Re: [rsyslog] $SpaceLFOnReceive - how to use in if statement for one $programname - issue is SpaceLFOnReceive applies regardless of $programname

Thu, 05 Jan 2023 09:18:04 -0800 

No, that is a universal parser directive.
One thing that's confusing about rsyslog configs is that there are two types of things that are in the config 

1. things processed at startup to configure rsyslog

2. things processed per message to manipulate that message


it doesn't matter where in the config you put the startup items, they all get 
processed at startup time.



by the time you are processing the message, directives like this one have or 
have not already had their effect (they are things that happen as the message is 
being parsed, before you know anything about it)



can you give us an example of a message that you are having problems with? 
Ideally the rawmsg as shown by the RSYSLOG_DebugFormat template


David Lang

On Thu, 5 Jan 2023, Morgan Cox via rsyslog wrote:


Date: Thu, 5 Jan 2023 17:07:57 +0000
From: Morgan Cox via rsyslog <[email protected]>
To: [email protected]
Cc: Morgan Cox <[email protected]>
Subject: [rsyslog] $SpaceLFOnReceive - how to use in if statement for one
    $programname - issue is SpaceLFOnReceive applies regardless of
    $programname

Hi.

Wondering if anyone can help


I forward all syslog messages (linux) using (syslog server ip has been 
removed.)


if $fromhost-ip == '127.0.0.1' then @syslogserverip:514

And this works.

However, I am trying to send Aide check output via syslog using systemd-cat


I have an issue with spacing, etc (i.e I see #012 all over the output on 
remote server)


The solution is to use

$SpaceLFOnReceive on

This fixes the #012 issue.


However I didn't want to set this globally so I have created if 
statements in rsyslog conf



e.g

if $fromhost-ip == '127.0.0.1' and $programname != 'aide' then {
   @syslogserverip:514
}

if $programname == 'aide' then {
   $SpaceLFOnReceive on
   @syslogserverip:514
}


The if statement works - apart from the $SpaceLFOnReceive on part


e.g if I enable $SpaceLFOnReceive on  in the 2nd if statement it applies 
to anything



i.e I have tested replacing $programname with sshd in both if statements 
but $SpaceLFOnReceive on is enabled if I use any service.



If there a way to make $SpaceLFOnReceive apply to just a specified 
$programname ?



Thanks




_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.





















					Reply via email to