On Thu, 3 May 2018, Flo Rance wrote:

Date: Thu, 3 May 2018 11:13:02 +0200
From: Flo Rance <[email protected]>
To: David Lang <[email protected]>
Cc: Rainer Gerhards <[email protected]>,
    rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Filter on priority from docker

Here's the rule that is applied:

rule=: %date:date-iso% %time:word% %tz:word% [%pid:char-to:\x5d%]
%user:char-to:\x40%@%db:word% [%host:char-to:\x5d%]
%severity:char-to:\x3a%: %msg:rest%

Here's the output of the lognormalizer utility:

echo " 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local]
FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database
"postgres", SSL off" | /usr/lib/lognorm/lognormalizer -r
/home/syslog/rules/postgresql.rb
{ "msg": " no pg_hba.conf entry for host [local], user postgres, database
postgres, SSL off", "severity": "FATAL", "host": "local", "db": "postgres",
"user": "postgres", "pid": "24873", "tz": "CEST", "time": "11:04:20.201",
"date": "2018-05-03" }

One problem is that you have far too many " characters in your echo; that is not doing what you think it is. Wrap the message with single quotes ' instead.

David Lang



and finally the output of rsyslog debug:

Debug line with all properties:
FROMHOST: 'sc006692.domain', fromhost-ip: '127.0.0.1', HOSTNAME:
'sc006692.domain', PRI: 155,
syslogtag 'docker_fluance-ehealthdb[1116]:', programname:
'docker_fluance-ehealthdb', APP-NAME: 'docker_fluance-ehealthdb', PROCID:
'1116', MSGID: '-',
TIMESTAMP: 'May  3 11:04:20', STRUCTURED-DATA: '-',
msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local]
FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database
"postgres", SSL off'
escaped msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres
[local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres",
database "postgres", SSL off'
inputname: imuxsock rawmsg: '<155>May  3 11:04:20
docker_fluance-ehealthdb[1116]: 2018-05-03 11:04:20.201 CEST [24873]
postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]",
user "postgres", database "postgres", SSL off'
$!:
$.:
$/:

On Wed, May 2, 2018 at 11:20 PM, David Lang <[email protected]> wrote:

Please post your rulebase and the output from RSYSLOG_DebugFormat so that
we can look at a message that should be matched and what the ruleset for
the match is.

Odds are that there is something different in the message than you think
it is, so your rule doesn't actually match.


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
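
The quoting problem David Lang points out, shown as an added example that is not part of the original thread: the message text is copied from the rsyslog debug output quoted above, and the function names are hypothetical. The first form produces the quote-less text seen in the "msg" field of the lognormalizer output, while the other two deliver the line as rsyslog received it.

```shell
#!/bin/sh
# Added example, not from the thread. The sample line is copied from the
# rsyslog debug output quoted above; function names are made up here.

# 1) As typed in the thread: each inner " ends or reopens the outer string,
#    so the shell deletes all six of them before echo runs. The bare [local]
#    left between them is also an unquoted glob pattern.
double_quoted() {
    echo " 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off"
}

# 2) Single quotes: nothing inside is interpreted, the " characters survive.
single_quoted() {
    printf '%s\n' ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off'
}

# 3) Quoted here-document: also safe when the log line itself contains a '.
heredoc_quoted() {
    cat <<'EOF'
 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off
EOF
}

# Count the double-quote characters that actually reach the next command.
count_dq() {
    printf '%s' "$1" | tr -cd '"' | wc -c | tr -d ' '
}

for form in double_quoted single_quoted heredoc_quoted; do
    printf '%-15s %s double quotes reach the parser\n' "$form" "$(count_dq "$("$form")")"
done

# To test the rulebase against the exact bytes rsyslog saw, pipe form 2 or 3:
#   single_quoted | /usr/lib/lognorm/lognormalizer -r /home/syslog/rules/postgresql.rb
```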
