Thanks David, So something like this?:

template(name="FileFormat" type="string" string= "%TIMESTAMP% %FROMHOST-IP% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" )

Robert

On Fri, May 2, 2014 at 1:49 PM, David Lang <[email protected]> wrote:
> Ok, this looks like you just need to make a new template that uses
> %fromhost-ip% instead of %hostname%
>
> David Lang
>
> On Fri, 2 May 2014, robert s wrote:
>
>> Date: Fri, 2 May 2014 12:13:21 -0400
>> From: robert s <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] log output
>>
>> Thanks Rainer,
>>
>> using this filter:
>>
>> :fromhost, contains, "ldblzr" {
>>     action (type="omfile"
>>             template="RSYSLOG_DebugFormat" name="load"
>>             File="/var/log/swtichlog"
>>     )
>>     stop
>> }
>>
>> I get the following output:
>>
>> Debug line with all properties:
>> FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
>> 'switch1.ldblzr', PRI: 189,
>> syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
>> TIMESTAMP: 'May 2 12:08:16', STRUCTURED-DATA: '-',
>> msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
>> Ethernet124/1/16 is up in mode access'
>> escaped msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
>> Ethernet124/1/16 is up in mode access'
>> inputname: imudp rawmsg: '<189>: 2014 May 2 12:08:16 EDT:
>> %ETHPORT-5-IF_UP: Interface Ethernet124/1/16 is up in mode access'
>> $!:
>> $.:
>> $/:
>>
>> Debug line with all properties:
>> FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
>> 'switch1.ldblzr', PRI: 189,
>> syslogtag '1277235:', programname: '1277235', APP-NAME: '1277235',
>> PROCID: '-', MSGID: '-',
>> TIMESTAMP: 'May 2 12:08:23', STRUCTURED-DATA: '-',
>> msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
>> Interface GigabitEthernet0/11, changed state to down'
>> escaped msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line
>> protocol on Interface GigabitEthernet0/11, changed state to down'
>> inputname: imudp rawmsg: '<189>1277235: May 2 12:08:22.817 EDT:
>> %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
>> changed state to down'
>> $!:
>> $.:
>> $/:
>>
>> Debug line with all properties:
>> FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
>> 'switch1.ldblzr', PRI: 189,
>> syslogtag '1277236:', programname: '1277236', APP-NAME: '1277236',
>> PROCID: '-', MSGID: '-',
>> TIMESTAMP: 'May 2 12:08:26', STRUCTURED-DATA: '-',
>> msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
>> Interface GigabitEthernet0/11, changed state to up'
>> escaped msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line
>> protocol on Interface GigabitEthernet0/11, changed state to up'
>> inputname: imudp rawmsg: '<189>1277236: May 2 12:08:25.896 EDT:
>> %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
>> changed state to up'
>> $!:
>> $.:
>> $/:
>>
>> Robert
>>
>> On Fri, May 2, 2014 at 11:25 AM, Rainer Gerhards
>> <[email protected]> wrote:
>>>
>>> I guess the switch emits malformed format. Use the RSYSLOG_DebugFormat
>>> template for this action and post a sample from it. Note that each
>>> message will be output on multiple lines, with all the properties as
>>> rsyslog sees them. rawmsg is the most interesting one. Be sure to
>>> include all properties (messages are separated by a blank line with
>>> this template).
>>>
>>> Rainer
>>>
>>> On Fri, May 2, 2014 at 5:04 PM, robert s <[email protected]> wrote:
>>>
>>>> Hello All,
>>>>
>>>> I wanted to see if anyone had run into this issue, I am currently
>>>> logging information from some switches, and I have those switches
>>>> locally listed on my /etc/hosts file with a specific suffix like:
>>>>
>>>> 10.0.0.5 switch1.ldblzr
>>>>
>>>> and I am filtering with a rule like this:
>>>>
>>>> :fromhost, contains, "ldblzr" {
>>>>     action (type="omfile"
>>>>             name="load"
>>>>             File="/var/log/swtichlog"
>>>>     )
>>>>     stop
>>>> }
>>>>
>>>> The issue that I am running into is that when the logs go to the
>>>> "switchlog". The way that they are being written is:
>>>>
>>>> 2014-05-02T09:19:14.004379-04:00 switch.ldbzr 98563: May 2
>>>> 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication failure for SNMP
>>>> req from host 10.0.0.3
>>>>
>>>> I would like them to be written as:
>>>>
>>>> 2014-05-02T09:19:14.004379-04:00 (IP ADDRESS INSTEAD OF HOSTNAME)
>>>> 98563: May 2 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication
>>>> failure for SNMP req from host 10.0.0.3
>>>>
>>>> I am wondering if this is a template issue or an output module
>>>> parameter issue, or just misconfiguration on my part?
>>>>
>>>> Any input will be appreciated
>>>>
>>>> Thanks in advance
>>>>
>>>> Robert
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
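
Added example, not part of the original thread and not the rsyslog project's own configuration: the template discussed above bound to the filter from the thread, so that each line records the source address rsyslog saw on the socket (fromhost-ip) rather than the name resolved through /etc/hosts. The template name "SwitchByIP" is an assumption; the date-rfc3339 option is the one the built-in RSYSLOG_FileFormat template uses and yields the timestamp style shown in the original post's desired line, whereas a bare %TIMESTAMP% is written in the traditional "May 2 12:08:16" style. The filter and file path are copied from the thread.

```rsyslog
# Added example; "SwitchByIP" is a hypothetical template name.
# Same layout as the built-in RSYSLOG_FileFormat, with %HOSTNAME%
# replaced by %fromhost-ip%.
template(name="SwitchByIP" type="string"
         string="%TIMESTAMP:::date-rfc3339% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# Filter and output file as posted in the thread; the action now
# names the template explicitly, so the module default no longer applies.
:fromhost, contains, "ldblzr" {
    action(type="omfile"
           name="load"
           template="SwitchByIP"
           File="/var/log/swtichlog")
    stop
}
```

The template definition has to appear in the configuration before the action that references it.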

