here is rsyslog config:

```

module(load="imfile")
module(load="mmnormalize")


input (
    type="imfile"
    File="/var/log/libvirt/qemu/*.log"
    Tag="qemu-kvm"
    Severity="info"
    ruleset="qemu_logs"
)

ruleset(name="qemu_logs") {
    action(type="mmnormalize" ruleset="/etc/rsyslog.d/qemu-kvm.rulebase" UseRawMsg="on")
    action(
        type="omfile"
        file="/var/log/libvirt/qemu.log"
        template="RSYSLOG_DebugFormat"
    )
}

```


rulebase:

```

version=2

# 2020-10-06T06:13:21.797593Z qemu-kvm: -chardev pty,id=charserial0: char device redirected to /dev/pts/3 (label charserial0)
rule=:%_tiemstamp:date-rfc5424% qemu-kvm: %_mesg:rest%

```


sample log input:

```

2020-10-06T06:13:21.797593Z qemu-kvm: -chardev pty,id=charserial0: char device redirected to /dev/pts/3 (label charserial0)

```


produced output:

```

Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'kvm-host.company.name', PRI: 134,
syslogtag 'qemu-kvm', programname: 'qemu-kvm', APP-NAME: 'qemu-kvm', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Oct  6 09:24:29', STRUCTURED-DATA: '-',
msg: '2020-10-06T06:13:21.797593Z qemu-kvm: -chardev pty,id=charserial0: char device redirected to /dev/pts/3 (label charserial0)'
escaped msg: '2020-10-06T06:13:21.797593Z qemu-kvm: -chardev pty,id=charserial0: char device redirected to /dev/pts/3 (label charserial0)'
inputname: imfile rawmsg: '2020-10-06T06:13:21.797593Z qemu-kvm: -chardev pty,id=charserial0: char device redirected to /dev/pts/3 (label charserial0)'
$!:{ "metadata": { "filename": "\/var\/log\/libvirt\/qemu\/vmNUMBER.log", "fileoffset": "31305" } }
$.:
$/:

```


raw log message parsed by lognormalizer.

```

$ echo '2020-10-06T06:13:21.797593Z qemu-kvm: -chardev pty,id=charserial0: char device redirected to /dev/pts/3 (label charserial0)' | lognormalizer -r /etc/rsyslog.d/qemu-kvm.rulebase
{ "_mesg": "-chardev pty,id=charserial0: char device redirected to \/dev\/pts\/3 (label charserial0)", "_tiemstamp": "2020-10-06T06:13:21.797593Z" }

```


my end goal is to extract several fields (mainly, timestamp) and forward it all to graylog via its GELF input. however, no matter what I do, additional fields do not appear anywhere.

how else could I debug this issue?

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog