FYI Found the problem. The listener used local ruleset, while the variables resided in RSYSLOG_DefaultRuleset. Moving the omfile action out of ruleset definition resolved the issue.
Reading sentence "As such, any modifications made to the message object (e.g. message or local variables that are set) or discarding of the message object have no effect outside that ruleset." on https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html make it more clear. -- Peter On Fri, Aug 9, 2019 at 2:51 PM Peter Viskup <[email protected]> wrote: > Running rsyslog 8.1901 on fresh Debian10 the $.localvars are not printed > in debug format. > Starting rsyslog by > /usr/sbin/rsyslogd -d -n -f /etc/rsyslog-2/rsyslog-lin.conf > Config files are processed without any error. > The message looks like this: > Debug line with all properties: > FROMHOST: 'hostname.domain', fromhost-ip: '10.1.1.3', HOSTNAME: > 'server-10.1.1.4', PRI: 86, > syslogtag 'sudo', programname: 'sudo', APP-NAME: 'sudo', PROCID: '-', > MSGID: '-', > TIMESTAMP: 'Aug 9 14:07:50', STRUCTURED-DATA: '[syslogTimes@29171 > 10.1.1.1="2019-08-09T14:07:50.497819+02:00"]', > msg: 'pam_unix(sudo:session): session closed for user root' > escaped msg: 'pam_unix(sudo:session): session closed for user root' > inputname: imtcp rawmsg: '<86>1 2019-08-09T14:07:50.497129+02:00 > server-10.1.1.4 sudo - - [syslogTimes@29171 > 10.1.1.3="2019-08-09T14:07:50.497819+02:00"] pam_unix(sudo:session): > session closed for user root' > $!: > $.: > $/: > > No local variables listed. Also all the variables used in templates are > empty. > Is there any known bug which might be related? What to check? Option > abortonuncleanconfig is enabled. > > Config snippets: > > /etc/rsyslog-2# cat rsyslog-lin.conf > # Include global configuration > $IncludeConfig /etc/rsyslog-2/global/*.conf > > # Include instance configuration > $IncludeConfig /etc/rsyslog-2/lin/*.conf > /etc/rsyslog-2# ls -la /etc/rsyslog-2/global/*.conf > -rw-r--r-- 1 root root 151 May 30 13:38 > /etc/rsyslog-2/global/00-stats.conf > -rw-r--r-- 1 root root 164 Jun 12 12:26 > /etc/rsyslog-2/global/01-global.conf > -rw-r--r-- 1 root root 69 May 30 13:46 > /etc/rsyslog-2/global/02-permissions.conf > -rw-r--r-- 1 root root 42 May 31 11:51 > /etc/rsyslog-2/global/03-modules.conf > -rw-r--r-- 1 root root 1026 Aug 9 10:22 > /etc/rsyslog-2/global/09-variables.conf > -rw-r--r-- 1 root root 3237 Aug 5 08:41 > /etc/rsyslog-2/global/10-templates.conf > /etc/rsyslog-2# cat /etc/rsyslog-2/global/09-variables.conf > # set local variables > set $.localip="1.1.1.3"; > set $.host=$$myhostname; > > $template > getOrigip,"%hostname:R,ERE,1,ZERO:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})--end%" > set $.origip=exec_template("getOrigip"); > if ( $.origip == "0" ) then { > if ( $fromhost-ip == "127.0.0.1" ) then { > set $.origip=$.localip; > } > else { > set $.origip=$fromhost-ip; > } > } > .... > > -- > Peter > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
