Apologies for the delay. I am waiting for a setup where i can collect the debug log. All the current test instances are in use. I will revert once I collect the required logs.
Thanks and Regards Lak. ________________________________ From: Rainer Gerhards <[email protected]> Sent: Wednesday, March 21, 2018 5:58 AM To: putcha narayana Cc: rsyslog-users Subject: Re: [rsyslog] Using local/global variables in templates ok, still partial config... My guess is that some of your config prevent the set to happen. Let's try to debug this differently. Please create a debug log and post the FULL output (e.g. via pastbin or a similar service). You should do a startup of rsyslog and ensure that at least one of the messages in question is being processed, so that I can see both the full config and the processing flow inside the debug log. Instructions for debug log: https://www.rsyslog.com/doc/v8-stable/troubleshooting/troubleshoot.html#debug-log [http://www.rsyslog.com/files/2018/02/logo7-1.png]<https://www.rsyslog.com/doc/v8-stable/troubleshooting/troubleshoot.html#debug-log> troubleshooting problems — rsyslog 8.33.1 documentation<https://www.rsyslog.com/doc/v8-stable/troubleshooting/troubleshoot.html#debug-log> www.rsyslog.com troubleshooting problems¶ Having trouble with rsyslog? This page provides some tips on where to look for help and what to do if you need to ask for assistance. Rainer 2018-03-21 4:36 GMT+01:00 putcha narayana <[email protected]<mailto:[email protected]>>: # # FILE NAME : rsyslog-local.conf # # DESCRIPTION : # # Configuration for local syslog ################################################################################ $MaxMessageSize 4096 # import logs from journal $ModLoad imjournal $imjournalRatelimitInterval 1 $imjournalRatelimitBurst 20000 $imjournalPersistStateInterval 100 $imjournalStateFile /var/lib/rsyslog/imjournal.state # setting escaping off to make it possible to remove the control characters $EscapeControlCharactersOnReceive off # removing the optimization from use (it slows things down) $OptimizeForUniprocessor off # Using queue for 20000 messages. After that the messages are dropped instantly $MainMsgQueueSize 20000 $MainMsgQueueDiscardMark 20000 $MainMsgQueueTimeoutEnqueue 0 $IncludeConfig /etc/rsyslog-local.d/*.conf In one of the conf files we have the following templates and outchannel defined. set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME"; template(name="TestFileFormat" type="string" string="%timereported:::date-rfc3339%.%timereported:::date-subseconds% %syslogseverity-text% %$.MYCUSTOMIZEDHOSTNAME% %syslogtag:R,ERE,1,FIELD:^(.*):--end%:%$!msg:::sp-if-no-1st-sp%%$!msg:::drop-cc%\n") $outchannel testlog,/var/log/testlog,2100350156,/opt/vplat/bin/rsyslog-logrotate /var/log/testlog In Another conf file we have the RULE to forward events to Remote Syslog Server. For the sake of discussion i have updated the RULE to log to a file (/var/log/testlog) on the disk. set $.configuredSeverity = 6; #For Audit and Auth logs severity is fixed as 'info' if ( ( ( $msg startswith 'audit(' or $msg contains 'msg=audit(' ) and $programname == 'audispd' ) or ($syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' ) or ($msg contains '|Audit|' ) and $syslogseverity != $!configuredSeverity) then { :omfile:$testlog;TestFileFormat stop } In another conf file we have the following rule. *.warn :omfile:$syslog_log;FileFormat If one sample works, then i can extend it to others. Thanks and Regards Lak. ________________________________ From: Rainer Gerhards <[email protected]<mailto:[email protected]>> Sent: Tuesday, March 20, 2018 11:17 AM To: putcha narayana Cc: rsyslog-users Subject: Re: [rsyslog] Using local/global variables in templates Is that really your complete config? No inputs, no other rules, no nothing? Rainer 2018-03-20 11:34 GMT+01:00 putcha narayana <[email protected]<mailto:[email protected]>>: Hi, I am sorry. I did not see/find that message for some strange reason in the previous response. set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME"; template(name="TestFileFormat" type="string" string="%timereported:::date-rfc3339%.%timereported:::date-subseconds% %syslogseverity-text% %$.MYCUSTOMIZEDHOSTNAME% %syslogtag:R,ERE,1,FIELD:^(.