#
# FILE NAME : rsyslog-local.conf
#
# DESCRIPTION :
#
# Configuration for local syslog
################################################################################
$MaxMessageSize 4096
# import logs from journal
$ModLoad imjournal
$imjournalRatelimitInterval 1
$imjournalRatelimitBurst 20000
$imjournalPersistStateInterval 100
$imjournalStateFile /var/lib/rsyslog/imjournal.state
# setting escaping off to make it possible to remove the control characters
$EscapeControlCharactersOnReceive off
# removing the optimization from use (it slows things down)
$OptimizeForUniprocessor off
# Using queue for 20000 messages. After that the messages are dropped instantly
$MainMsgQueueSize 20000
$MainMsgQueueDiscardMark 20000
$MainMsgQueueTimeoutEnqueue 0
$IncludeConfig /etc/rsyslog-local.d/*.conf
In one of the conf files we have the following templates and outchannel defined.
set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME";
template(name="TestFileFormat" type="string"
string="%timereported:::date-rfc3339%.%timereported:::date-subseconds%
%syslogseverity-text% %$.MYCUSTOMIZEDHOSTNAME%
%syslogtag:R,ERE,1,FIELD:^(.*):--end%:%$!msg:::sp-if-no-1st-sp%%$!msg:::drop-cc%\n")
$outchannel
testlog,/var/log/testlog,2100350156,/opt/vplat/bin/rsyslog-logrotate
/var/log/testlog
In another conf file we have the RULE to forward events to Remote Syslog
Server. For the sake of discussion I have updated the RULE to log to a file
(/var/log/testlog) on the disk.
set $.configuredSeverity = 6;
#For Audit and Auth logs severity is fixed as 'info'
if ( ( ( $msg startswith 'audit(' or $msg contains 'msg=audit(' ) and
$programname == 'audispd' ) or ($syslogfacility-text == 'auth' or
$syslogfacility-text == 'authpriv' ) or ($msg contains '|Audit|' ) and
$syslogseverity != $!configuredSeverity)
then
{
:omfile:$testlog;TestFileFormat
stop
}
In another conf file we have the following rule.
*.warn :omfile:$syslog_log;FileFormat
If one sample works, then I can extend it to others.
Thanks and Regards
Lak.
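
Added example (not part of the thread, and not code from the rsyslog project): a small Python check over fragments of the config quoted above. It reports variables that are set under one rsyslog scope prefix ("$." local, "$!" message tree, "$/" global) but referenced under another, as with configuredSeverity in the rule above. The name scope_mismatches and the regexes are this example's own, and it assumes variables are assigned with top-level "set" statements.

```python
import re

# rsyslog variable namespaces: "$." local, "$!" message (JSON) tree, "$/" global.
SCOPES = {".": "local", "!": "message", "/": "global"}
SET_RE = re.compile(r"^\s*set\s+\$([.!/])([A-Za-z0-9_!-]+)\s*=", re.M)
REF_RE = re.compile(r"\$([.!/])([A-Za-z0-9_!-]+)")

# Fragments taken from the message above, abridged to the parts that use variables.
SAMPLE = r"""
set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME";
template(name="TestFileFormat" type="string"
string="%syslogseverity-text% %$.MYCUSTOMIZEDHOSTNAME% %$!msg:::drop-cc%\n")
set $.configuredSeverity = 6;
#For Audit and Auth logs severity is fixed as 'info'
if ( ($syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' )
and $syslogseverity != $!configuredSeverity)
then
{
:omfile:$testlog;TestFileFormat
stop
}
"""

def scope_mismatches(config_text):
    """Return (name, used_scope, defined_scopes) for each variable referenced
    under a prefix it was never set with, while a variable of the same name
    is set under a different prefix."""
    # Drop comment lines so that text in comments is not counted as a reference.
    lines = [l for l in config_text.splitlines() if not l.lstrip().startswith("#")]
    text = "\n".join(lines)
    defined = {}
    for scope, name in SET_RE.findall(text):
        defined.setdefault(name, set()).add(scope)
    findings = []
    for match in REF_RE.finditer(text):
        scope, name = match.groups()
        if name in defined and scope not in defined[name]:
            item = (name, SCOPES[scope], sorted(SCOPES[s] for s in defined[name]))
            if item not in findings:
                findings.append(item)
    return findings

if __name__ == "__main__":
    for name, used, defined_as in scope_mismatches(SAMPLE):
        print(f"{name}: referenced as {used}, but set only as {', '.join(defined_as)}")
```

A finding means the two spellings name different variables, so the comparison reads one that was never assigned; it does not by itself explain the blank hostname reported in the thread.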
________________________________
From: Rainer Gerhards <[email protected]>
Sent: Tuesday, March 20, 2018 11:17 AM
To: putcha narayana
Cc: rsyslog-users
Subject: Re: [rsyslog] Using local/global variables in templates
Is that really your complete config? No inputs, no other rules, no nothing?
Rainer
2018-03-20 11:34 GMT+01:00 putcha narayana <[email protected]>:
Hi,
I am sorry. I did not see/find that message for some strange reason in the
previous response.
set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME";
template(name="TestFileFormat" type="string"
string="%timereported:::date-rfc3339%.%timereported:::date-subseconds%
%syslogseverity-text% %$.MYCUSTOMIZEDHOSTNAME%
%syslogtag:R,ERE,1,FIELD:^(.*):--end%:%$!msg:::sp-if-no-1st-sp%%$!msg:::drop-cc%\n")
$outchannel
testlog,/var/log/vmlogs/testlog,2100350156,/opt/vplat/bin/rsyslog-logrotate
/var/log/vmlogs/testlog
set $.configuredSeverity = 6;
#For Audit and Auth logs severity is fixed as 'info'
if ( ( ( $msg startswith 'audit(' or $msg contains 'msg=audit(' ) and
$programname == 'audispd' ) or ($syslogfacility-text == 'auth' or
$syslogfacility-text == 'authpriv' ) or ($msg contains '|wlcAudit|' or $msg
contains '|guiAudit|' or $msg contains '|apAudit|') and $syslogseverity !=
$!configuredSeverity)
then
{
:omfile:$testlog;TestFileFormat
stop
}
Appreciate your help,
Thanks and Regards
Lak.
________________________________
From: Rainer Gerhards <[email protected]>
Sent: Tuesday, March 20, 2018 9:43 AM
To: putcha narayana
Cc: rsyslog-users
Subject: Re: [rsyslog] Using local/global variables in templates
as I said: We need your full config to help.
Rainer
2018-03-20 5:50 GMT+01:00 putcha narayana <[email protected]>:
Hi,
Gentle Reminder. Appreciate your help in resolving this request.
Thanks in advance,
Lak.
________________________________
From: rsyslog <[email protected]> on behalf of putcha narayana via rsyslog
<[email protected]>
Sent: Sunday, March 18, 2018 3:27 AM
To: Rainer Gerhards; rsyslog-users
Cc: putcha narayana
Subject: Re: [rsyslog] Using local/global variables in templates
Hi,
Rainer, Appreciate your response. I tried your advice using FileFormat template
as shown below but the HOSTNAME is blank in the output.
set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME";
template(name="TestFileFormat" type="string"
string="%timereported:::date-rfc3339%.%timereported:::date-subseconds%
%syslogseverity-text% %$.MYCUSTOMIZEDHOSTNAME%
%syslogtag:R,ERE,1,FIELD:^(.*):--end%:%$!msg:::sp-if-no-1st-sp%%$!msg:::drop-cc%\n")
Output:
2018-03-16T12:32:57.159690+05:30.159690 info TESTPROCESS[1200]: Testing
templates Using a Variable.
I am missing something basic here. Please share your inputs.
Thanks and Regards
Lak.
________________________________
From: Rainer Gerhards <[email protected]>
Sent: Thursday, March 15, 2018 8:14 AM
To: rsyslog-users
Cc: putcha narayana
Subject: Re: [rsyslog] Using local/global variables in templates
template(name="ForwardFormat" type="string"
string="<%PRI%>%TIMESTAMP:::date-rfc3339%
%$.MYCUSTOMIZEDHOSTNAME%%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n")
HTH
Rainer
2018-03-15 5:31 GMT+01:00 putcha narayana via rsyslog <[email protected]>:
> Hi,
>
>
> I have defined the templates (enclosed at the end of the mail) for logging
> locally into a file and to forward to remote syslog server.
>
>
> Question: For the "ForwardFormat" Template can we replace %HOSTNAME% with a
> variable.
>
>
> I am able to replace it with a fixed string. i.e., Replacing %HOSTNAME% with
> MYCUSTOMIZEDHOSTNAME will have the MYCUSTOMIZEDHOSTNAME in the logs sent to
> remote syslog server. I used $MYCUSTOMIZEDHOSTNAME but the output is logged as
> $MYCUSTOMIZEDHOSTNAME
>
>
> Can we replace MYCUSTOMIZEDHOSTNAME with a Variable $.MYCUSTOMIZEDHOSTNAME or
> $@MYCUSTOMIZEDHOSTNAME, assign a value to it, use it in the template such
> that the value of the variable will be seen in logs.
>
>
> Templates:
>
> template(name="FileFormat" type="string"
> string="%timereported:::date-rfc3164%.%timereported:::date-subseconds%
> %syslogseverity-text% %HOSTNAME:F,46:1:uppercase%
> %syslogtag:R,ERE,1,FIELD:^(.*):--end%:%msg:::sp-if-no-1st-sp%%msg:::drop-cc%\n")
>
>
> template(name="ForwardFormat" type="string"
> string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME%
> %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n")
>
>
>
> Modified Template:
>
> template(name="ForwardFormat" type="string"
> string="<%PRI%>%TIMESTAMP:::date-rfc3339% $MYCUSTOMIZEDHOSTNAME
> %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n")
>
>
> Output:
>
> 2018-03-15T09:37:07.902786+05:30.902786 info $MYCUSTOMIZEDHOSTNAME
> TESTPROCESS[1200]: Testing templates Using a Variable.
>
>
> Note: I don't want to set "$LocalHostName yourhostname" because the logs
> logged to a file on the local disc should have the HOSTNAME.
>
>
> Appreciate your help
>
> Thanks and Regards
>
> Lak.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.