Sorry, I forgot to specify that I use version 2 in the rule:

version=2
rule=: %date:date-iso% %time:word% %tz:word% [%pid:char-to:\x5d%] %user:char-to:\x40%@%db:word% [%host:char-to:\x5d%] %severity:char-to:\x3a%: %msg:rest%

On Thu, May 3, 2018 at 11:13 AM, Flo Rance <[email protected]> wrote:

> Here's the rule that is applied:
>
> rule=: %date:date-iso% %time:word% %tz:word% [%pid:char-to:\x5d%]
> %user:char-to:\x40%@%db:word% [%host:char-to:\x5d%]
> %severity:char-to:\x3a%: %msg:rest%
>
> Here's the output of the lognormalizer utility:
>
> echo " 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local]
> FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database
> "postgres", SSL off" | /usr/lib/lognorm/lognormalizer -r
> /home/syslog/rules/postgresql.rb
> { "msg": " no pg_hba.conf entry for host [local], user postgres, database
> postgres, SSL off", "severity": "FATAL", "host": "local", "db": "postgres",
> "user": "postgres", "pid": "24873", "tz": "CEST", "time": "11:04:20.201",
> "date": "2018-05-03" }
>
> and finally the output of rsyslog debug:
>
> Debug line with all properties:
> FROMHOST: 'sc006692.domain', fromhost-ip: '127.0.0.1', HOSTNAME:
> 'sc006692.domain', PRI: 155,
> syslogtag 'docker_fluance-ehealthdb[1116]:', programname:
> 'docker_fluance-ehealthdb', APP-NAME: 'docker_fluance-ehealthdb', PROCID:
> '1116', MSGID: '-',
> TIMESTAMP: 'May 3 11:04:20', STRUCTURED-DATA: '-',
> msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local]
> FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database
> "postgres", SSL off'
> escaped msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres
> [local] FATAL: no pg_hba.conf entry for host "[local]", user "postgres",
> database "postgres", SSL off'
> inputname: imuxsock rawmsg: '<155>May 3 11:04:20
> docker_fluance-ehealthdb[1116]: 2018-05-03 11:04:20.201 CEST [24873]
> postgres@postgres [local] FATAL: no pg_hba.conf entry for host
> "[local]", user "postgres", database "postgres", SSL off'
> $!:
> $.:
> $/:
>
> On Wed, May 2, 2018 at 11:20 PM, David Lang <[email protected]> wrote:
>
>> Please post your rulebase and the output from RSYSLOG_DebugFormat so that
>> we can look at a message that should be matched and what the ruleset for
>> the match is.
>>
>> Odds are that there is something different in the message than you think
>> it is, so your rule doesn't actually match.
>>

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
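
To see which step of the rule a given message fails on, the rule from this thread can be walked field by field. The following is an added example, not code from the thread or from liblognorm: a simplified Python re-implementation of only the four parser types this rule uses (date-iso, word, char-to, rest). The function names, the treatment of the space after "rule=:" as a literal, and the sample string are assumptions of this sketch.

```python
import re

# Rule text from the post (the part after "rule=:"). Assumption: the space
# after "rule=:" is a literal that must match the message's leading space.
RULE = (r" %date:date-iso% %time:word% %tz:word% [%pid:char-to:\x5d%] "
        r"%user:char-to:\x40%@%db:word% [%host:char-to:\x5d%] "
        r"%severity:char-to:\x3a%: %msg:rest%")
# Constructed from the message in the post; the two spaces after "FATAL:" are
# an assumption based on the leading space in the posted "msg" field.
SAMPLE = (' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] '
          'FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", '
          'database "postgres", SSL off')

FIELD = re.compile(r"%([\w-]+):([\w-]+)(?::([^%]*))?%")
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")

def compile_rule(rule):
    """Split a rule into ("literal", text, "") and (type, name, extra) steps."""
    steps, pos = [], 0
    for m in FIELD.finditer(rule):
        if m.start() > pos:
            steps.append(("literal", rule[pos:m.start()], ""))
        extra = re.sub(r"\\x([0-9a-fA-F]{2})",
                       lambda h: chr(int(h.group(1), 16)), m.group(3) or "")
        steps.append((m.group(2), m.group(1), extra))
        pos = m.end()
    if pos < len(rule):
        steps.append(("literal", rule[pos:], ""))
    return steps

def normalize(msg, steps):
    """Return the extracted fields, or None as soon as one step fails to match."""
    out, i = {}, 0
    for kind, arg, extra in steps:
        if kind == "literal":
            if not msg.startswith(arg, i):
                return None
            i += len(arg)
            continue
        if kind == "date-iso":
            m = ISO_DATE.match(msg, i)
            end = m.end() if m else -1
        elif kind == "word":
            end = msg.find(" ", i) if " " in msg[i:] else len(msg)
        elif kind == "char-to":
            end = msg.find(extra, i)
        else:  # "rest": everything up to the end of the message
            end = len(msg)
        if end < i or (end == i and kind != "rest"):
            return None
        out[arg], i = msg[i:end], end
    return out if i == len(msg) else None
```

Calling normalize(SAMPLE, compile_rule(RULE)) yields the same field values as the lognormalizer output quoted above, while the same message with its leading space stripped returns None under this sketch's reading of the rule.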

