the pre-defined properties are a bit odd for historical reasons.
up until the new syntax was introduced in version 6, properties were all defined
in the code, and used either in a template as %msg% or in a test as
:msg, test, value action
during this time, a second tier of properties was introduced that are not
directly parsed from the messages, things like $day, and they got used in a
template as %$day% or in a test as
:$day, test, value action
in version 6 the new syntax was introduced that allows you to have user defined
variables, if statements, etc.
so now we can do
if $msg == 'foo' then action
but you still do %msg% in the old template syntax (and nobody should be using
the old test syntax :-) )
this leads to odd things like
if $$day == '1' then action
because the property name is '$day'
variables are
$!foo
$.foo
$\foo
where the $! and $. work the same way (they are separate so that you can include
all of the $! namespace in a message while still being able to reference things
in $. for metadata) and $\ is a much slower type that persists from message to
message (so you can do things like send a message that sets a $\ variable to
turn debug logging on and off by using if $\logdebug == 'y' then *=.debug
/var/log/debug)
hope this helps
David Lang
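The three namespaces David lists, plus the %property% / $property / $$day spellings, put into one configuration that can be loaded as-is. This is an added example and not part of David's message or of the rsyslog project's own files: the listening port, file paths, the LOGDEBUG=ON/OFF marker strings and the variable names are assumptions, and the persistent global namespace is written with the $/ prefix used in the rsyslog RainerScript documentation.

```rsyslog
# Added example (not from the mailing-list post or the rsyslog project):
# the property and variable namespaces in rsyslog's RainerScript syntax.
# Port, paths, marker strings and variable names are assumptions.

module(load="imtcp")
input(type="imtcp" port="10514" ruleset="demo")

# %property% template syntax: a parsed property is %msg%, a derived
# property such as $day is %$day% (the dollar sign is part of its name).
template(name="debug_line" type="string"
         string="%timegenerated% %hostname% day=%$day% %msg%\n")

# List template mixing a local variable ($.) with the whole message
# variable ($!) namespace; $!all-json serialises $! and nothing from $.
template(name="main_line" type="list") {
    property(name="timegenerated")
    constant(value=" ")
    property(name="hostname")
    constant(value=" route=")
    property(name="$.route")
    constant(value=" ")
    property(name="$!all-json")
    constant(value="\n")
}

ruleset(name="demo") {
    # RainerScript: a parsed property is $msg; the derived property is
    # literally named "$day", so it is written $$day.
    if $$day == "01" then {
        set $.route = "month-start";
    } else {
        set $.route = "normal";
    }

    # $! variables ride along with the message and land in $!all-json.
    set $!tag = $syslogtag;
    set $!sev = $syslogseverity-text;

    # $/ variables persist from message to message, so one control
    # message can switch debug logging on and a later one switch it off
    # (the LOGDEBUG=... markers are assumed, not an rsyslog convention).
    if $msg contains "LOGDEBUG=ON" then {
        set $/logdebug = "y";
    }
    if $msg contains "LOGDEBUG=OFF" then {
        set $/logdebug = "n";
    }

    if $/logdebug == "y" and $syslogseverity == 7 then {
        action(type="omfile" file="/var/log/demo-debug.log"
               template="debug_line")
    }

    action(type="omfile" file="/var/log/demo.log" template="main_line")
}
```

Validate it without starting the daemon with `rsyslogd -N1 -f <file>`. One caveat on the $/ trick: because the flag is flipped by message content, anyone who can reach the input port can switch the debug file on or off, so in practice gate the set statements on $fromhost-ip or move them to a ruleset bound to a trusted-only input.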
On Thu, 14 May 2020, Flo Rance via rsyslog wrote:
Date: Thu, 14 May 2020 16:09:13 +0200
From: Flo Rance via rsyslog <[email protected]>
To: rsyslog-users <[email protected]>
Cc: Flo Rance <[email protected]>
Subject: Re: [rsyslog] Clarification about rsyslog templates and dynafile2 (configuration help)
%%DAYS% ?
On Tue, 12 May 2020 at 20:40, Soham Chakraborty via rsyslog
<[email protected]> wrote:
Hi,
I have a query regarding rsyslog template.
Before I describe the problem let me explain the background. We are
planning to receive logs from different networking equipment and
firewall. Those logs will be sent over to two rsyslog servers which
will in turn send them to splunk. We want to separate the logs as per
the originating hostname and save in separate files in individual,
separate directories.
The following is an example of such configuration:
# cat cyberark.conf
input(type="imtcp" port="9514" ruleset="cyberark_logs")
ruleset(name="cyberark_logs"
        queue.type="fixedArray"
        queue.size="250000"
        queue.dequeueBatchSize="4096"
        queue.workerThreads="4"
        queue.workerThreadMinimumMessages="60000"
) {
    $FileOwner splunk
    $FileGroup splunk
    $DirOwner splunk
    $DirGroup splunk
    $DirCreateMode 0755
    $FileCreateMode 0640
    $RulesetCreateMainQueue
    $Template Dynafile2,"/opt/data/syslog/cyberark/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
    *.*-?Dynafile2
}
1) Now my confusion is about the template naming scheme. Right now all
of the configurations have these lines:
$Template Dynafile2,"FILEPATH_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
*.*-?Dynafile2
How can/should I change the names of the templates? Shall I make it like:
$Template cyberark,"/opt/data/syslog/cyberark/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
*.*-?cyberark
2) Based on the above full configuration snippet, is there any
modification that I can make so that the configuration is easier to
read/understand? In other words, any improvement tips?
Thanks,
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
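The cyberark.conf above, rewritten in the newer template()/action() syntax with a template name that says what it is for, as an added example that is not part of the thread or of the rsyslog project. The port, directory, template string and queue settings come from Soham's post; the module load line, the dynaFileCacheSize value and the secpath-replace property option are assumptions added here.

```rsyslog
# Added example: the cyberark.conf from the post in rsyslog's newer syntax.
# Port, paths and queue sizes are from the post; module loading, the cache
# size and secpath-replace are additions for illustration.

module(load="imtcp")
input(type="imtcp" port="9514" ruleset="cyberark_logs")

# One template per log source, named after the source instead of
# "Dynafile2", so the action that uses it reads as documentation.
# The hostname in the path is supplied by the remote sender; the
# secpath-replace option turns any "/" in it into "_" so a sender cannot
# steer its file out of the cyberark directory.
template(name="cyberark_file" type="string"
         string="/opt/data/syslog/cyberark/%hostname:::secpath-replace%/asa_%$year%-%$month%-%$day%-%$hour%.log")

ruleset(name="cyberark_logs"
        queue.type="fixedArray"
        queue.size="250000"
        queue.dequeueBatchSize="4096"
        queue.workerThreads="4"
        queue.workerThreadMinimumMessages="60000") {

    # The legacy $FileOwner / $DirCreateMode / ... directives become
    # parameters of the one action that needs them, so they cannot leak
    # into other rulesets loaded from the same configuration.
    action(type="omfile"
           dynaFile="cyberark_file"
           dynaFileCacheSize="64"
           fileOwner="splunk" fileGroup="splunk"
           dirOwner="splunk"  dirGroup="splunk"
           dirCreateMode="0755" fileCreateMode="0640")
}
```

Keeping one template and one action per source (cyberark_file here, a differently named pair for the next device class) answers the naming question without changing the on-disk layout; `rsyslogd -N1 -f cyberark.conf` checks the file before it is dropped into place.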