLOG_ForwardFormat:
syslogtag 'postfix/qmgr[29132]:', programname: 'postfix/qmgr', APP-NAME: 'postfix/qmgr', PROCID: '29132', MSGID: '-',


# RSYSLOG_SyslogProtocol23Format:
syslogtag 'postfix/qmgr[29132]', programname: 'postfix/qmgr', APP-NAME: 'postfix/qmgr', PROCID: '29132', MSGID: '-',

When rsyslog saves a stream of Protocol23 formatted messages to disk, I assumed that the RSYSLOG_FileFormat template would source the syslogtag property and save that entire value to disk as-is. Does something else happen instead?

If I can provide further information, please let me know.

Thanks.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
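
Added example, not part of the original thread and not rsyslog's or pflogsumm's code: a Python sketch of the relationship discussed above between syslogtag and the RFC 5424 APP-NAME and PROCID header fields, rebuilding the colon-terminated tag that a traditional-format parser expects. The function names, the sample line (host mail1, message text) and the output layout are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# syslogtag as shown in the debug output: name, optional [pid], optional ':'
TAG_RE = re.compile(r'^(?P<app>[^\[\]:\s]+)(?:\[(?P<pid>[^\]]*)\])?:?$')

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) '
    r'(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$')

# Constructed sample line (not taken from the thread's logs)
SAMPLE = '<22>1 2017-08-08T02:30:00-05:00 mail1 postfix/qmgr 29132 - - 4F2A1C0D: removed'


def split_tag(tag):
    """Return (app_name, procid) for a syslogtag; '-' is the RFC 5424 nil value."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised tag: {tag!r}")
    return m.group('app'), m.group('pid') or '-'


def build_tag(app, pid):
    """Rebuild a traditional 'name[pid]:' tag from the RFC 5424 header fields."""
    return f"{app}[{pid}]:" if pid != '-' else f"{app}:"


def to_traditional(line):
    """Rewrite one RFC 5424 line as 'Mmm dd hh:mm:ss host tag msg'."""
    m = RFC5424_RE.match(line)
    if not m:
        return line  # not RFC 5424: pass through unchanged
    try:
        ts = datetime.fromisoformat(m.group('ts').replace('Z', '+00:00'))
    except ValueError:
        return line  # nil ('-') or unparsable timestamp: leave the line alone
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    tag = build_tag(m.group('app'), m.group('pid'))
    return f"{stamp} {m.group('host')} {tag} {m.group('msg') or ''}"


if __name__ == '__main__':
    print(to_traditional(SAMPLE))
```

Both tag variants from the debug output split to the same APP-NAME and PROCID, so the trailing colon can always be re-added when writing a traditional-style line for a downstream report tool.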