Thanks Flo -- turns out I just don't know how to use logger.  Still don't 
I guess.  The actual syslog stuff coming in via its sysloggy ways likes my 
new template and action just fine!  Thanks for your help!

> Sorry, I didn't test it with logger, but I've created a conf file in
> /etc/rsyslog.d and it works as expected with rsyslog 8.38.
> 
> $ sudo tail -f /var/log/jmtest.log
> 2018-11-27 09:06:01 Tue host.domain.fake CRON[11168]:  (root) CMD (command
> -v debian-sa1 > /dev/null && debian-sa1 -S XALL 60 1)
> 
> On Mon, Nov 26, 2018 at 7:53 PM Jason Marshall <[email protected]>
> wrote:
> 
> > > Remove all the "date-" in dateformat fields and it'll work as expected.
> > > e.g. dateformat="year"
> >
> > Thanks Flo (and sorry Rainer for opening a can of worms about the docs.
> > I find they are actually quite good, but the config file syntax changes
> > are confusing to me as someone who is exposed to the variations only when
> > something has broken :)
> >
> > Unfortunately, this suggestion from Flo does not seem to have fixed it,
> > though it did change the behavior in debug mode.
> >
> > Now it doesn't complain about the dateformat lines, but further down in
> > the debug I get this obscure error-looking thing for each of the
> > dateformats.  It seems fine with the literals in between each of them, and
> > it does appear to understand what I'm talking about when I say year vs
> > date-year, elsewhere in the debug output.
> >
> > 6186.270894269:main thread    : Template: Name='local1template'
> > 6186.270911262:main thread    :         Entry(558fe8bf95b0): type 2,
> > (FIELD), value: '2' [UNKNOWN eDateFormat 9]
> > 6186.270957237:main thread    :         Entry(558fe8bf9380): type 1,
> > (CONSTANT), value: '-'
> > 6186.270994908:main thread    :         Entry(558fe8bf9480): type 2,
> > (FIELD), value: '2' [UNKNOWN eDateFormat 10]
> > 6186.271031136:main thread    :         Entry(558fe8bf9670): type 1,
> > (CONSTANT), value: '-'
> > 6186.271064373:main thread    :         Entry(558fe8bf99a0): type 2,
> > (FIELD), value: '2' [UNKNOWN eDateFormat 11]
> > 6186.271103588:main thread    :         Entry(558fe8bf9730): type 1,
> > (CONSTANT), value: ' '
> > 6186.271138654:main thread    :         Entry(558fe8bf9830): type 2,
> > (FIELD), value: '2' [UNKNOWN eDateFormat 12]
> > 6186.271175680:main thread    :         Entry(558fe8bf9a60): type 1,
> > (CONSTANT), value: ':'
> > 6186.271209310:main thread    :         Entry(558fe8bf9d50): type 2,
> > (FIELD), value: '2' [UNKNOWN eDateFormat 13]
> > 6186.271257167:main thread    :         Entry(558fe8bf9b20): type 1,
> > (CONSTANT), value: ':'
> > 6186.271291628:main thread    :         Entry(558fe8bf9c20): type 2,
> > (FIELD), value: '2' [UNKNOWN eDateFormat 14]
> > 6186.271333814:main thread    :         Entry(558fe8bf9e10): type 1,
> > (CONSTANT), value: ' '
> > 6186.271367917:main thread    :         Entry(558fe8bfa100): type 2,
> > (FIELD), value: '2' [UNKNOWN eDateFormat 8]
> > 6186.271408596:main thread    :         Entry(558fe8bf9ed0): type 1,
> > (CONSTANT), value: ' '
> > 6186.271437108:main thread    :         Entry(558fe8bf9f90): type 2,
> > (FIELD), value: '3'
> > 6186.271477047:main thread    :         Entry(558fe8bfa1c0): type 1,
> > (CONSTANT), value: ' '
> > 6186.271511780:main thread    :         Entry(558fe8bfa4b0): type 2,
> > (FIELD), value: '4'
> > 6186.271543313:main thread    :         Entry(558fe8bfa280): type 1,
> > (CONSTANT), value: ' '
> > 6186.271578967:main thread    :         Entry(558fe8bfa340): type 2,
> > (FIELD), value: '1'
> > 6186.271614079:main thread    :         Entry(558fe8bfa570): type 1,
> > (CONSTANT), value: '
> > '
> >
> > This is what I have in my rsyslog.conf file now.  Perhaps I misinterpreted
> > your suggestion, or took something too literally that I should not have?
> >
> > template (name="local1template" type="list") {
> >     property(name="timereported" dateformat="year")
> >     constant(value="-")
> >     property(name="timereported" dateformat="month")
> >     constant(value="-")
> >     property(name="timereported" dateformat="day")
> >     constant(value=" ")
> >     property(name="timereported" dateformat="hour")
> >     constant(value=":")
> >     property(name="timereported" dateformat="minute")
> >     constant(value=":")
> >     property(name="timereported" dateformat="second")
> >     constant(value=" ")
> >     property(name="timereported" dateformat="wdayname")
> >     constant(value=" ")
> >     property(name="hostname")
> >     constant(value=" ")
> >     property(name="syslogtag")
> >     constant(value=" ")
> >     property(name="msg")
> >     constant(value="\n")
> > }
> >
> > local1.*        action(type="omfile" file="/var/log/jmtest.log"
> > template="local1template")
> >
> > Oh, it's just dawned on me that I am actually testing this with 'logger'
> > and for all I know that's not actually providing a timestamp to rsyslog at
> > all.  I'll test that with timegenerated (which I think is supplied by
> > rsyslog itself and not parsed from the client)...  Not much difference.  I
> > can post that debug output, too, but don't want to muddy the waters...
> >
> > ---
> > Jason Marshall
> > Katalyst Data Management
> > www.katalystdm.com | www.seismiczone.com
> >
> >
> > >
> > > On Fri, Nov 23, 2018 at 11:43 PM Jason Marshall <[email protected]>
> > > wrote:
> > >
> > > > Hi all, I'm sure I'm doing something stupid that's causing this not to
> > > > work.
> > > >
> > > > I am trying to format the logs coming in on local1.info so that they
> > are
> > > > saved in a separate file, and have a custom date-stamp vs the other
> > logs
> > > > that are being written to other files.
> > > >
> > > > I am using rsyslog v8.24 on CentOS 7.5 if this is correct:
> > > >
> > > > # rpm -qa |grep rsyslog
> > > > rsyslog-8.24.0-16.el7_5.4.x86_64
> > > >
> > > > Here is my template:
> > > >
> > > > template (name="local1template" type="list") {
> > > >     property(name="timereported" dateformat="date-year")
> > > >     constant(value="-")
> > > >     property(name="timereported" dateformat="date-month")
> > > >     constant(value="-")
> > > >     property(name="timereported" dateformat="date-day")
> > > >     constant(value=" ")
> > > >     property(name="timereported" dateformat="date-hour")
> > > >     constant(value=":")
> > > >     property(name="timereported" dateformat="date-minute")
> > > >     constant(value=":")
> > > >     property(name="timereported" dateformat="date-second")
> > > >     constant(value=" ")
> > > >     property(name="timereported" dateformat="date-wdayname")
> > > >     constant(value=" ")
> > > >     property(name="hostname")
> > > >     constant(value=" ")
> > > >     property(name="syslogtag")
> > > >     constant(value=" ")
> > > >     property(name="msg")
> > > >     constant(value="\n")
> > > > }
> > > >
> > > > and my binding:
> > > >
> > > > local1.*        action(type="omfile" file="/var/log/jmtest.log"
> > > > template="local1template")
> > > >
> > > > When I restart rsyslogd, I either get nothing logged from local1.info,
> > or
> > > > it falls through to the 'messages' file.
> > > >
> > > > When I run rsyslogd in debug mode, it complains that it doesn't like
> > > > 'dateformat="date-year"'.  I commented out that part, and it then
> > > > complained about 'dateformat="date-month"'.
> > > >
> > > > It's very unclear to me what I should be putting in this template.
> > It's
> > > > also unclear whether I'm going about this correctly at all.  Should I
> > be
> > > > using the property-replacer instead somehow?  How would that even work
> > > > here?
> > > >
> > > > Thanks everyone, sorry if this is in the doc somewhere, but if it is I
> > > > haven't been able to find (or perhaps recognize) it.
> > > >
> > > > ---
> > > > Jason Marshall
> > > > Katalyst Data Management
> > > > www.katalystdm.com | www.seismiczone.com
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com/professional-services/
> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > myriad
> > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > > > DON'T LIKE THAT.
> > > >
> >
> > ---
> > Jason Marshall
> > Director, Information Technology
> > Katalyst Data Management
> > Direct: +1 403 294 7557
> > www.katalystdm.com | www.seismiczone.com
> 

---
Jason Marshall
Katalyst Data Management
www.katalystdm.com | www.seismiczone.com
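
Added example, not part of the original thread or of rsyslog itself: a small lint that applies the fix quoted above ("remove all the date- in dateformat fields") to a config file, reporting each `property()` statement in a list template whose `dateformat` still carries the `date-` prefix. The function name and the shortened sample config are constructed for illustration.

```python
import re

# Constructed sample: the first template from the thread, shortened,
# with one dateformat already corrected and one still prefixed.
SAMPLE_CONF = '''\
template (name="local1template" type="list") {
    property(name="timereported" dateformat="date-year")
    constant(value="-")
    property(name="timereported" dateformat="month")
    constant(value=" ")
    property(name="msg")
}
local1.*  action(type="omfile" file="/var/log/jmtest.log" template="local1template")
'''

TEMPLATE_RE = re.compile(r'^\s*template\s*\(\s*name="([^"]+)"')
PROPERTY_RE = re.compile(r'property\s*\(([^)]*)\)')
DATEFORMAT_RE = re.compile(r'dateformat\s*=\s*"([^"]*)"', re.IGNORECASE)


def lint_dateformats(conf_text):
    """Return (line_no, template_name, found_value, suggested_value) for every
    property() statement whose dateformat value starts with "date-"."""
    findings = []
    current = None  # name of the template block being read, if any
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        m = TEMPLATE_RE.match(line)
        if m:
            current = m.group(1)
        for prop in PROPERTY_RE.finditer(line):
            df = DATEFORMAT_RE.search(prop.group(1))
            if df and df.group(1).lower().startswith("date-"):
                value = df.group(1)
                findings.append((line_no, current, value, value[len("date-"):]))
        if current and line.strip() == "}":
            current = None  # end of the template block
    return findings


if __name__ == "__main__":
    for line_no, tpl, bad, good in lint_dateformats(SAMPLE_CONF):
        print(f'line {line_no}: template {tpl!r}: '
              f'dateformat="{bad}" -> dateformat="{good}"')
```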