Thanks again David.

Robert
On Fri, May 2, 2014 at 4:37 PM, David Lang <[email protected]> wrote:
> take a look at the options in www.rsyslog.com/doc/property_replacer.html
>
> DateFormat New format, additional parameter is needed. See below.
> mysql format as mysql date
> pgsql format as pgsql date
> rfc3164 format as RFC 3164 date
> rfc3164-buggyday similar to date-rfc3164, but emulates a common
> coding error: RFC 3164 demands that a space is written for single-digit
> days. With this option, a zero is written instead. This format seems to be
> used by syslog-ng and the date-rfc3164-buggyday option can be used in
> migration scenarios where otherwise lots of scripts would need to be
> adjusted. It is recommended not to use this option when forwarding to remote
> hosts - they may treat the date as invalid (especially when parsing strictly
> according to RFC 3164).
> rfc3339 format as RFC 3339 date
> unixtimestamp format as unix timestamp (seconds since epoch)
> subseconds just the subseconds of a timestamp (always 0 for a low
> precision timestamp)
>
> David Lang
>
> On Fri, 2 May 2014, robert s wrote:
>
>> Awesome thanks David!
>>
>> The only thing is that when I use %TIMESTAMP% it looks like this:
>>
>> May 2 16:17:24 192.168.5.153 :
>> May 2 16:17:24 192.168.5.154 :
>>
>> I was looking for how to make it look like this:
>>
>> 2014-05-02T16:11:58.003716-04:00
>> 2014-05-02T16:11:58.007823-04:00
>>
>> Is there someplace on the documentation that shows that?
>>
>> Thanks
>>
>> Robert
>>
>> On Fri, May 2, 2014 at 2:49 PM, David Lang <[email protected]> wrote:
>>>
>>> that looks about right.
>>>
>>> David Lang
>>>
>>> On Fri, 2 May 2014, robert s wrote:
>>>
>>>> Thanks David,
>>>>
>>>> So something like this?:
>>>>
>>>> template(name="FileFormat" type="string"
>>>> string= "%TIMESTAMP% %FROMHOST-IP%
>>>> %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
>>>> )
>>>>
>>>> Robert
>>>>
>>>> On Fri, May 2, 2014 at 1:49 PM, David Lang <[email protected]> wrote:
>>>>>
>>>>> Ok, this looks like you just need to make a new template that uses
>>>>> %fromhost-ip% instead of %hostname%
>>>>>
>>>>> David Lang
>>>>>
>>>>> On Fri, 2 May 2014, robert s wrote:
>>>>>
>>>>>> Date: Fri, 2 May 2014 12:13:21 -0400
>>>>>> From: robert s <[email protected]>
>>>>>> Reply-To: rsyslog-users <[email protected]>
>>>>>> To: rsyslog-users <[email protected]>
>>>>>> Subject: Re: [rsyslog] log output
>>>>>>
>>>>>> Thanks Rainer,
>>>>>>
>>>>>> using this filter:
>>>>>>
>>>>>> :fromhost, contains, "ldblzr" {
>>>>>> action (type="omfile"
>>>>>> template="RSYSLOG_DebugFormat"name="load"
>>>>>> File="/var/log/swtichlog"
>>>>>> )
>>>>>> stop
>>>>>> }
>>>>>>
>>>>>> I get the following output:
>>>>>>
>>>>>> Debug line with all properties:
>>>>>> FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
>>>>>> 'switch1.ldblzr', PRI: 189,
>>>>>> syslogtag ':', programname: '', APP-NAME: '', PROCID: '-', MSGID: '-',
>>>>>> TIMESTAMP: 'May 2 12:08:16', STRUCTURED-DATA: '-',
>>>>>> msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
>>>>>> Ethernet124/1/16 is up in mode access'
>>>>>> escaped msg: ' 2014 May 2 12:08:16 EDT: %ETHPORT-5-IF_UP: Interface
>>>>>> Ethernet124/1/16 is up in mode access'
>>>>>> inputname: imudp rawmsg: '<189>: 2014 May 2 12:08:16 EDT:
>>>>>> %ETHPORT-5-IF_UP: Interface Ethernet124/1/16 is up in mode access'
>>>>>> $!:
>>>>>> $.:
>>>>>> $/:
>>>>>>
>>>>>> Debug line with all properties:
>>>>>> FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
>>>>>> 'switch1.ldblzr', PRI: 189,
>>>>>> syslogtag '1277235:', programname: '1277235', APP-NAME: '1277235',
>>>>>> PROCID: '-', MSGID: '-',
>>>>>> TIMESTAMP: 'May 2 12:08:23', STRUCTURED-DATA: '-',
>>>>>> msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
>>>>>> Interface GigabitEthernet0/11, changed state to down'
>>>>>> escaped msg: ' May 2 12:08:22.817 EDT: %LINEPROTO-5-UPDOWN: Line
>>>>>> protocol on Interface GigabitEthernet0/11, changed state to down'
>>>>>> inputname: imudp rawmsg: '<189>1277235: May 2 12:08:22.817 EDT:
>>>>>> %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
>>>>>> changed state to down'
>>>>>> $!:
>>>>>> $.:
>>>>>> $/:
>>>>>>
>>>>>> Debug line with all properties:
>>>>>> FROMHOST: 'switch1.ldblzr', fromhost-ip: '192.168.5.73', HOSTNAME:
>>>>>> 'switch1.ldblzr', PRI: 189,
>>>>>> syslogtag '1277236:', programname: '1277236', APP-NAME: '1277236',
>>>>>> PROCID: '-', MSGID: '-',
>>>>>> TIMESTAMP: 'May 2 12:08:26', STRUCTURED-DATA: '-',
>>>>>> msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line protocol on
>>>>>> Interface GigabitEthernet0/11, changed state to up'
>>>>>> escaped msg: ' May 2 12:08:25.896 EDT: %LINEPROTO-5-UPDOWN: Line
>>>>>> protocol on Interface GigabitEthernet0/11, changed state to up'
>>>>>> inputname: imudp rawmsg: '<189>1277236: May 2 12:08:25.896 EDT:
>>>>>> %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11,
>>>>>> changed state to up'
>>>>>> $!:
>>>>>> $.:
>>>>>> $/:
>>>>>>
>>>>>> Robert
>>>>>>
>>>>>> On Fri, May 2, 2014 at 11:25 AM, Rainer Gerhards
>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>> I guess the switch emits malformed format. Use the RSYSLOG_DebugFormat
>>>>>>> template for this action and post a sample from it. Note that each message
>>>>>>> will be output on multiple lines, with all the properties as rsyslog sees
>>>>>>> them. rawmsg is the most interesting one.
>>>>>>> Be sure to include all properties
>>>>>>> (messages are separated by a blank line with this template).
>>>>>>>
>>>>>>> Rainer
>>>>>>>
>>>>>>> On Fri, May 2, 2014 at 5:04 PM, robert s <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hello All,
>>>>>>>>
>>>>>>>> I wanted to see if anyone had run into this issue, I am currently
>>>>>>>> logging information from some switches, and I have those switches
>>>>>>>> locally listed on my /etc/hosts file with a specific suffix like:
>>>>>>>>
>>>>>>>> 10.0.0.5 switch1.ldblzr
>>>>>>>>
>>>>>>>> and I am filtering with a rule like this:
>>>>>>>>
>>>>>>>> :fromhost, contains, "ldblzr" {
>>>>>>>> action (type="omfile"
>>>>>>>> name="load"
>>>>>>>> File="/var/log/swtichlog"
>>>>>>>> )
>>>>>>>> stop
>>>>>>>> }
>>>>>>>>
>>>>>>>> The issue that I am running into is that when the logs go to the
>>>>>>>> "switchlog". The way that they are being written is:
>>>>>>>>
>>>>>>>> 2014-05-02T09:19:14.004379-04:00 switch.ldbzr 98563: May 2
>>>>>>>> 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication failure for SNMP
>>>>>>>> req from host 10.0.0.3
>>>>>>>>
>>>>>>>> I would like them to be written as:
>>>>>>>>
>>>>>>>> 2014-05-02T09:19:14.004379-04:00 (IP ADDRESS INSTEAD OF HOSTNAME)
>>>>>>>> 98563: May 2 09:19:13.005 EDT: %SNMP-3-AUTHFAIL: Authentication
>>>>>>>> failure for SNMP req from host 10.0.0.3
>>>>>>>>
>>>>>>>> I am wondering if this is a template issue or an output module
>>>>>>>> parameter issue, or just misconfiguration on my part?
>>>>>>>>
>>>>>>>> Any input will be appreciated
>>>>>>>>
>>>>>>>> Thanks in advance
>>>>>>>>
>>>>>>>> Robert
>>>>>>>> _______________________________________________
>>>>>>>> rsyslog mailing list
>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>> What's up with rsyslog?
>>>>>>>> Follow https://twitter.com/rgerhards
>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>>>>> DON'T LIKE THAT.
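
The template this thread converges on, written out as an added example (it is not taken from any message above): the layout of the built-in RSYSLOG_FileFormat with %fromhost-ip% in place of %HOSTNAME% and the date-rfc3339 option applied to the timestamp. The template name SwitchFileFormat is an assumption; the filter string and file path are the ones Robert posted.

```conf
# Added example; the template name "SwitchFileFormat" is hypothetical.
# Same layout as the built-in RSYSLOG_FileFormat, with two changes:
#   - %fromhost-ip% (the address rsyslog received the packet from)
#     replaces %HOSTNAME% (taken from the message or name resolution)
#   - the date-rfc3339 option renders e.g. 2014-05-02T16:11:58.003716-04:00
template(name="SwitchFileFormat" type="string"
         string="%TIMESTAMP:::date-rfc3339% %fromhost-ip% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# The filter from the thread in RainerScript form; file path as posted there.
if $fromhost contains "ldblzr" then {
    action(type="omfile"
           name="load"
           file="/var/log/swtichlog"
           template="SwitchFileFormat")
    stop
}

# Check the syntax before restarting the daemon:
#   rsyslogd -N1
```

%TIMESTAMP% is the time reported in the message where one can be parsed; %timegenerated:::date-rfc3339% stamps each line with the receiver's clock instead, which is the better choice when device clocks are not trusted. In a relay chain %fromhost-ip% is the address of the last hop, not necessarily the original sender.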

