please craft an example log and what you want the result to look like.

David Lang

On Thu, 20 Feb 2020, Amila Dias wrote:

Date: Thu, 20 Feb 2020 11:19:56 +0000
From: Amila Dias <[email protected]>
To: Amila Dias via rsyslog <[email protected]>,
    Patrick Leung <[email protected]>, David Lang <[email protected]>
Subject: Re: [rsyslog] rsyslog journald filtering

Hi All,

I got the variable / input name that sets up the custom token through a similar 
debug example thanks to Patrick and that variable / input is called 
STRUCTURED-DATA. Since I'm not that familiar with custom templates I did the 
standard template with %STRUCTURED-DATA% as the log file name and it shows our 
cloud app instances belonging to us and our customers separately with each log 
file labeled with the custom token ID.

The template I used is this:

$template RemoteSource, "/var/log/cloud-app-name/%FROMHOST-IP%/%STRUCTURED-DATA%.log"
*.* ?RemoteSource


But what I actually want is for the variable / input name STRUCTURED-DATA to 
display the custom token just inside the 
/var/log/cloud-app-name/%FROMHOST-IP%.log

Any suggestion on how to set up the template?


Rgds,

Amila.
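
A sketch of the layout asked about above, added here as an example and not taken from any poster's configuration: the file name is built only from the sender IP, and the token is written inside each line. It assumes "inside" means in every record; the template names PerHostFile, LineWithToken and PerTokenFile are made up for the illustration.

```rsyslog
# Added example, not from the thread. Template names are hypothetical.

# File name: only the sender address, which rsyslog derives from the
# connection itself rather than from anything the sender writes.
template(name="PerHostFile" type="string"
         string="/var/log/cloud-app-name/%FROMHOST-IP%.log")

# Line format: the stock file format with STRUCTURED-DATA (the custom
# token) added between the tag and the message text.
template(name="LineWithToken" type="string"
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %STRUCTURED-DATA%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# Equivalent of the legacy "*.* ?RemoteSource" line, with an explicit
# line format so the token ends up in the record, not in the path.
action(type="omfile" dynaFile="PerHostFile" template="LineWithToken")

# Variant for keeping the token in the path, as in the original
# RemoteSource template: STRUCTURED-DATA is text supplied by the sender,
# so the secpath-replace option turns any "/" in it into "_" before the
# value is used as a file name.
template(name="PerTokenFile" type="string"
         string="/var/log/cloud-app-name/%FROMHOST-IP%/%STRUCTURED-DATA:::secpath-replace%.log")
```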
________________________________
From: rsyslog <[email protected]> on behalf of Amila Dias via rsyslog 
<[email protected]>
Sent: 20 February 2020 06:59
To: David Lang via rsyslog <[email protected]>; Patrick Leung 
<[email protected]>
Cc: Amila Dias <[email protected]>
Subject: Re: [rsyslog] rsyslog journald filtering

Hi David and Patrick,


Thanks a lot for your inputs and thoughts on how to resolve the custom token 
issue that we're having with rsyslog. Let me try your suggestions and get back 
to you.


Rgds,

Amila.
________________________________
From: rsyslog <[email protected]> on behalf of David Lang via rsyslog 
<[email protected]>
Sent: 19 February 2020 23:55
To: Patrick Leung <[email protected]>
Cc: David Lang <[email protected]>; Patrick Leung via rsyslog 
<[email protected]>
Subject: Re: [rsyslog] rsyslog journald filtering

Set up a short test where you turn off imuxsock and only have imjournal, then log
everything with the debug format so that you can see what an imjournal message
looks like.

David Lang

 On Wed, 19 Feb 2020, Patrick Leung wrote:

Date: Wed, 19 Feb 2020 17:46:59 +0000 (UTC)
From: Patrick Leung <[email protected]>
To: David Lang <[email protected]>
Cc: Patrick Leung via rsyslog <[email protected]>
Subject: Re: [rsyslog] rsyslog journald filtering

Hi,
Looks like the "/etc/rsyslog.d/custom-rsyslog.conf" in my previous email response has the "else-if" 
clause missed (somehow). It checks for "imuxsock" and then "imjournal" and logs accordingly as you 
suggested:
if ( $inputname == "imuxsock") then {
    action(type="omfile" ...)
} else if ( $inputname == "imjournal" ) then {
    action(type="omfile" file="/var/log/syslog/imjournal.log"
           template="RSYSLOG_DebugFormat")
}

The problem I've been facing is that there are NO imjournal logs being filed.
I tried also having rsyslog.conf that loads and uses imjournal/mmjsonparse only 
(no *.conf include), NO logs have been filed as well. I am trying to figure out 
why there is no imjournal log, then the next step is to examine the meta-data 
and build the filters.

I assume imjournal is working in rsyslog_v8.1903, and (even though it is not project 
supported AFAIK) there is still development happening in imjournal plug-in 
(https://github.com/rsyslog/rsyslog/commits/master/plugins/imjournal/imjournal.c).

Thanks,
Patrick


On Wednesday, February 19, 2020, 05:47:21 a.m. EST, David Lang <[email protected]> 
wrote:





On Wed, 19 Feb 2020, Patrick Leung wrote:

Hi,
Sorry about the illegible config file content. Please allow me to try again. My system is using 
rsyslog_8.1903 from Yocto meta-openembedded/warrior that has systemd-journald_v241 forward to 
syslog. "/etc/rsyslog.conf" includes a custom rsyslog configuration 
"/etc/rsyslog.d/custom-rsyslog.conf". Please see below the configuration files.

Given these configuration files, I obtain ONLY logging entries from imuxsock. The 
"RSYSLOG_DebugFormat" gives me the syslog message, e.g.

Debug line with all properties:
FROMHOST: 'xxx', fromhost-ip: '127.0.0.1', HOSTNAME: 'xxx', PRI: 30,
syslogtag 'systemd[1]:', programname: 'systemd', APP-NAME: 'systemd', PROCID: 
'1', MSGID: '-',
TIMESTAMP: 'Feb 18 16:17:16', STRUCTURED-DATA: '-',
msg: ' Started machine-id persistence.'
escaped msg: ' Started machine-id persistence.'
inputname: imuxsock rawmsg: '<30>Feb 18 16:17:16 systemd[1]: Started machine-id 
persistence.'
$!:{ "msg": "Started machine-id persistence." }
$.:
$/:

I would like to craft a rsyslog configuration such that both imuxsock and 
imjournal are used, and I will have a filtering based on the meta data in 
structured journald log fetched from imjournal.

Ok, now set up a similar thing for a log you get from imjournal and look at the
different properties that you get.

I would suggest that you look at what inputname is for each one, that will
probably work for your filtering.

David Lang


I hope the given information clarifies my approach.


Thanks,
Patrick
==============================
[/etc/rsyslog.conf]
module(load="imuxsock"
  SysSock.Use="on"
  SysSock.Name="/run/systemd/journal/syslog")

module(load="builtin:omfile"
  dirCreateMode="0755"
  fileCreateMode="0640")

module(load="mmjsonparse")
action(type="mmjsonparse")

# Set the default permissions
$FileOwner syslog
$FileGroup syslog
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

include(file="/etc/rsyslog.d/*.conf" mode="required")

==============================

[/etc/rsyslog.d/custom-rsyslog.conf]
module(load="imjournal" PersistStateInterval="100")
action(type="mmjsonparse")
if ( $inputname == "imuxsock" ) then {
    action(type="omfile" file="/var/log/syslog/imuxsock.log"
           template="RSYSLOG_DebugFormat")
} else if ( $inputname == "imjournal" ) then {
    action(type="omfile" file="/var/log/syslog/imjournal.log"
           template="RSYSLOG_DebugFormat")
}
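
One way to take the next step described above, filtering imjournal messages on journald metadata, shown as an added example that is not from the thread. The unit name sshd.service and the output file names are constructed for the illustration.

```rsyslog
# Added example, not from the thread. Unit and file names are constructed.

module(load="imjournal" PersistStateInterval="100")

if ( $inputname == "imjournal" ) then {
    # imjournal exposes the journald fields of each entry under the $!
    # tree. Fields whose names start with an underscore (_SYSTEMD_UNIT,
    # _UID, _PID, ...) are added by journald itself and cannot be set by
    # the logging process; fields without the underscore, such as
    # SYSLOG_IDENTIFIER, are whatever the process chose to send. Route on
    # the underscore fields when the routing decision matters.
    if ( $!_SYSTEMD_UNIT == "sshd.service" ) then {
        action(type="omfile" file="/var/log/syslog/sshd-journal.log"
               template="RSYSLOG_DebugFormat")
    } else {
        action(type="omfile" file="/var/log/syslog/imjournal.log"
               template="RSYSLOG_DebugFormat")
    }
} else if ( $inputname == "imuxsock" ) then {
    action(type="omfile" file="/var/log/syslog/imuxsock.log"
           template="RSYSLOG_DebugFormat")
}
```

RSYSLOG_DebugFormat prints the `$!` tree at the end of each record, so the imjournal file shows which fields are available to filter on.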


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.