I don't really understand what you mean by adding the appropriate quotes to
the rule. They are part of the %msg:rest% at the end.

I've tried again with the single quoted message and I get the following
result:

 echo ' 2018-05-04 10:24:16.573 CEST [53] postgres@postgres [local] FATAL:
no pg_hba.conf entry for host "[local]", user "postgres", database
"postgres", SSL off' | /usr/lib/lognorm/lognormalizer -r
/home/syslog/rules/postgresql.rb
{ "msg": " no pg_hba.conf entry for host \"[local]\", user \"postgres\",
database \"postgres\", SSL off", "severity": "FATAL", "host": "local",
"db": "postgres", "user": "postgres", "pid": "53", "tz": "CEST", "time":
"10:24:16.573", "date": "2018-05-04" }

But there's still nothing in the debug logs:

Debug line with all properties:
FROMHOST: 'sc005827.domain', fromhost-ip: '127.0.0.1', HOSTNAME:
'sc005827.domain', PRI: 155,
syslogtag 'docker_fluance-authenticationdb[1092]:', programname:
'docker_fluance-authenticationdb', APP-NAME:
'docker_fluance-authenticationdb', PROCID: '1092', MSGID: '-',
TIMESTAMP: 'May  4 10:24:16', STRUCTURED-DATA: '-',
msg: ' 2018-05-04 10:24:16.573 CEST [53] postgres@postgres [local] FATAL:
no pg_hba.conf entry for host "[local]", user "postgres", database
"postgres", SSL off'
escaped msg: ' 2018-05-04 10:24:16.573 CEST [53] postgres@postgres [local]
FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database
"postgres", SSL off'
inputname: imuxsock rawmsg: '<155>May  4 10:24:16
docker_fluance-authenticationdb[1092]: 2018-05-04 10:24:16.573 CEST [53]
postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]",
user "postgres", database "postgres", SSL off'
$!:
$.:
$/:

On Thu, May 3, 2018 at 11:38 PM, David Lang <[email protected]> wrote:

> your ruleset doesn't have quotes in it.
>
> the way you are echoing it with the wrong quotes is causing things to not
> work as expected. the line that you are actually processing is:
>
>  2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL:
> no pg_hba.conf entry for host [local], user postgres, database postgres,
> SSL off
>
> while what is being sent is actually:
>
>  2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL:
> no pg_hba.conf entry for host "[local]", user "postgres", database
> "postgres", SSL off
>
> add the appropriate quotes to your rule and it should work properly
>
> David Lang
>
> On Thu, 3 May 2018, Flo Rance wrote:
>
>> Date: Thu, 3 May 2018 11:13:02 +0200
>> From: Flo Rance <[email protected]>
>> To: David Lang <[email protected]>
>> Cc: Rainer Gerhards <[email protected]>,
>>     rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] Filter on priority from docker
>>
>> Here's the rule that is applied:
>>
>> rule=: %date:date-iso% %time:word% %tz:word% [%pid:char-to:\x5d%]
>> %user:char-to:\x40%@%db:word% [%host:char-to:\x5d%]
>> %severity:char-to:\x3a%: %msg:rest%
>>
>> Here's the output of the lognormalizer utility:
>>
>> echo " 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local]
>> FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database
>> "postgres", SSL off" | /usr/lib/lognorm/lognormalizer -r
>> /home/syslog/rules/postgresql.rb
>> { "msg": " no pg_hba.conf entry for host [local], user postgres, database
>> postgres, SSL off", "severity": "FATAL", "host": "local", "db":
>> "postgres",
>> "user": "postgres", "pid": "24873", "tz": "CEST", "time": "11:04:20.201",
>> "date": "2018-05-03" }
>>
>> and finally the output of rsyslog debug:
>>
>> Debug line with all properties:
>> FROMHOST: 'sc006692.domain', fromhost-ip: '127.0.0.1', HOSTNAME:
>> 'sc006692.domain', PRI: 155,
>> syslogtag 'docker_fluance-ehealthdb[1116]:', programname:
>> 'docker_fluance-ehealthdb', APP-NAME: 'docker_fluance-ehealthdb', PROCID:
>> '1116', MSGID: '-',
>> TIMESTAMP: 'May  3 11:04:20', STRUCTURED-DATA: '-',
>> msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local]
>> FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database
>> "postgres", SSL off'
>> escaped msg: ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres
>> [local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres",
>> database "postgres", SSL off'
>> inputname: imuxsock rawmsg: '<155>May  3 11:04:20
>> docker_fluance-ehealthdb[1116]: 2018-05-03 11:04:20.201 CEST [24873]
>> postgres@postgres [local] FATAL:  no pg_hba.conf entry for host
>> "[local]",
>> user "postgres", database "postgres", SSL off'
>> $!:
>> $.:
>> $/:
>>
>> On Wed, May 2, 2018 at 11:20 PM, David Lang <[email protected]> wrote:
>>
>>> Please post your rulebase and the output from RSYSLOG_DebugFormat so that
>>> we can look at a message that should be matched and what the ruleset for
>>> the match is.
>>>
>>> Odds are that there is something different in the message than you think
>>> it is, so your rule doesn't actually match.
>>>
>>>
>>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
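
Added example, not part of the original thread: a shell sketch of the quoting difference discussed above, showing which bytes each form of the test command actually puts on stdin. The function names are made up for illustration and the message is the sample line from the thread.

```shell
#!/bin/sh
# Constructed sample: the PostgreSQL line from the thread in three quoting forms.

# 1. Double-quoted, as in the first test. Each inner " closes or reopens the
#    shell string, so the quote characters are consumed by the shell. The bare
#    [local] is also left exposed as a glob pattern; it stays literal only
#    because no file name matches the whole word.
double_quoted() {
    echo " 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off"
}

# 2. Single-quoted: every byte between the quotes is passed through unchanged.
single_quoted() {
    printf '%s\n' ' 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off'
}

# 3. Quoted here-document: also safe when the message itself contains ' or $.
#    Paste the text of "msg:" from the rsyslog debug line between the markers.
heredoc() {
    cat <<'EOF'
 2018-05-03 11:04:20.201 CEST [24873] postgres@postgres [local] FATAL:  no pg_hba.conf entry for host "[local]", user "postgres", database "postgres", SSL off
EOF
}

# Count the double-quote characters that arrive on stdin.
count_dquotes() {
    tr -cd '"' | wc -c | tr -d ' '
}

echo "double-quoted echo: $(double_quoted | count_dquotes) quote characters"
echo "single-quoted:      $(single_quoted | count_dquotes) quote characters"
echo "here-document:      $(heredoc | count_dquotes) quote characters"

# To test a rulebase against the bytes rsyslog really received, pipe form 2 or 3
# into the normalizer, for example with the paths used in the thread:
#   heredoc | /usr/lib/lognorm/lognormalizer -r /home/syslog/rules/postgresql.rb
```
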
