Hi,
I fixed some syntax errors and used your helpful format to find out
which properties are available for filtering
(:property, [!]compare-operation, "value").
My new config looks like (see comments):
$SystemLogSocketAnnotate on # add _UID and other useful properties
$SystemLogParseTrusted on # Add trusted properties but I CAN'T FILTER by those (see below)
$ActionFileDefaultTemplate RSYSLOG_DebugFormat
#:FROMHOST, isequal, "cassiopeia" -/var/log/nobody.log # works
#:$!['uid'], isequal, "2179" -/var/log/nobody.log # not working (parsing error/ syntax error)
#:$!uid, isequal, "2179" -var/log/nobody.log
#not working (wrote every uid messages into that file)
# not working (wrote all different UID messages into that file)
#:$!uid, isequal, "2179" ~
#*.* /var/log/nobody.log
#:omusrmsg:_UID, isequal, "2179" -/var/log/nobody.log # not working (msg: 'user name '"2179" -...' too long - ignored')
The result looks like:
Debug line with all properties:
FROMHOST: 'bar', fromhost-ip: '127.0.0.1', HOSTNAME: 'bar', PRI: 13,
syslogtag 'dsp:', programname: 'foo', APP-NAME: 'dsp', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Aug 3 14:18:24', STRUCTURED-DATA: '-',
msg: ' test'
escaped msg: ' test'
inputname: imuxsock rawmsg: '<13>Aug 3 14:18:24 foo: test'
$!:{ "pid": 8769, "uid": 2179, "gid": 2000, "appname": "logger", "cmd": "" }
$.:
$/:
How can I set up a filter for $!- properties?
Thanks
On 31/07/15 09:00, David Lang wrote:
> On Fri, 31 Jul 2015, David Spautz wrote:
>
>> Hi all,
>>
>> I use debian 8 (Jessie) and RSyslog 8.4.2
>>
>> rsyslogd 8.4.2, compiled with:
>> FEATURE_REGEXP: Yes
>> GSSAPI Kerberos 5 support: Yes
>> FEATURE_DEBUG (debug build, slow code): No
>> 32bit Atomic operations supported: Yes
>> 64bit Atomic operations supported: Yes
>> memory allocator: system default
>> Runtime Instrumentation (slow code): No
>> uuid support: Yes
>> Number of Bits in RainerScript integers: 64
>>
>> I tried to setup rsyslog to use trusted properties like UID to filter
>> messages and write it to UID-separated files
>>
>> $ModLoad imuxsock
>> $InputUnixListenSocketAnnotate on
>> $SystemLogSocketAnnotate on
>> $SystemLogUsePIDFromSystem on
>> $SystemLogParseTrusted on
>> :_UID, isequal, "0" -/tmp/test.log
>
> _UID is not a valid variable, all variables start with $
>
> write a log message with the format RSYSLOG_DebugFormat and it will
> show you all the variables you have available to play with
>
> a hint, the trusted properties will show up under $! after you run
> mmjsonparse. I haven't looked to see if they show up as anything other
> than the text inside the message before you do that.
>
> run rsyslogd -N2 before you try again and resolve any syntax errors.
> When there are syntax errors in the config file, rsyslog is NOT going
> to do what you want it to.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> if you DON'T LIKE THAT.
--
David Spautz
Consultant
credativ Ltd
Suite 5, Bloxam Court
CV21 2DU
UK office: +44 1788 298150
Email: [email protected]
Web: http://www.credativ.co.uk
--
credativ Ltd is registered in England & Wales, company no. 5261743
Certified by CompTIA / AccredIT UK with the ICT Supply standard of
quality for Software Product Design and Development
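
One way to filter on the $! properties shown in the debug line above, using RainerScript expression filters instead of the property-based filter syntax. This is an added example, not part of the thread; the per-UID directory /var/log/by-uid and the template name PerUidFile are assumptions chosen for illustration.

```rsyslog
# Input settings as posted in the thread (legacy directive format).
$ModLoad imuxsock
$SystemLogSocketAnnotate on
$SystemLogParseTrusted on

# Dynamic file name built from the trusted uid property.
# The directory and the template name are assumptions, not from the thread.
template(name="PerUidFile" type="string"
         string="/var/log/by-uid/%$!uid%.log")

# Messages from one specific UID go to a dedicated file and are then
# discarded, so they do not also reach the rules further down.
if $!uid == 2179 then {
    action(type="omfile" file="/var/log/nobody.log")
    stop
}

# Any other message that carries a uid is written to a per-UID file.
# Messages without the property (for example from remote inputs) are
# skipped here, so no file with an empty UID in its name is created.
if $!uid != "" then {
    action(type="omfile" dynaFile="PerUidFile")
}
```

Check the result with rsyslogd -N2, as suggested earlier in the thread, before restarting the daemon.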