This way you use the tag that you set on the input line to create the
metadata fields you want with only one ruleset for all the app inputs.
Cool!
The other thing you could do is to create a table lookup to map the
programname (the value you set as the tag in the input) to the values
you want. This would let you use arbitrary values for tags rather than
having to have them follow a specific format.
Or it could even help me to link groups and apps, so as not to
hardcode them.
I'll leave that for version 2, if you don't mind :P
if $group == ["group1","group2"] then {
    # build "APP MSG" from the tag set on the input line, then normalize it
    set $.logline = $programname + " " + $!msg;
    action(name="parseapp" type="mmnormalize" variable="$.logline"
           rulebase="/path/to/combined/rules.fb")
    call index
    stop
}
I'm not sure I understood this, so let me ask a few questions:
- what you are proposing is mmnormalize to parse "APP MSG", isn't it?
- I guess you are parsing "any group $programname", because the same
$programname may share the same lognorm format, isn't it?
- how could I combine multiple rule files without hardcoded includes?
I guess my only option is a script that merges them...
I like the way you solved that with a variable :D
Pending further testing/playing.
# I would consider adding a section here to look for parsing failures
and log them to someplace for later investigation, probably in raw format
That's mandatory. Is there any easy way to catch norm failures?
This way you can do per-app parser files and include them in your
combined rulebase file if you want.
This still leaves you listing the groups in the main file. If this is
enough of a problem, you could create a table that mapped all known
programnames to 'known' and the test would be something like
if lookup_table("apps","$programname") == "known" then {
(with some other stuff earlier to load the table)
I'll have a look at lookup_tables later, although they seem to be great
savers!
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
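The pieces discussed in this thread, put together in one configuration as an added example (not code from the thread or from the rsyslog project): a lookup table replaces the hardcoded group list, one ruleset serves every app input, the liblognorm v2 rulebase pulls per-app files in with include directives instead of a merge script, and normalization failures are written out raw for later investigation. Every file path, port, app name and field name is a hypothetical placeholder; the example assumes rsyslog 8 with lookup-table support, that mmnormalize sets $parsesuccess to "OK" or "FAIL" and $!unparsed-data on failure, and that the v2 rulebase format accepts include= lines.

```rsyslog
# Added example, not from the thread. All paths, ports and names are
# hypothetical placeholders.
#
# Assumed string lookup table, /etc/rsyslog.d/apps.json
# ("index" is the lookup key, "value" is what lookup() returns):
#   { "version": 1, "nomatch": "unknown", "type": "string",
#     "table": [ { "index": "app1", "value": "known" },
#                { "index": "app2", "value": "known" } ] }
#
# Assumed liblognorm v2 rulebase, /etc/rsyslog.d/rules/combined.rb,
# which pulls in one file per app so no script has to merge them:
#   version=2
#   include=/etc/rsyslog.d/rules/app1.rb
#   include=/etc/rsyslog.d/rules/app2.rb
# and a per-app file, /etc/rsyslog.d/rules/app1.rb:
#   version=2
#   rule=app1:app1 %user:word% logged in from %src:ipv4%

module(load="imfile")
module(load="mmnormalize")

# Loaded once; re-read on SIGHUP so apps can be added without a restart.
lookup_table(name="apps" file="/etc/rsyslog.d/apps.json" reloadOnHUP="on")

# Normalized events: timestamp, app, and the parsed fields as JSON.
template(name="parsed" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="programname")
    constant(value=" ")
    property(name="$!all-json")
    constant(value="\n")
}

# Parse failures: the message exactly as received, plus what liblognorm
# could not consume, so the rulebase can be fixed later.
template(name="unparsed" type="list") {
    property(name="rawmsg")
    constant(value=" | unparsed-data=")
    property(name="$!unparsed-data")
    constant(value="\n")
}

ruleset(name="index") {
    action(type="omfile" file="/var/log/apps/parsed.log" template="parsed")
}

ruleset(name="parsefail") {
    action(type="omfile" file="/var/log/apps/parse-failures.log"
           template="unparsed")
}

ruleset(name="apps") {
    # $programname comes from the tag set on the input line. Anything not
    # in the table gets the nomatch value "unknown" and is left alone.
    if lookup("apps", $programname) == "known" then {
        # Build "APP MSG" so one combined rulebase can dispatch on the app.
        set $.logline = $programname + " " + $msg;
        action(name="parseapp" type="mmnormalize" variable="$.logline"
               rulebase="/etc/rsyslog.d/rules/combined.rb")
        if $parsesuccess == "OK" then {
            call index
        } else {
            call parsefail
        }
        stop
    }
}

# Every app input binds to the same ruleset; only the tag differs.
input(type="imfile" file="/var/log/app1/app1.log" tag="app1" ruleset="apps")
input(type="imfile" file="/var/log/app2/app2.log" tag="app2" ruleset="apps")
```

Adding an app then means one new entry in apps.json, one new per-app rule file and one include line in combined.rb; the main configuration does not change. Keeping the failure log in raw form matters because a rulebase that silently drops unparsed lines hides exactly the events that were not expected, and those are the ones worth looking at.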