On Tue, 1 Apr 2014, Radu Gheorghe wrote:

Hi Barry,

I think the problem is that the remote server expects an RFC-3164 or
RFC-5424 formatted message. It also tries to guess stuff if your messages
aren't compatible, but I wouldn't count on that.

Agreed. On the server, write a log with the format RSYSLOG_DebugFormat and look at it. I'll bet that your tag will show up in the rawlog, and that you will be surprised at what variable it gets parsed into.

David Lang

Where do you want your tag to live? Beginning of the message? In the place
of the actual syslog tag?

Here's a template for RFC-3164, that will work with old rsyslogs:
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

Now, you can add your tag wherever you want. Like, if you want it at the
beginning of the message, your custom template could be:

$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%CUSTOM_TAG %msg%"



On Tue, Apr 1, 2014 at 7:25 AM, Barry Haycock <[email protected]> wrote:



 Hi,

I have a large number of RedHat servers mostly running RHEL 6.x and the
default 5.x Rsyslog software.

Upgrading to the next major release is out of the question at this time as
this is at a client site.

I have been trying to add a tag to different log types.

At the moment the log is being written locally and to the remote server.
The same tag is being applied to both instances of the log but the remote
server is receiving the unedited version of the log entry while the local
log is receiving the edited version.

Tag:

$template VLMessagesFwd, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% _XXXX %TIMESTAMP:::DATE-RFC3339% %HOSTNAME%%msg:::sp-if-no-1st-sp%%msg%\n"

*.info;mail.none;authpriv.none;cron.none    /var/log/messages;VLMessagesFwd

&                                  @@Server-002.<DOMAIN>:6172;VLMessagesFwd

In this case the tag is being applied to /var/log/messages but not the
remote server, even though the logs are arriving at the remote server.

Running the server in debug shows the template being applied to both the
local log entry and the remote server, via cfline entries:

cfline: '*.info;mail.none;authriv.none;cron.none    /var/log/messages;VLMessagesFwd

template: 'VLMessagesFwd' assigned

&

cfline: '&    @@Server-002.<DOMAIN>:6172;VLMessagesFwd'

template: 'VLMessagesFwd' assigned

I have more debug output if it is required.

Any ideas on what is missing?

--

Barry

(M) 0411 064 000
(F) 02 6257 7308

Banpen Fugyou - 10,000 Changes, No surprises

Key Fingerprint:  4CFF 5276 1BF5 DFD4 684B  CBD2 E414 6292 D40E BBFD

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
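
The point made in the replies, as an added example (not from the thread, and not rsyslog's own parser): a strict, simplified RFC 3164 header split run over two constructed frames, one shaped like the RFC3164fmt template with CUSTOM_TAG and one shaped like VLMessagesFwd, which has no <PRI> and starts with an RFC 3339 timestamp. Host name, program name and times are made up, and the fallback to priority 13 follows RFC 3164 section 4.3.3 as an assumption about the receiver, not observed rsyslog 5.x behaviour.

```python
import re

# Strict, simplified RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]:MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<syslogtag>[^\s:\[]+(?:\[\d+\])?:?)"
    r"(?P<msg>.*)$",
    re.S,
)

# Constructed frames (host, program and times are made up).
# Shaped like: "<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%CUSTOM_TAG %msg%"
RFC3164_FRAME = "<30>Apr  1 07:25:00 web01 sshd[1234]:CUSTOM_TAG session opened"
# Shaped like the VLMessagesFwd template: no <PRI>, RFC 3339 timestamps
VLMESSAGES_FRAME = ("2014-04-01T07:25:00+11:00 web01 _XXXX "
                    "2014-04-01T07:25:00+11:00 web01 session opened\n")


def parse(frame):
    """Split a frame into syslog fields, or fall back when the header does not conform."""
    m = RFC3164.match(frame)
    if m:
        fields = m.groupdict()
        pri = int(fields.pop("pri"))
        fields.update(conforming=True, facility=pri >> 3, severity=pri & 7)
        return fields
    # Assumed fallback: no usable PRI, so priority 13 (user.notice) per
    # RFC 3164 section 4.3.3, and the whole frame is treated as the message.
    return {"conforming": False, "facility": 13 >> 3, "severity": 13 & 7,
            "timestamp": None, "hostname": None, "syslogtag": None, "msg": frame}


def where_is(marker, frame):
    """Return the names of the parsed fields that contain the marker string."""
    return [k for k, v in parse(frame).items() if isinstance(v, str) and marker in v]


if __name__ == "__main__":
    for name, frame, marker in (("RFC3164fmt", RFC3164_FRAME, "CUSTOM_TAG"),
                                ("VLMessagesFwd", VLMESSAGES_FRAME, "_XXXX")):
        print(name, parse(frame), "marker found in:", where_is(marker, frame))
```
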