ok, still partial config... My guess is that some of your config prevent the set to happen. Let's try to debug this differently. Please create a debug log and post the FULL output (e.g. via pastbin or a similar service). You should do a startup of rsyslog and ensure that at least one of the messages in question is being processed, so that I can see both the full config and the processing flow inside the debug log.
Instructions for debug log: https://www.rsyslog.com/doc/v8-stable/troubleshooting/troubleshoot.html#debug-log Rainer 2018-03-21 4:36 GMT+01:00 putcha narayana <[email protected]>: > # > # FILE NAME : rsyslog-local.conf > # > # DESCRIPTION : > # > # Configuration for local syslog > ############################################################ > #################### > > > $MaxMessageSize 4096 > > # import logs from journal > $ModLoad imjournal > $imjournalRatelimitInterval 1 > $imjournalRatelimitBurst 20000 > $imjournalPersistStateInterval 100 > $imjournalStateFile /var/lib/rsyslog/imjournal.state > > # setting escaping off to make it possible to remove the control characters > $EscapeControlCharactersOnReceive off > > # removing the optimization from use (it slows things down) > $OptimizeForUniprocessor off > > # Using queue for 20000 messages. After that the messages are dropped > instantly > $MainMsgQueueSize 20000 > $MainMsgQueueDiscardMark 20000 > $MainMsgQueueTimeoutEnqueue 0 > > > $IncludeConfig /etc/rsyslog-local.d/*.conf > > > *In one of the conf files we have the following templates and outchannel > defined.* > > set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME"; > template(name="TestFileFormat" type="string" string="%timereported:::date-r > fc3339%.%timereported:::date-subseconds% %syslogseverity-text% > %$.MYCUSTOMIZEDHOSTNAME% %syslogtag:R,ERE,1,FIELD:^(.*) > :--end%:%$!msg:::sp-if-no-1st-sp%%$!msg:::drop-cc%\n") > > $outchannel > testlog,/var/log/testlog,2100350156,/opt/vplat/bin/rsyslog-logrotate > /var/log/testlog > > *In Another conf file we have the RULE to forward events to Remote Syslog > Server. For the sake of discussion i have updated the RULE to log to a file > (/var/log/testlog) on the disk. * > > set $.configuredSeverity = 6; > #For Audit and Auth logs severity is fixed as 'info' > if ( ( ( $msg startswith 'audit(' or $msg contains 'msg=audit(' ) and > $programname == 'audispd' ) or ($syslogfacility-text == 'auth' or > $syslogfacility-text == 'authpriv' ) or ($msg contains '|Audit|' ) and > $syslogseverity != $!configuredSeverity) > then > { > :omfile:$testlog;TestFileFormat > stop > } > > *In another conf file we have the following rule. * > *.warn :omfile:$syslog_log;FileFormat > > > If one sample works, then i can extend it to others. > > > Thanks and Regards > > Lak. > > > > ------------------------------ > *From:* Rainer Gerhards <[email protected]> > *Sent:* Tuesday, March 20, 2018 11:17 AM > > *To:* putcha narayana > *Cc:* rsyslog-users > *Subject:* Re: [rsyslog] Using local/global variables in templates > > Is that really your complete config? No inputs, no other rules, no > nothing? > > Rainer > > 2018-03-20 11:34 GMT+01:00 putcha narayana <[email protected]>: > > Hi, > > > I am sorry. I did not see/find that message for some strange reason in the > previous response. > > > set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME"; > template(name="TestFileFormat" type="string" string="%timereported:::date-r > fc3339%.%timereported:::date-subseconds% %syslogseverity-text% > %$.MYCUSTOMIZEDHOSTNAME% %syslogtag:R,ERE,1,FIELD:^(.*) > :--end%:%$!msg:::sp-if-no-1st-sp%%$!msg:::drop-cc%\n") > > $outchannel > testlog,/var/log/vmlogs/testlog,2100350156,/opt/vplat/bin/rsyslog-logrotate > /var/log/vmlogs/testlog > > > set $.configuredSeverity = 6; > #For Audit and Auth logs severity is fixed as 'info' > if ( ( ( $msg startswith 'audit(' or $msg contains 'msg=audit(' ) and > $programname == 'audispd' ) or ($syslogfacility-text == 'auth' or > $syslogfacility-text == 'authpriv' ) or ($msg contains '|wlcAudit|' or $msg > contains '|guiAudit|' or $msg contains '|apAudit|') and $syslogseverity != > $!configuredSeverity) > then > { > :omfile:$testlog;TestFileFormat > stop > } > > > Appreciate your help, > > Thanks and Regards > > Lak. > > ------------------------------ > *From:* Rainer Gerhards <[email protected]> > *Sent:* Tuesday, March 20, 2018 9:43 AM > *To:* putcha narayana > *Cc:* rsyslog-users > > *Subject:* Re: [rsyslog] Using local/global variables in templates > > as I said: We need your full config to help. > > Rainer > > 2018-03-20 5:50 GMT+01:00 putcha narayana <[email protected]>: > > Hi, > > > Gentle Reminder. Appreciate your help in resolving this request. > > > Thanks in advance, > > Lak. > > ------------------------------ > *From:* rsyslog <[email protected]> on behalf of putcha > narayana via rsyslog <[email protected]> > *Sent:* Sunday, March 18, 2018 3:27 AM > *To:* Rainer Gerhards; rsyslog-users > > *Cc:* putcha narayana > *Subject:* Re: [rsyslog] Using local/global variables in templates > > Hi, > > > Rainer, Appreciate your response. I tried your advise using FileFormat > template as show below but the HOSTNAME is blank in the output. > > > set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME"; > template(name="TestFileFormat" type="string" string="%timereported:::date-r > fc3339%.%timereported:::date-subseconds% %syslogseverity-text% > %$.MYCUSTOMIZEDHOSTNAME% %syslogtag:R,ERE,1,FIELD:^(.*) > :--end%:%$!msg:::sp-if-no-1st-sp%%$!msg:::drop-cc%\n") > > > Output: > > 2018-03-16T12:32:57.159690+05:30.159690 info TESTPROCESS[1200]: Testing > templates Using a Variable. > > > I am missing something basic here. Please share your inputs. > > > Thanks and Regards > > Lak. > > ________________________________ > From: Rainer Gerhards <[email protected]> > Sent: Thursday, March 15, 2018 8:14 AM > To: rsyslog-users > Cc: putcha narayana > Subject: Re: [rsyslog] Using local/global variables in templates > > template(name="ForwardFormat" type="string" > string="<%PRI%>%TIMESTAMP:::date-rfc3339% > %$.MYCUSTOMIZEDHOSTNAME%%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n") > > HTH > Rainer > > 2018-03-15 5:31 GMT+01:00 putcha narayana via rsyslog > <[email protected]>: > > Hi, > > > > > > I have defined the templates (enclosed at the end of the mail) for > logging locally into a file and to forward to remote syslog server. > > > > > > Question: For the "ForwardFormat" Template can we replace %HOSTNAME% > with a variable. > > > > > > I am able to replace it with a fixed string. i.e., Replacing %HOSTNAME% > with MYCUSTOMIZEDHOSTNAME will have the MYCUSTOMIZEDHOSTNAME in the logs > sent to remote syslog server. I used $MYCUSTOMIZEDHOSTNAME but the output > log as $MYCUSTOMIZEDHOSTNAME > > > > > > Can we replace MYCUSTOMIZEDHOSTNAME with a Variable > $.MYCUSTOMIZEDHOSTNAME or $@MYCUSTOMIZEDHOSTNAME, assign a value to it, use > it in the template such that the value of the variable will be seen in logs. > > > > > > Templates: > > > > template(name="FileFormat" type="string" string="%timereported:::date-r > fc3164%.%timereported:::date-subseconds% %syslogseverity-text% > %HOSTNAME:F,46:1:uppercase% %syslogtag:R,ERE,1,FIELD:^(.*) > :--end%:%msg:::sp-if-no-1st-sp%%msg:::drop-cc%\n") > > > > > > template(name="ForwardFormat" type="string" > string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% > %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n") > > > > > > > > Modified Template: > > > > template(name="ForwardFormat" type="string" > string="<%PRI%>%TIMESTAMP:::date-rfc3339% $MYCUSTOMIZEDHOSTNAME > %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n") > > > > > > Output: > > > > 2018-03-15T09:37:07.902786+05:30.902786 info $MYCUSTOMIZEDHOSTNAME > TESTPROCESS[1200]: Testing templates Using a Variable. > > > > > > Note: I don't want to set "$LocalHostName yourhostname" because the logs > logged to a file on the local disc should have the HOSTNAME. > > > > > > Appreciate your help > > > > Thanks and Regards > > > > Lak. > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > rsyslog Info Page - lists.adiscon.net > <http://lists.adiscon.net/mailman/listinfo/rsyslog> > lists.adiscon.net > Mailing list for rsyslog users. Used for discussion, questions, > suggestions and everything else that helps. This is a PUBLIC list that is > archived by a myriad of sites. > > > > > rsyslog Info Page - lists.adiscon.net<http://lists > .adiscon.net/mailman/listinfo/rsyslog> > lists.adiscon.net > Mailing list for rsyslog users. Used for discussion, questions, > suggestions and everything else that helps. This is a PUBLIC list that is > archived by a myriad of sites. > > > > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > > > > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
