Your ruleset doesn't have quotes in it.
The way you are echoing it with the wrong quotes is causing things to not work
as expected. The line that you are actually processing is:
2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL: no pg_hba.conf entry for host [local], user postgres, database postgres, SSL off
while what is being sent is actually:
2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off
Add the appropriate quotes to your rule and it should work properly.
David Lang
On Thu, 3 May 2018, Flo Rance wrote:
Date: Thu, 3 May 2018 11:13:02 +0200
From: Flo Rance <[email protected]>
To: David Lang <[email protected]>
Cc: Rainer Gerhards <[email protected]>,
rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Filter on priority from docker
Here's the rule that is applied:
rule=: %date:date-iso% %time:word% %tz:word% [%pid:char-to:\x5d%] %user:char-to:\x40%@%db:word% [%host:char-to:\x5d%] %severity:char-to:\x3a%: %msg:rest%
Here's the output of the lognormalizer utility:
echo " 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off" | /usr/lib/lognorm/lognormalizer -r /home/syslog/rules/postgresql.rb
{ "msg": " no pg_hba.conf entry for host [local], user postgres, database postgres, SSL off", "severity": "FATAL", "host": "local", "db": "postgres", "user": "postgres", "pid": "24873", "tz": "CEST", "time": "11:04:20.201", "date": "2018-05-03" }
and finally the output of rsyslog debug:
Debug line with all properties:
FROMHOST: 'sc006692.domain', fromhost-ip: '127.0.0.1', HOSTNAME:
'sc006692.domain', PRI: 155,
syslogtag 'docker_fluance-ehealthdb[1116]:', programname:
'docker_fluance-ehealthdb', APP-NAME: 'docker_fluance-ehealthdb', PROCID:
'1116', MSGID: '-',
TIMESTAMP: 'May 3 11:04:20', STRUCTURED-DATA: '-',
msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local]
FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database
"postgres", SSL off'
escaped msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres
[local] FATAL: no pg_hba.conf entry for host "[local]", user "postgres",
database "postgres", SSL off'
inputname: imuxsock rawmsg: '<155>May 3 11:04:20
docker_fluance-ehealthdb[1116]: 2018-05-03 11:04:20.201 CEST [24873]
postgres@postgres [local] FATAL: no pg_hba.conf entry for host "[local]",
user "postgres", database "postgres", SSL off'
$!:
$.:
$/:
On Wed, May 2, 2018 at 11:20 PM, David Lang <[email protected]> wrote:
Please post your rulebase and the output from RSYSLOG_DebugFormat so that
we can look at a message that should be matched and what the ruleset for
the match is.
Odds are that there is something different in the message than you think
it is, so your rule doesn't actually match.
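The quoting difference discussed in this thread, as an added example that is not part of the original messages: the double-quoted echo hands the normalizer a line with the inner quotes stripped, while a single-quoted string reproduces the line rsyslog logged. The function names and the `LOGNORMALIZER`/`RULEBASE` variables are hypothetical; the binary path, rulebase path and `-r` flag are the ones shown in the thread, and the sample line is copied from the debug output above.

```shell
#!/bin/sh
# Added example (not from the thread). Paths default to those quoted in the thread.
LOGNORMALIZER=${LOGNORMALIZER:-/usr/lib/lognorm/lognormalizer}
RULEBASE=${RULEBASE:-/home/syslog/rules/postgresql.rb}

# The test command as typed in the thread: each inner " closes and reopens the
# outer string, so the shell removes all of them before echo sees the text.
# set -f keeps the now-unquoted [local] from being treated as a glob pattern.
naive_line() (
    set -f
    echo " 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off"
)

# Single quotes keep every inner double quote, matching the msg property
# shown in the rsyslog debug output.
exact_line() {
    printf '%s\n' ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL: no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off'
}

# Count the double-quote characters in a string.
count_quotes() {
    echo $(( $(printf '%s' "$1" | tr -cd '"' | wc -c) ))
}

# Feed the exact line to lognormalizer when it and the rulebase are present.
replay_exact() {
    if [ -x "$LOGNORMALIZER" ] && [ -r "$RULEBASE" ]; then
        exact_line | "$LOGNORMALIZER" -r "$RULEBASE"
    else
        echo "lognormalizer or rulebase not found, skipping replay" >&2
    fi
}

echo "quotes reaching the normalizer (double-quoted echo): $(count_quotes "$(naive_line)")"
echo "quotes in the line rsyslog received:                 $(count_quotes "$(exact_line)")"
replay_exact
```
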