2018-04-26 9:48 GMT+02:00 Flo Rance via rsyslog <[email protected]>:
> What do you mean by "not in any standard format" ?
> I've explicitly declared the logging driver in docker to be syslog, so I
> was expecting to be able to parse the result to extract accurate data in
> the fields.
>
> Can you give me any hints on how I could use mmnormalize to extract the
> various fields ?

Let's get started with something easier. Please add

*.* /var/log/messagedebug;RSYSLOG_DebugFormat

to the top of your rsyslog.conf. Let some messages flow. In the new
file, you should then see that message together with the decoded
properties AND the raw message. Post that entry (~6 lines or so). With
that, we know for sure what is going on.

Rainer

>
>
> On Wed, Apr 25, 2018 at 7:28 PM, David Lang <[email protected]> wrote:
>
>> On Wed, 25 Apr 2018, Rainer Gerhards wrote:
>>
>> 2018-04-25 9:29 GMT+02:00 Flo Rance <[email protected]>:
>>>
>>>> Ok, but if ".err" means "err and above", why does it forward messages
>>>> with
>>>> the severity INFO as in the example ?
>>>>
>>>
>>> pls post the raw message - how do you know it is INFO?
>>>
>>
>> in the docker world, the 'standard' is that messages get dumped to stdout,
>> not in any standard format, so INFO: in the message body is the indication.
>>
>> It looks like these logs should be parsed with mmnormalize to extract the
>> various fields (potentially as a parser on the input)
>>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.