*):--end%:%$!msg:::sp-if-no-1st-sp%%$!msg:::drop-cc%\n") $outchannel testlog,/var/log/vmlogs/testlog,2100350156,/opt/vplat/bin/rsyslog-logrotate /var/log/vmlogs/testlog set $.configuredSeverity = 6; #For Audit and Auth logs severity is fixed as 'info' if ( ( ( $msg startswith 'audit(' or $msg contains 'msg=audit(' ) and $programname == 'audispd' ) or ($syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' ) or ($msg contains '|wlcAudit|' or $msg contains '|guiAudit|' or $msg contains '|apAudit|') and $syslogseverity != $!configuredSeverity) then { :omfile:$testlog;TestFileFormat stop } Appreciate your help, Thanks and Regards Lak. ________________________________ From: Rainer Gerhards <[email protected]<mailto:[email protected]>> Sent: Tuesday, March 20, 2018 9:43 AM To: putcha narayana Cc: rsyslog-users Subject: Re: [rsyslog] Using local/global variables in templates as I said: We need your full config to help. Rainer 2018-03-20 5:50 GMT+01:00 putcha narayana <[email protected]<mailto:[email protected]>>: Hi, Gentle Reminder. Appreciate your help in resolving this request. Thanks in advance, Lak. ________________________________ From: rsyslog <[email protected]<mailto:[email protected]>> on behalf of putcha narayana via rsyslog <[email protected]<mailto:[email protected]>> Sent: Sunday, March 18, 2018 3:27 AM To: Rainer Gerhards; rsyslog-users Cc: putcha narayana Subject: Re: [rsyslog] Using local/global variables in templates Hi, Rainer, Appreciate your response. I tried your advise using FileFormat template as show below but the HOSTNAME is blank in the output. set $.MYCUSTOMIZEDHOSTNAME = "TESTHOSTNAME"; template(name="TestFileFormat" type="string" string="%timereported:::date-rfc3339%.%timereported:::date-subseconds% %syslogseverity-text% %$.MYCUSTOMIZEDHOSTNAME% %syslogtag:R,ERE,1,FIELD:^(.*):--end%:%$!msg:::sp-if-no-1st-sp%%$!msg:::drop-cc%\n") Output: 2018-03-16T12:32:57.159690+05:30.159690 info TESTPROCESS[1200]: Testing templates Using a Variable. I am missing something basic here. Please share your inputs. Thanks and Regards Lak. ________________________________ From: Rainer Gerhards <[email protected]<mailto:[email protected]>> Sent: Thursday, March 15, 2018 8:14 AM To: rsyslog-users Cc: putcha narayana Subject: Re: [rsyslog] Using local/global variables in templates template(name="ForwardFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %$.MYCUSTOMIZEDHOSTNAME%%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n") HTH Rainer 2018-03-15 5:31 GMT+01:00 putcha narayana via rsyslog <[email protected]<mailto:[email protected]>>: > Hi, > > > I have defined the templates (enclosed at the end of the mail) for logging > locally into a file and to forward to remote syslog server. > > > Question: For the "ForwardFormat" Template can we replace %HOSTNAME% with a > variable. > > > I am able to replace it with a fixed string. i.e., Replacing %HOSTNAME% with > MYCUSTOMIZEDHOSTNAME will have the MYCUSTOMIZEDHOSTNAME in the logs sent to > remote syslog server. I used $MYCUSTOMIZEDHOSTNAME but the output log as > $MYCUSTOMIZEDHOSTNAME > > > Can we replace MYCUSTOMIZEDHOSTNAME with a Variable $.MYCUSTOMIZEDHOSTNAME or > $@MYCUSTOMIZEDHOSTNAME, assign a value to it, use it in the template such > that the value of the variable will be seen in logs. > > > Templates: > > template(name="FileFormat" type="string" > string="%timereported:::date-rfc3164%.%timereported:::date-subseconds% > %syslogseverity-text% %HOSTNAME:F,46:1:uppercase% > %syslogtag:R,ERE,1,FIELD:^(.*):--end%:%msg:::sp-if-no-1st-sp%%msg:::drop-cc%\n") > > > template(name="ForwardFormat" type="string" > string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% > %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n") > > > > Modified Template: > > template(name="ForwardFormat" type="string" > string="<%PRI%>%TIMESTAMP:::date-rfc3339% $MYCUSTOMIZEDHOSTNAME > %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n") > > > Output: > > 2018-03-15T09:37:07.902786+05:30.902786 info $MYCUSTOMIZEDHOSTNAME > TESTPROCESS[1200]: Testing templates Using a Variable. > > > Note: I don't want to set "$LocalHostName yourhostname" because the logs > logged to a file on the local disc should have the HOSTNAME. > > > Appreciate your help > > Thanks and Regards > > Lak. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog rsyslog Info Page - lists.adiscon.net<http://lists.adiscon.net/mailman/listinfo/rsyslog> lists.adiscon.net<http://lists.adiscon.net> Mailing list for rsyslog users. Used for discussion, questions, suggestions and everything else that helps. This is a PUBLIC list that is archived by a myriad of sites. rsyslog Info Page - lists.adiscon.net<http://lists.adiscon.net><http://lists.adiscon.net/mailman/listinfo/rsyslog> lists.adiscon.net<http://lists.adiscon.net> Mailing list for rsyslog users. Used for discussion, questions, suggestions and everything else that helps. This is a PUBLIC list that is archived by a myriad of sites. > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
