Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread mosto...@gmail.com
Thanks David. It helped (sadly it arrived 2 hours late :P). I'm now dealing with setting a variable with timestamp:::date-rfc5424 format. On 01/12/16 at 15:57, Dave Caplinger wrote: Try: set $!data!foo = $programname; As far as I know, rainerscript can't inject variables/properties into

[rsyslog] Segfault with rsyslog 8.23.0 on RHEL 7.2

2016-12-01 Thread Virili V.
Hi all, I am experiencing a segmentation fault when I start rsyslog on all my RHEL 7.2 machines. The issue appears even if I use the default /etc/rsyslog.conf file. This is an extract of the debug file; is it enough to presume it might be caused by cloud-init? processBATCH: next msg 3:

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Dave Caplinger
Try: set $!data!foo = $programname; As far as I know, rainerscript can't inject variables/properties into string literals directly; so if you really want to use string concatenation do this: set $!data!foo = "this_might_work_better_" & $programname; If you want to get any more complex

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread mosto...@gmail.com
After a meal, as usually happens, those quotes sparkled. Doesn't the rsyslog conf grammar allow that either? (e.g.: set $!data!foo="this_doesnt_seem_to_work_$programname";) On 01/12/16 at 14:57, mosto...@gmail.com wrote: This worked, but I have lost 2 hours and still don't see where's

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread mosto...@gmail.com
This worked, but I have lost 2 hours and still don't see where the evil is. Works: module(load="omrelp") ruleset(name="relp") { set $!data!group=field($programname,47,1); set $!data!msg=$msg; action( action.reportSuspension="on"
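
Added example (not code from the thread): the two assignment forms Dave contrasts in his reply, plus the field() split from the working ruleset above, written out as a complete RELP ruleset. The imrelp port, the output path and the property names under $!data are illustrative.

```rainerscript
# Added example, not code from the thread. Port, output path and the
# property names under $!data are illustrative.
module(load="imrelp")

# Emit the $!data JSON subtree, one record per line.
template(name="t_data_json" type="list") {
    property(name="$!data")
    constant(value="\n")
}

ruleset(name="relp") {
    # Wrong: rainerscript does not expand a property inside a string literal,
    # so $!data!wrong ends up holding the literal text "prefix_$programname".
    set $!data!wrong = "prefix_$programname";

    # Right: build the string with the & concatenation operator.
    set $!data!foo = "prefix_" & $programname;

    # field(str, delimiter, n): delimiter 47 is ASCII "/", n=1 selects the
    # text before the first "/", so a programname of "postfix/smtpd"
    # yields the group "postfix".
    set $!data!group = field($programname, 47, 1);
    set $!data!msg = $msg;

    action(type="omfile" file="/var/log/relp-data.json" template="t_data_json")
}

# Bind the RELP listener to the ruleset above.
input(type="imrelp" port="2514" ruleset="relp")
```

Validate before starting the daemon with `rsyslogd -N1 -f <file>`; as Rainer notes further down the thread, a single parse error elsewhere in the config can make unrelated statements appear not to work.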

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Rainer Gerhards
You can save time by ensuring that the config file is error-free before you try out anything. As long as there is at least one error, you never know what that error affects (well, you can know, but then you need to be deep into the architecture). It's the same thing as with compiler error

[rsyslog] filters question

2016-12-01 Thread Swartz, Patrick
Hello, Confession... I'm still learning rsyslog after many years of working with syslog-ng. I'm using rsyslog-8.4.0-8.3 on a SLES12.1 system and am trying to capture my ESXi host logs. Here is my current filter for those: cat /etc/rsyslog.d/ESXi.conf template(name="ESXi_app" type="string"

Re: [rsyslog] Segfault with rsyslog 8.23.0 on RHEL 7.2

2016-12-01 Thread Rainer Gerhards
Sorry, I need the full log to make sense out of it. Also a backtrace would be useful. Warning: right now under heavy workload, it can take some time until I can actually have a look. Rainer 2016-12-01 15:07 GMT+01:00 Virili V. : > Hi all, > I am experiencing a segmentation

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Rainer Gerhards
2016-12-01 19:08 GMT+01:00 mosto...@gmail.com : > > On 01/12/16 at 19:04, Rainer Gerhards wrote: > >> 2016-12-01 18:56 GMT+01:00 mosto...@gmail.com : >>> >>> On 01/12/16 at 18:37, Rainer Gerhards wrote: 2016-12-01 18:33 GMT+01:00

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread mosto...@gmail.com
On 01/12/16 at 19:04, Rainer Gerhards wrote: 2016-12-01 18:56 GMT+01:00 mosto...@gmail.com : On 01/12/16 at 18:37, Rainer Gerhards wrote: 2016-12-01 18:33 GMT+01:00 mosto...@gmail.com : Hi Is there any way to dynamically invoke a ruleset?

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread mosto...@gmail.com
Hi Is there any way to dynamically invoke a ruleset? e.g.: call $var (I'm trying to avoid having +200 if statements... On 25/11/16 at 14:13, David Lang wrote: On Fri, 25 Nov 2016, mosto...@gmail.com wrote: I may be confused about which part is on the sender and which part is on the

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread mosto...@gmail.com
On 01/12/16 at 18:37, Rainer Gerhards wrote: 2016-12-01 18:33 GMT+01:00 mosto...@gmail.com : Hi Is there any way to dynamically invoke a ruleset? e.g.: call $var (I'm trying to avoid having +200 if statements... not yet, but 90% sure everything is in place to make

Re: [rsyslog] Segfault with rsyslog 8.23.0 on RHEL 7.2

2016-12-01 Thread Virili V.
Hi Rainer, have you any recommendations on how to get the backtrace? 2016-12-01 15:42 GMT+00:00 Rainer Gerhards : > Sorry, I need the full log to make sense out of it. Also a backtrace > would be useful. > > Warning: right now under heavy workload, can take some time

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Rainer Gerhards
2016-12-01 18:56 GMT+01:00 mosto...@gmail.com : > On 01/12/16 at 18:37, Rainer Gerhards wrote: >> >> 2016-12-01 18:33 GMT+01:00 mosto...@gmail.com : >>> >>> Hi >>> >>> Is there any way to dynamically invoke a ruleset? e.g.: call $var >>> (I'm trying to

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Rainer Gerhards
2016-12-01 18:33 GMT+01:00 mosto...@gmail.com : > Hi > > Is there any way to dynamically invoke a ruleset? e.g.: call $var > (I'm trying to avoid having +200 if statements... not yet, but 90% sure everything is in place to make implementation easy. Can you elaborate on the use

Re: [rsyslog] Segfault with rsyslog 8.23.0 on RHEL 7.2

2016-12-01 Thread Rainer Gerhards
Have a look here: http://www.rsyslog.com/doc/v8-stable/troubleshooting/troubleshoot.html#segmentation-faults 2016-12-01 17:19 GMT+01:00 Virili V. : > Hi Rainer, have you any recommendations on how to get the backtrace? > > > 2016-12-01 15:42 GMT+00:00 Rainer Gerhards

Re: [rsyslog] rsyslog-doc github include rst?

2016-12-01 Thread Rainer Gerhards
The headers etc. are actually generated by Sphinx. Have a look at the README, it details the steps. What you see on the website is the output of a generation run. Let me know if this helps or more detail is required. Rainer Sent from phone, thus brief. On 01.12.2016 at 19:12 wrote

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread mosto...@gmail.com
Yup, thx. IMHO it makes sense. Let's wait for what David says, but I think it would make sense to open an issue referring to this thread. ... I know, I also must find time to actually work on some of them... ;-) This is our current core.conf draft: global( MaxMessageSize="32k"

Re: [rsyslog] rsyslog-doc github include rst?

2016-12-01 Thread Rainer Gerhards
GitHub has the doc sources; I don't think it can generate a proper version. The official doc sits at rsyslog.com/doc and there it should be, IMHO. I like GitHub, but I do not want to bet the project on its availability. Rainer Sent from phone, thus brief. On 01.12.2016 at 19:52 wrote

Re: [rsyslog] Are we building an ERK stack?

2016-12-01 Thread mosto...@gmail.com
Hi Bob. Today we finally found some time to take a look at our rsyslog-normalizer-indexer, which uses omelasticsearch. According to http://www.rsyslog.com/doc/v8-stable/configuration/modules/omelasticsearch.html the indexing parameter *errorfile* helps to store failed indexing attempts. How do

Re: [rsyslog] rsyslog-doc github include rst?

2016-12-01 Thread mosto...@gmail.com
Ok. One thing less on my TODO. :D On 01/12/16 at 19:57, Rainer Gerhards wrote: GitHub has the doc sources; I don't think it can generate a proper version. The official doc sits at rsyslog.com/doc and there it should be, IMHO. I like GitHub, but I do not want to bet the project on its

Re: [rsyslog] rsyslog-doc github include rst?

2016-12-01 Thread mosto...@gmail.com
> within github I guessed Sphinx would do it for the web frontend, but I was asking for GitHub. On 01/12/16 at 19:50, Rainer Gerhards wrote: The headers etc. are actually generated by Sphinx. Have a look at the README, it details the steps. What you see on the website is the output of a

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread David Lang
Ok, my mistake was thinking each else needed its own {}, which results in a lot of closing } at the end of the sequence. David Lang On Thu, 1 Dec 2016, Rainer Gerhards wrote: Just on elseif... We have it, it's just a question of writing style. Insert a space and you get: If expr Else if

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Rainer Gerhards
Just on elseif... We have it, it's just a question of writing style. Insert a space and you get: If expr Else if expr Else if expr Else So there is no need for a special statement. Note that for the very same reason, elseif does not exist in many programming languages. C, for example, does not

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Rainer Gerhards
No, braces (blocks) are just to form a single statement out of multiple. If you add a single one (if), you do not need them. Grammar: if stmt else stmt Rainer Sent from phone, thus brief. On 01.12.2016 at 23:22, "David Lang" wrote: > Ok, my mistake was thinking each else needed
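
Added example (not from the thread) of the grammar Rainer describes: an if / else if / else chain whose branches are single statements, so no braces and no elseif keyword are needed, dispatching to named rulesets in place of the dynamic "call $var" asked about earlier in the thread. The ruleset names, match values and paths are illustrative.

```rainerscript
# Added example, not code from the thread. Ruleset names, match values and
# paths are illustrative.
ruleset(name="rs_sshd")    { action(type="omfile" file="/var/log/by-app/sshd.log") }
ruleset(name="rs_postfix") { action(type="omfile" file="/var/log/by-app/postfix.log") }
ruleset(name="rs_other")   { action(type="omfile" file="/var/log/by-app/other.log") }

# "else if" is just "else" followed by one "if" statement: each branch is a
# single statement, so no braces are needed and there is nothing to close
# at the end of the chain. First match wins, so order the tests accordingly.
if $programname == "sshd" then
    call rs_sshd
else if $programname startswith "postfix" then
    call rs_postfix
else
    call rs_other

# Braces are only needed to group several statements into one block.
if $syslogseverity <= 3 then {
    set $!alert = "yes";
    call rs_other
}
```

The chain does the work a dynamic `call $var` would do, at the cost of one branch per target; the comparisons are on `$programname`, which is the static part of the syslog TAG, so messages without a usable tag fall through to the final `else`.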

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread David Lang
On Thu, 1 Dec 2016, mosto...@gmail.com wrote: Thanks David. It helped (sadly it arrived 2 hours late :P). I'm now dealing with setting a variable with timestamp:::date-rfc5424 format. The only way to do that is with a template. David Lang

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Dave Caplinger
Just to add to David's suggestion, here are some examples from one of my configs: template(name="s_relay_time" type="list") { property(name="timegenerated" dateFormat="rfc5424") } template(name="s_relay_utime" type="list") { property(name="timegenerated" dateFormat="unixtimestamp")
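
Added example (not from the thread) extending Dave's templates above: exec_template() runs a template and returns the resulting string, which is how a date-formatted timestamp ends up in a variable, since only a template can apply a dateFormat. It assumes a rainerscript build that has the exec_template() function; the variable names and output path are illustrative.

```rainerscript
# Added example, not code from the thread. Assumes exec_template() is
# available; variable names and the output path are illustrative.
template(name="s_relay_time" type="list") {
    property(name="timegenerated" dateFormat="rfc5424")
}
template(name="s_relay_utime" type="list") {
    property(name="timegenerated" dateFormat="unixtimestamp")
}
template(name="t_out" type="list") {
    property(name="$!data")
    constant(value="\n")
}

# Only a template can apply dateFormat; exec_template() executes one and
# returns the string, so the formatted value can be stored in a variable.
set $!data!ts = exec_template("s_relay_time");
set $!data!ts_unix = exec_template("s_relay_utime");
set $!data!host = $hostname;

action(type="omfile" file="/var/log/relay-time.json" template="t_out")
```

Note the property choice: `timegenerated` is the time this rsyslog instance received the message, while `timereported` is the timestamp carried in the message itself. For a relay the former is the trustworthy one; the latter is under the sender's control.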

Re: [rsyslog] filters question

2016-12-01 Thread David Lang
On Thu, 1 Dec 2016, Swartz, Patrick wrote: Hello, Confession... I'm still learning rsyslog after many years of working with syslog-ng. I'm using rsyslog-8.4.0-8.3 on a SLES12.1 system and am trying to capture my ESXi host logs. Here is my current filter for those: cat

Re: [rsyslog] Are we building an ERK stack?

2016-12-01 Thread David Lang
On Thu, 1 Dec 2016, mosto...@gmail.com wrote: Hi Bob. Today we finally found some time to take a look at our rsyslog-normalizer-indexer, which uses omelasticsearch. According to http://www.rsyslog.com/doc/v8-stable/configuration/modules/omelasticsearch.html the indexing parameter *errorfile*

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread David Lang
On Thu, 1 Dec 2016, David Lang wrote: Is there any way to dynamically invoke a ruleset? e.g.: call $var (I'm trying to avoid having +200 if statements... So to summarize, what I recommend that you do for your use case is: 1. a single combined mmnormalize ruleset if then { set common

[rsyslog] rsyslog-doc github include rst?

2016-12-01 Thread mosto...@gmail.com
Hi @radu-gheorghe @rgerhards: Is there any way to include an rst document into another within GitHub? I have been trying raw and other directives without success (seems due to security concerns) (Trying to include a legal footer/license for every page) Thanks.

[rsyslog] Rsyslog stops relaying messages

2016-12-01 Thread Arik Mitschang
Hi Rsyslog users, We have been periodically experiencing an issue with our rsyslog setup where some RELP relay nodes appear to fill up their queue and stop processing any messages. Our log flow essentially is made up of a number of "clients" that send messages over RELP to one or more "relay"

Re: [rsyslog] Rsyslog stops relaying messages

2016-12-01 Thread David Lang
On Fri, 2 Dec 2016, Arik Mitschang wrote: Hi Rsyslog users, We have been periodically experiencing an issue with our rsyslog setup where some RELP relay nodes appear to fill up their queue and stop processing any messages. Our log flow essentially is made up of a number of "clients" that send

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Rainer Gerhards
2016-12-01 23:30 GMT+01:00 David Lang : > On Thu, 1 Dec 2016, David Lang wrote: > >>> Is there any way to dynamically invoke a ruleset? e.g.: call $var >>> (I'm trying to avoid having +200 if statements... > > > So to summarize, what I recommend that you do for your use case is: >

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Rainer Gerhards
2016-12-02 8:27 GMT+01:00 David Lang : > On Fri, 2 Dec 2016, Rainer Gerhards wrote: > >> What exactly do you do with the variables you set inside the if body? >> Are they always the same? Where does the data originate from? >> >> I try to understand the scenario better, because I

Re: [rsyslog] omriemann configuration

2016-12-01 Thread David Lang
On Fri, 2 Dec 2016, Bob Gregory wrote: Evening all, I've mostly finished my last personal project, so my thoughts are turning to omriemann. I'm trying to work out how we might configure the module. Riemann requires that we send a protobuf encoded message containing a few pre-set fields, plus

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread David Lang
On Fri, 2 Dec 2016, Rainer Gerhards wrote: What exactly do you do with the variables you set inside the if body? Are they always the same? Where does the data originate from? I try to understand the scenario better, because I vaguely think I may be able to find a much simpler solution which

[rsyslog] omriemann configuration

2016-12-01 Thread Bob Gregory
Evening all, I've mostly finished my last personal project, so my thoughts are turning to omriemann. I'm trying to work out how we might configure the module. Riemann requires that we send a protobuf encoded message containing a few pre-set fields, plus whatever additional fields we feel like

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread David Lang
On Fri, 2 Dec 2016, Rainer Gerhards wrote: 2016-12-02 8:27 GMT+01:00 David Lang : On Fri, 2 Dec 2016, Rainer Gerhards wrote: What exactly do you do with the variables you set inside the if body? Are they always the same? Where does the data originate from? I try to understand

[rsyslog] Change log timestamp: rsyslog changes don't work

2016-12-01 Thread mdii
Hi all, I'm trying to change the timestamp that appears in my openLDAP logs. Today it's the default timestamp (Nov 22 11:55:02), but for debugging reasons I need to show the milliseconds (something like Nov 22 11:55:02:987 or any other format with milliseconds). The log output is managed by the

Re: [rsyslog] about imfile

2016-12-01 Thread Rainer Gerhards
2016-12-01 11:54 GMT+01:00 mosto...@gmail.com : >> because a syslog message contains a tag. > > mind-blowing explanation :P Well, as the property is already there, why would you like to have a config parameter for something that by definition will never be needed? Rainer

Re: [rsyslog] about imfile

2016-12-01 Thread Rainer Gerhards
2016-12-01 12:55 GMT+01:00 Rainer Gerhards : > 2016-12-01 11:54 GMT+01:00 mosto...@gmail.com : >>> because a syslog message contains a tag. >> >> mind-blowing explanation :P > > Well, as the property is already there, why would you like to have a >

Re: [rsyslog] about imfile

2016-12-01 Thread mosto...@gmail.com
On 01/12/16 at 12:55, Rainer Gerhards wrote: 2016-12-01 11:54 GMT+01:00 mosto...@gmail.com : because a syslog message contains a tag. mind-blowing explanation :P Well, as the property is already there, why would you like to have a config parameter for something that by

Re: [rsyslog] about imfile

2016-12-01 Thread Rainer Gerhards
2016-12-01 13:06 GMT+01:00 mosto...@gmail.com : > On 01/12/16 at 12:55, Rainer Gerhards wrote: >> >> 2016-12-01 11:54 GMT+01:00 mosto...@gmail.com : because a syslog message contains a tag. >>> >>> mind-blowing explanation :P >> >> Well, as the

Re: [rsyslog] about imfile

2016-12-01 Thread mosto...@gmail.com
Now, that makes sense! :D Thanks On 01/12/16 at 13:06, Rainer Gerhards wrote: 2016-12-01 12:55 GMT+01:00 Rainer Gerhards : 2016-12-01 11:54 GMT+01:00 mosto...@gmail.com : because a syslog message contains a tag. mind-blowing explanation :P

Re: [rsyslog] about imfile

2016-12-01 Thread Rainer Gerhards
2016-12-01 13:09 GMT+01:00 mosto...@gmail.com : > Now, that makes sense! :D > Sorry for the initial confusion. That was so obvious to me that I didn't even think it was worth mentioning. Of course it's not obvious ;-) But that's also the reason why I say I am not the best

Re: [rsyslog] about imfile

2016-12-01 Thread mosto...@gmail.com
A message without a TAG (malformed RFC 3164 message), no matter if it's read from a file or arrives from a socket, won't have a tag. Hence, setting it only for imfile won't fix it for socket modules. I am not ready for this discussion again. In rsyslog, rfc3164 messages always have a tag. See

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread mosto...@gmail.com
I don't know if this is what you are asking for... 3421.997587883:main Q:Reg/w0 : SET !data!aapp = 3421.997596172:main Q:Reg/w0 : function 'field' (id:9, params:3) 3421.997607766:main Q:Reg/w0 : var 'programname' 3421.997687716:main Q:Reg/w0 : 47 3421.997714715:main

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread David Lang
No, we need to see the contents of programname (the RSYSLOG_DebugFormat will show this). David Lang

Re: [rsyslog] mmnormalize with multiple input: conditionals?

2016-12-01 Thread Rainer Gerhards
Maybe the complete debug log would also help (not sure). Rainer 2016-12-01 11:12 GMT+01:00 David Lang : > No, we need to see the contents of programname (the RSYSLOG_DebugFormat will > show this). > > David Lang

Re: [rsyslog] about imfile

2016-12-01 Thread mosto...@gmail.com
On 30/11/16 at 22:51, David Lang wrote: On Wed, 30 Nov 2016, mosto...@gmail.com wrote: According to documentation: State files are used to track which parts of the monitored file are already processed. Do state files keep just "last reading position" or, as the doc suggests, a file can

Re: [rsyslog] about imfile

2016-12-01 Thread David Lang
On Thu, 1 Dec 2016, mosto...@gmail.com wrote: Note that when $WorkDirectory is not set or set to a non-writable location, the state file **will not be generated**. Am I wrong, or are state files written to / in this scenario? No, without a work directory set, they don't get written to /.

Re: [rsyslog] about imfile

2016-12-01 Thread mosto...@gmail.com
read modes other than 0 currently seem to have issues in inotify mode. Any open issues? Is it a based-on-experience warning message? Legacy? I am not aware of one, which does not necessarily mean none exists. So you need to check the issue trackers :-( The longer-term question is if we
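
Added example (not from the thread) of an imfile setup that persists its state files, covering the two points discussed in the messages above: a configured work directory that the daemon can write to, and the default read mode 0, which is the one David's warning does not apply to. The explicit tag follows the imfile documentation's note that the trailing colon must be part of the value if it is wanted in the TAG. Paths, the tag and the ruleset name are illustrative.

```rainerscript
# Added example, not code from the thread. Paths, tag and ruleset name are
# illustrative.

# State files (the per-file read position) are only written when a work
# directory is set and writable by the user rsyslogd runs as. Without one,
# the position is not persisted across restarts.
global(workDirectory="/var/spool/rsyslog")

module(load="imfile")

input(type="imfile"
      File="/var/log/myapp/app.log"
      Tag="myapp:"          # include the colon if it should appear in the TAG
      Severity="info"
      Facility="local3"
      readMode="0"          # line-by-line; modes 1 and 2 are the ones flagged above
      ruleset="rs_myapp")

ruleset(name="rs_myapp") {
    action(type="omfile" file="/var/log/myapp-relay.log")
}
```

Check the work directory with the same user the daemon drops privileges to (if it does), not as root: a directory root can write but the service user cannot reproduces exactly the "state file will not be generated" case from the documentation quoted above.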

Re: [rsyslog] about imfile

2016-12-01 Thread Rainer Gerhards
2016-12-01 11:20 GMT+01:00 mosto...@gmail.com : > On 30/11/16 at 22:51, David Lang wrote: >> >> On Wed, 30 Nov 2016, mosto...@gmail.com wrote: >>> read modes other than 0 currently seem to have issues in inotify mode >>> >>> Any open issues? Is it a