Here's the rule that is applied:

rule=: %date:date-iso% %time:word% %tz:word% [%pid:char-to:\x5d%] %user:char-to:\x40%@%db:word% [%host:char-to:\x5d%] %severity:char-to:\x3a%: %msg:rest%

Here's the output of the lognormalizer utility:

echo " 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off" | /usr/lib/lognorm/lognormalizer -r /home/syslog/rules/postgresql.rb
{ "msg": " no pg_hba.conf entry for host [local], user postgres, database postgres, SSL off", "severity": "FATAL", "host": "local", "db": "postgres", "user": "postgres", "pid": "24873", "tz": "CEST", "time": "11:04:20.201", "date": "2018-05-03" }

And finally, the output of rsyslog debug:

Debug line with all properties:
FROMHOST: 'sc006692.domain', fromhost-ip: '127.0.0.1', HOSTNAME:
'sc006692.domain', PRI: 155,
syslogtag 'docker_fluance-ehealthdb[1116]:', programname:
'docker_fluance-ehealthdb', APP-NAME: 'docker_fluance-ehealthdb', PROCID:
'1116', MSGID: '-',
TIMESTAMP: 'May  3 11:04:20', STRUCTURED-DATA: '-',
msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local]
FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database
"postgres", SSL off'
escaped msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres
[local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres",
database "postgres", SSL off'
inputname: imuxsock rawmsg: '<155>May  3 11:04:20
docker_fluance-ehealthdb[1116]: 2018-05-03 11:04:20.201 CEST [24873]
postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]",
user "postgres", database "postgres", SSL off'
$!:
$.:
$/:

On Wed, May 2, 2018 at 11:20 PM, David Lang wrote:

> Please post your rulebase and the output from RSYSLOG_DebugFormat so that
> we can look at a message that should be matched and what the ruleset for
> the match is.
>
> Odds are that there is something different in the message than you think
> it is, so your rule doesn't actually match.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
