> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Rainer Gerhards
> Sent: Wednesday, October 24, 2012 6:18 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Moving from v5 to v7
>
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of Roger Salisbury
> > Sent: Wednesday, October 24, 2012 6:12 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Moving from v5 to v7
> >
> > Yes, I was using regex expressions to get .[A-Z] so any pointers to
> > that, thanks. Does look to die in the expression after contains
> >
> > if $syslogfacility-text == 'local3' and not ($msg contains 'com\.company\.[A-Z]') then {
> >     action(type="omfile" dynafile="WEBAPP")
> > }

Interim answer: it's a problem with the rsyslog grammar. IF you remove the backslashes, it parses correctly.

Rainer

>
> I need to check this in my lab. Not sure if I manage today. If not, you
> will get a response tomorrow (and if you don't, please ping me ;))
>
> In the meantime, please have a look at the function list here:
> http://www.rsyslog.com/doc/rainerscript.html
>
> I know, it's extremely terse, but maybe still useful (I'll probably
> extend the doc based on your case ;)).
>
> Rainer
>
> >
> > [root@chylog001 etc]# /sbin/rsyslogd -N1 -d
> >
> > 4748.350174447:7f29e9f15740: rsyslogd 7.2.0 startup, module path '', cwd:/etc
> > 4748.350268538:7f29e9f15740: caller requested object 'net', not found (iRet -3003)
> > 4748.350278833:7f29e9f15740: Requested to load module 'lmnet'
> > 4748.350283303:7f29e9f15740: loading module '/lib64/rsyslog/lmnet.so'
> > 4748.350377867:7f29e9f15740: module lmnet of type 2 being loaded (keepType=0).
> > 4748.350382901:7f29e9f15740: entry point 'isCompatibleWithFeature' not present in module
> > 4748.350386222:7f29e9f15740: entry point 'setModCnf' not present in module
> > 4748.350389235:7f29e9f15740: entry point 'getModCnfName' not present in module
> > 4748.350392243:7f29e9f15740: entry point 'beginCnfLoad' not present in module
> > 4748.350396547:7f29e9f15740: source file conf.c requested reference for module 'lmnet', reference count now 1
> > 4748.350421305:7f29e9f15740: rsyslog runtime initialized, version 7.2.0, current users 1
> > 4748.350462894:7f29e9f15740: source file syslogd.c requested reference for module 'lmnet', reference count now 2
> > 4748.350477065:7f29e9f15740: GenerateLocalHostName uses 'chylog001'
> > 4748.350480780:7f29e9f15740: deque option N, optarg '1'
> > rsyslogd: version 7.2.0, config validation run (level 1), master config /etc/rsyslog.conf
> > 4748.350506900:7f29e9f15740: omfile: using transactional output interface.
> > [...]
> > 4748.354021862:7f29e9f15740: action 2 queue: queuedequeuetimend.: 25
> > 4748.354025447:7f29e9f15740: Action 0x7f29eb409b90: queue 0x7f29eb409dd0 created
> > 4748.354029456:7f29e9f15740: cnf:global:script
> > 4748.354035483:7f29e9f15740: tried selector action for builtin:omfile: 0
> > 4748.354038864:7f29e9f15740: Module builtin:omfile processes this action.
> > 4748.354042446:7f29e9f15740: template: 'RSYSLOG_TraditionalFileFormat' assigned
> > 4748.354047023:7f29e9f15740: template: 'TOMCAT' assigned
> > 4748.354054786:7f29e9f15740: action 3 queue: parameter dump:
> > 4748.354058064:7f29e9f15740: action 3 queue: queue.filename '[NONE]'
> > 4748.354061126:7f29e9f15740: action 3 queue: queue.size: 1000
> > 4748.354064070:7f29e9f15740: action 3 queue: queue.dequeuebatchsize: 16
> > 4748.354067348:7f29e9f15740: action 3 queue: queue.maxdiskspace: 1048576
> > 4748.354070286:7f29e9f15740: action 3 queue: queue.highwatermark: 800
> > 4748.354075865:7f29e9f15740: action 3 queue: queue.lowwatermark: 200
> > 4748.354079754:7f29e9f15740: action 3 queue: queue.fulldelaymark: -1
> > 4748.354084684:7f29e9f15740: action 3 queue: queue.lightdelaymark: -1
> > 4748.354087763:7f29e9f15740: action 3 queue: queue.discardmark: 9800
> > 4748.354091195:7f29e9f15740: action 3 queue: queue.discardseverity: 8
> > 4748.354094220:7f29e9f15740: action 3 queue: queue.checkpointinterval: 0
> > 4748.354097120:7f29e9f15740: action 3 queue: queue.syncqueuefiles: 0
> > 4748.354100401:7f29e9f15740: action 3 queue: queue.type: 3 [Direct]
> > 4748.354103625:7f29e9f15740: action 3 queue: queue.workerthreads: 1
> > 4748.354107830:7f29e9f15740: action 3 queue: queue.timeoutshutdown: 0
> > 4748.354113643:7f29e9f15740: action 3 queue: queue.timeoutactioncompletion: 1000
> > 4748.354117387:7f29e9f15740: action 3 queue: queue.timeoutenqueue: 50
> > 4748.354120407:7f29e9f15740: action 3 queue: queue.timeoutworkerthreadshutdown: 60000
> > 4748.354123818:7f29e9f15740: action 3 queue: queue.workerthreadminimummessages: 100
> > 4748.354127027:7f29e9f15740: action 3 queue: queue.maxfilesize: 1048576
> > 4748.354130016:7f29e9f15740: action 3 queue: queue.saveonshutdown: 1
> > 4748.354133288:7f29e9f15740: action 3 queue: queue.dequeueslowdown: 0
> > 4748.354136684:7f29e9f15740: action 3 queue: queue.dequeuetimebegin: 0
> > 4748.354141153:7f29e9f15740: action 3 queue: queuedequeuetimend.: 25
> > 4748.354148242:7f29e9f15740: Action 0x7f29eb40a330: queue 0x7f29eb40a5a0 created
> > 4748.354152167:7f29e9f15740: cnf:global:script
> > 4748.354158278:7f29e9f15740: invalid char in expr: '
> > 4748.354161598:7f29e9f15740: invalid char in expr: \
> > 4748.354164657:7f29e9f15740: invalid char in expr: .
> > 4748.354171490:7f29e9f15740: Called LogError, msg: error during parsing file /etc/rsyslog.conf, on or before line 57: syntax error
> > rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 57: syntax error [try http://www.rsyslog.com/e/2207 ]
> > 4748.354243187:7f29e9f15740: Called LogError, msg: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'.
> > rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2207 ]
> > rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
> > [root@chylog001 etc]#
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-
> > > [email protected]] On Behalf Of Rainer Gerhards
> > > Sent: Wednesday, October 24, 2012 9:59 AM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] Moving from v5 to v7
> > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:rsyslog-
> > > > [email protected]] On Behalf Of Roger Salisbury
> > > > Sent: Wednesday, October 24, 2012 5:52 PM
> > > > To: rsyslog-users
> > > > Subject: [rsyslog] Moving from v5 to v7
> > > >
> > > > Upgrading from V5 to v7
> > > >
> > > > #if $syslogfacility-text == 'local3' and not ($msg contains 'com\.company\.[A-Z]') then ?WEBAPP
> > > > if $syslogfacility-text == 'local3' and not ($msg contains 'com\.company\.[A-Z]') then {
> > > >     ?WEBAPP
> > > > }
> > > >
> > > >
> > > > Shutting down system logger: [ OK ]
> > > > Starting system logger: rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)
> > >
> > > Could you run it interactively and tell the complete set of error
> > > messages? That would be very helpful.
> > >
> > > The "if" above looks OK, but it will probably not do what you want. It
> > > does NOT test for a regex, so the text exactly as you wrote it must be
> > > contained inside the message.
> > >
> > > The problem you have is potentially a problem with the config grammar,
> > > which mis-interprets the legacy dynafile action. Instead of
> > >
> > > ?WEBAPP
> > >
> > > You can try to use
> > > action(type="omfile" dynafile="WEBAPP")
> > > [along these lines, check omfile doc for exact syntax]
> > >
> > > Please let me know the results and if you wanted to use a regex.
> > >
> > > Rainer
> > >
> > > > [FAILED]
> > > >
> > > > Do I need to group the "if" statement somehow?
> > > >
> > > > $template HOSTS,"/opt/data/syslog/hosts/syslog/%$YEAR%/%HOSTNAME%/syslog-%$YEAR%-%$MONTH%-%$DAY%.log"
> > > > $template APACHE,"/opt/data/syslog/hosts/apache/%$YEAR%/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
> > > > $template TOMCAT,"/opt/data/syslog/hosts/tomcat/%$YEAR%/%HOSTNAME%/syslog-%$YEAR%-%$MONTH%-%$DAY%.log"
> > > > $template WEBAPP,"/opt/data/syslog/webapp/%msg:F,59:2%/%msg:F,59:3%/%HOSTNAME%/%$YEAR%/%$YEAR%-%$MONTH%-%$DAY%.log"
> > > > $template TIMING,"/opt/data/syslog/webapp/%msg:F,59:2%/%msg:F,59:3%/TIMING/%$YEAR%/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
> > > > $template API,"/opt/data/syslog/webapp/%msg:F,59:2%/%msg:F,59:3%/API/%$YEAR%/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
> > > > $template CLIPDATA,"/opt/data/syslog/webapp/%msg:F,59:2%/%msg:F,59:3%/CLIPDATA/%$YEAR%/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
> > > > $template WORKFLOW,"/opt/data/syslog/webapp/%msg:F,59:2%/%msg:F,59:3%/WORKFLOW/%$YEAR%/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
> > > >
> > > >
> > > > #*.*;local1.none;local2.none;local3.none ?HOSTS
> > > > *.*;local1.none;local2.none;local3.none {
> > > >     ?HOSTS
> > > > }
> > > >
> > > > #if $syslogfacility-text == 'local1' then ?APACHE
> > > > if $syslogfacility-text == 'local1' then {
> > > >     ?APACHE
> > > > }
> > > >
> > > > #if $syslogfacility-text == 'local2' then ?TOMCAT
> > > > if $syslogfacility-text == 'local2' then {
> > > >     ?TOMCAT
> > > > }
> > > >
> > > > #if $syslogfacility-text == 'local3' and not ($msg contains 'com\.company\.[A-Z]') then ?WEBAPP
> > > > if $syslogfacility-text == 'local3' and not ($msg contains 'com\.company\.[A-Z]') then {
> > > >     ?WEBAPP
> > > > }
> > > >
> > > > #if $syslogfacility-text == 'local3' and ($msg contains 'com\.company\.TIMING') then ?TIMING
> > > >
> > > > #if $syslogfacility-text == 'local3' and ($msg contains 'com\.company\.API') then ?API
> > > >
> > > > #if $syslogfacility-text == 'local3' and ($msg contains 'com\.company\.CLIPDATA') then ?CLIPDATA
> > > >
> > > > #if $syslogfacility-text == 'local3' and ($msg contains 'com\.company\.WORKFLOW') then ?WORKFLOW
> > > >
> > > > :fromhost-ip, !isequal, "127.0.0.1" ~
> > > >
> > > >
> > > > Roger Salisbury | Web Services |
> > > > | T3Media(formerly Thought Equity Motion)
> > > > Suite 135, 3001 E. Pershing Blvd., Cheyenne, WY 82001
> > > > E [email protected]<mailto:[email protected]> P 307.316.7221
> > > > M 307.316.7221 F 720.382.2719
> > > >
> > > > www.t3media.com<http://www.t3media.com/>
> > > >
> > > > DISCLAIMER: This electronic message together with any attachments is
> > > > proprietary and may contain confidential or other private information
> > > > that is property of T3Media, Inc. If you are not the intended
> > > > recipient, do not copy, disclose or use the contents in any way. Please
> > > > also advise us by return e-mail that you have received the message and
> > > > then please destroy. T3Media, Inc. is not responsible for any changes
> > > > made to this message and / or any attachments after sending by T3Media,
> > > > Inc. We use virus scanning software but exclude all liability for
> > > > viruses or anything similar in this email or any attachment.
> > > >
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com/professional-services/
> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> > > > if you DON'T LIKE THAT.
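
One way to write the local3 rules from this thread so that the substring test and the regex test are each used for what they do, as an added example that is not part of the original messages. It assumes the `re_match()` function from the RainerScript function list linked in the thread is available in the installed build, and it reuses the `WEBAPP` and `TIMING` template names from the quoted config.

```conf
# Added example, not from the thread.
# Assumption: re_match(expr, regex) from the RainerScript function list is
# available; it takes a POSIX extended regex and returns non-zero on a match.
# WEBAPP and TIMING are the $template definitions from the quoted config.

# "contains" is a plain substring test, so it gets the literal text with no
# regex escapes. This matches messages that carry com.company.TIMING verbatim.
if $syslogfacility-text == 'local3' and ($msg contains 'com.company.TIMING') then {
    action(type="omfile" dynafile="TIMING")
}

# The [A-Z] character class needs a real regex test. [.] matches a literal dot
# without a backslash, so the pattern avoids the characters that the parser
# rejected in the debug output ("invalid char in expr: \").
if $syslogfacility-text == 'local3' and not (re_match($msg, 'com[.]company[.][A-Z]')) then {
    action(type="omfile" dynafile="WEBAPP")
}
```

Running `rsyslogd -N1` against the edited file, as in the thread, shows whether the installed version accepts both rules before the service is restarted.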

