El lun., 26 nov. 2018 a las 19:53, Jason Marshall (<[email protected]>) escribió: > > > Remove all the "date-" in dateformat fields and it'll work as expected. > > e.g. dateformat="year" > > Thanks Flo (and sorry Rainer for opening a can of worms about the docs. > I find they are actually quite good, but the config file syntax changes > are confusing to me as someone who is exposed to the variations only when > something has broken :) > > Unfortunately, this suggestion from Flo does not seem to have fixed it, > though it did change the behavior in debug mode. > > Now it doesn't complain about the dateformat lines, but further down in > the debug I get this obscure error-looking thing for each of the > dateformats. It seems fine with the literals in between each of them, and > it does appear to understand what I'm talking when I say year vs > date-year, elsewhere in the debug output. > > 6186.270894269:main thread : Template: Name='local1template' > 6186.270911262:main thread : Entry(558fe8bf95b0): type 2, (FIELD), > value: '2' [UNKNOWN eDateFormat 9] > 6186.270957237:main thread : Entry(558fe8bf9380): type 1, > (CONSTANT), value: '-' > 6186.270994908:main thread : Entry(558fe8bf9480): type 2, (FIELD), > value: '2' [UNKNOWN eDateFormat 10] > 6186.271031136:main thread : Entry(558fe8bf9670): type 1, > (CONSTANT), value: '-' > 6186.271064373:main thread : Entry(558fe8bf99a0): type 2, (FIELD), > value: '2' [UNKNOWN eDateFormat 11] > 6186.271103588:main thread : Entry(558fe8bf9730): type 1, > (CONSTANT), value: ' ' > 6186.271138654:main thread : Entry(558fe8bf9830): type 2, (FIELD), > value: '2' [UNKNOWN eDateFormat 12] > 6186.271175680:main thread : Entry(558fe8bf9a60): type 1, > (CONSTANT), value: ':' > 6186.271209310:main thread : Entry(558fe8bf9d50): type 2, (FIELD), > value: '2' [UNKNOWN eDateFormat 13] > 6186.271257167:main thread : Entry(558fe8bf9b20): type 1, > (CONSTANT), value: ':' > 6186.271291628:main thread : Entry(558fe8bf9c20): type 2, (FIELD), > value: '2' [UNKNOWN eDateFormat 14] > 6186.271333814:main thread : Entry(558fe8bf9e10): type 1, > (CONSTANT), value: ' ' > 6186.271367917:main thread : Entry(558fe8bfa100): type 2, (FIELD), > value: '2' [UNKNOWN eDateFormat 8] > 6186.271408596:main thread : Entry(558fe8bf9ed0): type 1, > (CONSTANT), value: ' ' > 6186.271437108:main thread : Entry(558fe8bf9f90): type 2, (FIELD), > value: '3' > 6186.271477047:main thread : Entry(558fe8bfa1c0): type 1, > (CONSTANT), value: ' ' > 6186.271511780:main thread : Entry(558fe8bfa4b0): type 2, (FIELD), > value: '4' > 6186.271543313:main thread : Entry(558fe8bfa280): type 1, > (CONSTANT), value: ' ' > 6186.271578967:main thread : Entry(558fe8bfa340): type 2, (FIELD), > value: '1' > 6186.271614079:main thread : Entry(558fe8bfa570): type 1, > (CONSTANT), value: ' > '
The "UNKOWN" are indeed an issue, but just a cosmetic one with debug output. All is well here. FIx: https://github.com/rsyslog/rsyslog/pull/3317 > > This is what I have in my rsyslog.conf file now. Perhaps I misinterpreted > your suggestion, or took something too literally that I should not have? > > template (name="local1template" type="list") { > property(name="timereported" dateformat="year") > constant(value="-") > property(name="timereported" dateformat="month") > constant(value="-") > property(name="timereported" dateformat="day") > constant(value=" ") > property(name="timereported" dateformat="hour") > constant(value=":") > property(name="timereported" dateformat="minute") > constant(value=":") > property(name="timereported" dateformat="second") > constant(value=" ") > property(name="timereported" dateformat="wdayname") > constant(value=" ") > property(name="hostname") > constant(value=" ") > property(name="syslogtag") > constant(value=" ") > property(name="msg") > constant(value="\n") > } > > local1.* action(type="omfile" file="/var/log/jmtest.log" > template="local1template") > > Oh, it's just dawned on me that I am actually testing this with 'logger' > and for all I know that's not actually providing a timestamp to rsyslog at > all. I'll test that with timegenerated (which I think is supplied by > rsyslog itself and not parsed from the client)... Not much difference. I > can post that debug output, too, but don't want to muddy the waters... A debug log would be useful. I suggest to put it on something like pastebin. Rainer > > --- > Jason Marshall > Katalyst Data Management > www.katalystdm.com | www.seismiczone.com > > > > > > On Fri, Nov 23, 2018 at 11:43 PM Jason Marshall <[email protected]> > > wrote: > > > > > Hi all, I'm sure I'm doing something stupid that's causing this not to > > > work. > > > > > > I am trying to format the logs coming in on local1.info so that they are > > > saved in a separate file, and have a custom date-stamp vs the other logs > > > that are being written to other files. > > > > > > I am using rsyslog v8.24 on CentOS 7.5 if this is correct: > > > > > > # rpm -qa |grep rsyslog > > > rsyslog-8.24.0-16.el7_5.4.x86_64 > > > > > > Here is my template: > > > > > > template (name="local1template" type="list") { > > > property(name="timereported" dateformat="date-year") > > > constant(value="-") > > > property(name="timereported" dateformat="date-month") > > > constant(value="-") > > > property(name="timereported" dateformat="date-day") > > > constant(value=" ") > > > property(name="timereported" dateformat="date-hour") > > > constant(value=":") > > > property(name="timereported" dateformat="date-minute") > > > constant(value=":") > > > property(name="timereported" dateformat="date-second") > > > constant(value=" ") > > > property(name="timereported" dateformat="date-wdayname") > > > constant(value=" ") > > > property(name="hostname") > > > constant(value=" ") > > > property(name="syslogtag") > > > constant(value=" ") > > > property(name="msg") > > > constant(value="\n") > > > } > > > > > > and my binding: > > > > > > local1.* action(type="omfile" file="/var/log/jmtest.log" > > > template="local1template") > > > > > > When I restart rsyslogd, I eithe get nothing logged from local1.info, or > > > it falls through to the 'messages' file. > > > > > > When I run rsyslogd in debug mode, it complains that it doesn't like > > > 'dateformat="date-year"'. I commented out that part, and it then > > > complained about 'dateformat="date-month"'. > > > > > > It's very unclear to me what I should be putting in this template. It's > > > also unclear whether I'm going about this correctly at all. Should I be > > > using the property-replacer instead somehow? How would that even work > > > here? > > > > > > Thanks everyone, sorry if this is in the doc somewhere, but if it is I > > > haven't been able to find (or perhaps recognize) it. > > > > > > --- > > > Jason Marshall > > > Katalyst Data Management > > > www.katalystdm.com | www.seismiczone.com > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > > DON'T LIKE THAT. > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > > LIKE THAT. > > > > --- > Jason Marshall > Director, Information Technology > Katalyst Data Management > Direct: +1 403 294 7557 > www.katalystdm.com | www.seismiczone.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
