On Sun, 1 Oct 2017, at 11:50, David Lang wrote: > any time you have a question like this, first log locally with the format > RSYSLOG_DebugFormat so that you can see exactly what data you have where. > > In this case, you will need to enable metadata in your imfile config, > this will > add the filename (and other information), but it doesn't do this by > changing the > message itself, it does this by creating file (under $!) > > so you will need to look at the debug output and then decide how you are > going > to format the output message so that it contains the data. > > do you want to add a field at the beginning of the message? (will the > things you > are sending it to know what to do? or will it confuse their parsers?) > > What I like to do is to send everything as a RFC3164 message, but with > the body > of the message being a JSON structure. I set $!msg to the contents of > $msg (if a > parser hasn't already done this for me), and I create a $!trusted branch > that I > can add various metadata to (not just filename, but what input, what > machine > sent it, what machine received it, what time each machine touched the > message, > etc) > > at the final destination, I have all that data available and can either > use it, > or create a template that just writes out a RFC3164 style message with > the > original message content.
Is there any reason why you prefer RFC3164 vs the later RFC5424 http://datatracker.ietf.org/doc/rfc5424 ? Thanks Dave _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
