Good idea. Here's a typical message that is sent by docker to syslog:

Debug line with all properties:
FROMHOST: 'sc006692.domain', fromhost-ip: '127.0.0.1', HOSTNAME: 'sc006692.domain', PRI: 155,
syslogtag 'docker_fluance-ehealthdb[1116]:', programname: 'docker_fluance-ehealthdb', APP-NAME: 'docker_fluance-ehealthdb', PROCID: '1116', MSGID: '-',
TIMESTAMP: 'Apr 26 10:22:45', STRUCTURED-DATA: '-',
msg: ' 2018-04-26 10:22:45.283 CEST [13518] postgres@postgres [local] FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off'
escaped msg: ' 2018-04-26 10:22:45.283 CEST [13518] postgres@postgres [local] FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off'
inputname: imuxsock rawmsg: '<155>Apr 26 10:22:45 docker_fluance-ehealthdb[1116]: 2018-04-26 10:22:45.283 CEST [13518] postgres@postgres [local] FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off'
$!:
$.:
$/:

On Thu, Apr 26, 2018 at 9:57 AM, Rainer Gerhards <[email protected]> wrote:
> 2018-04-26 9:48 GMT+02:00 Flo Rance via rsyslog <[email protected]>:
> > What do you mean by "not in any standard format" ?
> > I've explicitly declared the logging driver in docker to be syslog, so I
> > was expecting to be able to parse the result to extract accurate data in
> > the fields.
> >
> > Can you give me any hints on how I could use mmnormalize to extract the
> > various fields ?
>
> let's get started with something easier. Please add
>
> *.* /var/log/messagedebug;RSYSLOG_DebugFormat
>
> to the top of your rsyslog.conf. Let some messages flow. In the new
> file, you should then see that message together with the decoded
> properties AND the raw message. Post that entry (~6 lines or so). With
> that, we know for sure what is going on.
>
> Rainer
>
> > On Wed, Apr 25, 2018 at 7:28 PM, David Lang <[email protected]> wrote:
> >
> >> On Wed, 25 Apr 2018, Rainer Gerhards wrote:
> >>
> >> 2018-04-25 9:29 GMT+02:00 Flo Rance <[email protected]>:
> >>>
> >>>> Ok, but if ".err" means "err and above", why does it forward messages
> >>>> with the severity INFO as in the example ?
> >>>>
> >>>
> >>> pls post the raw message - how do you know it is INFO?
> >>>
> >>
> >> in the docker world, the 'standard' is that messages get dumped to stdout,
> >> not in any standard format, so INFO: in the message body is the indication.
> >>
> >> It looks like these logs should be parsed with mmnormalize to extract the
> >> various fields (potentially as a parser on the input)
> >>
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
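Pulling fields out of that rawmsg, as an added example that is not code from the thread, from rsyslog or from liblognorm: a small Python normalizer that decodes PRI 155 into facility and severity, splits the docker syslogtag and PID, and extracts the PostgreSQL prefix fields from the body. The PostgreSQL prefix layout and the PG-level-to-syslog-severity mapping are assumptions inferred from this one sample.

```python
import re
from typing import Optional

# Constructed sample: the rawmsg from the RSYSLOG_DebugFormat entry in this thread.
RAW = ('<155>Apr 26 10:22:45 docker_fluance-ehealthdb[1116]: 2018-04-26 10:22:45.283 CEST '
       '[13518] postgres@postgres [local] FATAL: no pg_hba.conf entry for host "[local]", '
       'user "postgres", database "postgres", SSL off')
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Assumed mapping of PostgreSQL levels onto syslog severities, used only for the mismatch flag.
PG_TO_SYSLOG = {"PANIC": "crit", "FATAL": "crit", "ERROR": "err", "WARNING": "warning",
                "NOTICE": "notice", "LOG": "notice", "INFO": "info", "DEBUG": "debug"}
# RFC 3164-style header as in the sample: <PRI>TIMESTAMP TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<programname>[^\[: ]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$', re.S)
# PostgreSQL prefix layout inferred from the sample: '<ts> [<pid>] <user>@<db> <client> <LEVEL>: <text>'
PG_RE = re.compile(
    r'^\s*(?P<pg_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)? \S+) \[(?P<pg_pid>\d+)\] '
    r'(?:(?P<pg_user>[^@\s]+)@(?P<pg_db>\S+) (?P<pg_client>\S+) )?'
    r'(?P<pg_level>DEBUG\d?|INFO|NOTICE|WARNING|ERROR|LOG|FATAL|PANIC):\s+(?P<pg_text>.*)$', re.S)


def parse_syslog(raw: str) -> dict:
    """Split the syslog header and decode PRI into facility and severity names."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164-style syslog line")
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"] = FACILITIES[pri >> 3]  # 155 >> 3 == 19 -> local3
    rec["severity"] = SEVERITIES[pri & 7]   # 155 & 7 == 3 -> err
    return rec


def parse_postgres(msg: str) -> Optional[dict]:
    """Extract the PostgreSQL prefix fields from the body, or None if it is not a PG line."""
    m = PG_RE.match(msg)
    return m.groupdict() if m else None


def normalize(raw: str) -> dict:
    """Header plus PostgreSQL fields; flags when the body level disagrees with the PRI severity."""
    rec = parse_syslog(raw)
    pg = parse_postgres(rec["msg"])
    if pg:
        rec.update(pg)
        # The PRI comes from the log driver, not from the text, so the two can legitimately differ.
        body = PG_TO_SYSLOG.get(pg["pg_level"].rstrip("0123456789"), "info")
        rec["severity_mismatch"] = body != rec["severity"]
    return rec
```

On the sample the header decodes to local3/err while the body carries FATAL, and a selector such as `*.err` acts on that PRI value rather than on the level in the text.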

