Thanks David for the clarifications.

Regards,
Flo

On Fri, 15 May 2020 at 02:17, David Lang <[email protected]> wrote:
>
> the pre-defined properties are a bit odd for historical reasons.
>
> up until the new syntax was introduced in version 6, properties were all
> defined in the code, and used either in a template as %msg% or in a test as
> :msg, test, value action
>
> during this time, a second tier of properties were introduced that are not
> directly parsed from the messages, things like $day, and they got used in a
> template as %$day% or in a test as
> :$day, test, value action
>
> in version 6 the new syntax was introduced that allows you to have user
> defined variables, if statements, etc.
>
> so now we can do
> if $msg == 'foo' then action
> but you still do %msg% in the old template syntax (and nobody should be using
> the old test syntax :-) )
>
> this leads to odd things like
> if $$day == '1' then action
> because the property name is '$day'
> variables are
> $!foo
> $.foo
> $\foo
>
> where the $! and $. work the same way (they are separate so that you can
> include all of the $! namespace in a message while still being able to
> reference things in $. for metadata) and $\ is a much slower type that
> persists from message to message (so you can do things like send a message
> that sets a $\ variable to turn debug logging on and off by using
> if $\logdebug == 'y' then *=.debug /var/log/debug)
>
> hope this helps
>
> David Lang
>
> On Thu, 14 May 2020, Flo Rance via rsyslog wrote:
>
> > Date: Thu, 14 May 2020 16:09:13 +0200
> > From: Flo Rance via rsyslog <[email protected]>
> > To: rsyslog-users <[email protected]>
> > Cc: Flo Rance <[email protected]>
> > Subject: Re: [rsyslog] Clarification about rsyslog templates and dynafile2
> >     (configuration help)
> >
> > %%DAYS% ?
> >
> > On Tue, 12 May 2020 at 20:40, Soham Chakraborty via rsyslog
> > <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> I have a query regarding rsyslog template.
> >>
> >> Before I describe the problem let me explain the background. We are
> >> planning to receive logs from different networking equipment and
> >> firewall. Those logs will be sent over to two rsyslog servers which
> >> will in turn send them to splunk. We want to separate the logs as per
> >> the originating hostname and save in separate files in individual,
> >> separate directories.
> >>
> >> The following is an example of such configuration:
> >>
> >> # cat cyberark.conf
> >> input(type="imtcp" port="9514" ruleset="cyberark_logs")
> >> ruleset(name="cyberark_logs"
> >> queue.type="fixedArray"
> >> queue.size="250000"
> >> queue.dequeueBatchSize="4096"
> >> queue.workerThreads="4"
> >> queue.workerThreadMinimumMessages="60000"
> >>
> >> ) {
> >> $FileOwner splunk
> >> $FileGroup splunk
> >> $DirOwner splunk
> >> $DirGroup splunk
> >> $DirCreateMode 0755
> >> $FileCreateMode 0640
> >> $RulesetCreateMainQueue
> >> $Template
> >> Dynafile2,"/opt/data/syslog/cyberark/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
> >> *.*-?Dynafile2
> >> }
> >>
> >> 1) Now my confusion is about the template naming scheme. Right now all
> >> of the configurations have these lines:
> >>
> >> $Template Dynafile2,"FILEPATH_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
> >> *.*-?Dynafile2
> >>
> >> How can/should I change the names of the templates? Shall I make it like:
> >>
> >> $Template
> >> cyberark,"/opt/data/syslog/cyberark/%HOSTNAME%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
> >> *.*-?cyberark
> >>
> >> 2) Based on the above full configuration snippet, is there any
> >> modification that I can make so that the configuration is easier to
> >> read/understand? In other words, any improvement tips?
> >>
> >> Thanks,
> >> _______________________________________________
> >> rsyslog mailing list
> >> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
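
The split David describes between the `%property%` template form and the version 6 script form, applied to the configuration from the original question. This is an added example, not part of the thread and not the rsyslog project's own configuration; the template name `cyberark_file`, the local variable `$.src`, the empty-hostname check and the `secpath-replace` option on `%HOSTNAME%` are choices made for this example.

```rsyslog
# Added example: cyberark.conf from the question in the version 6+ syntax.
# Assumes the imtcp module is loaded elsewhere, as in the original file.

# Templates keep the %property% form. System properties keep their leading $
# inside the percent signs (%$YEAR%), exactly as in the legacy $Template line.
# HOSTNAME is taken from the received message, so secpath-replace turns any
# "/" in it into "_" before the value becomes a directory name.
template(name="cyberark_file" type="string"
    string="/opt/data/syslog/cyberark/%HOSTNAME:::secpath-replace%/asa_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log")

input(type="imtcp" port="9514" ruleset="cyberark_logs")

# The queue.* parameters give this ruleset its own queue, which is the job
# $RulesetCreateMainQueue did in the legacy form.
ruleset(name="cyberark_logs"
    queue.type="fixedArray"
    queue.size="250000"
    queue.dequeueBatchSize="4096"
    queue.workerThreads="4"
    queue.workerThreadMinimumMessages="60000"
) {
    # In script, a parsed property is written $name (a system property such
    # as $day would be $$day). $.src is a local variable (hypothetical name).
    set $.src = $hostname;

    # Illustrative check: without a hostname the path above would have an
    # empty directory component, so discard the message instead.
    if $.src == '' then {
        stop
    }

    # Replaces the $FileOwner/$DirOwner/... directives and "*.*-?Dynafile2".
    action(type="omfile" dynaFile="cyberark_file"
        fileOwner="splunk" fileGroup="splunk"
        dirOwner="splunk" dirGroup="splunk"
        dirCreateMode="0755" fileCreateMode="0640")
}
```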

