Something like this...
# Classify by input name first; imfile messages are further split by source file name.
if ($inputname contains ["-5145-in"]) then {
    set $.Zappname = "NAME1";
    set $.Zbu = "BU1";
    set $.Zappid = "APPID1";
} else if ($inputname contains ["-5139-in"]) then {
    set $.Zappname = "NAME2";
    set $.Zbu = "BU2";
    set $.Zappid = "-";
} else if ($inputname == "imfile") then {
    # $!metadata!filename is the file the line was read from
    if ($!metadata!filename contains ["file1_"]) then {
        set $.Zappname = "NAME3";
        set $.Zbu = "BU3";
        set $.Zappid = "-";
    } else if ($!metadata!filename contains ["file2_"]) then {
        set $.Zappname = "NAME4";
        set $.Zbu = "BU4";
        set $.Zappid = "APPID4";
    } else {
        set $.Zappname = "-";
        set $.Zbu = "-";
        set $.Zappid = "-";
    }
} else if ($inputname == "impstats") then {
    set $.Zappname = "rsyslog";
    set $.Zbu = "LOGGING";
    set $.Zappid = "-";
} else {
    # Anything unrecognised gets "-" placeholders
    set $.Zappname = "-";
    set $.Zbu = "-";
    set $.Zappid = "-";
}
Then you can test against the new variables later or use in templates.
And yes, getting consistently useful information out of pstats is always
easier if all your actions each have a unique name.
Regards,
On 4/24/19 2:48 PM, Gorman, Kevin via rsyslog wrote:
I'm trying to correlate on something currently not in the messages, or I'm not
seeing the tag, such as log filename.
-----Original Message-----
From: David Lang
Sent: Wednesday, April 24, 2019 1:37 PM
To: Gorman, Kevin via rsyslog
Cc: Gorman, Kevin
Subject: [E] Re: [rsyslog] Adding a parameter/property to an input
On Wed, 24 Apr 2019, Gorman, Kevin via rsyslog wrote:
An earlier mail had a suggestion to add a name to the *.* action. That looks
easy enough since name is an action parameter.
by the way, with 8.x you can leave out the *.*, you could just do
call linux_forward
Unfortunately, my action is in a ruleset, so everything gets the same name. It
would be useful to add some parameter to the inputs to ID them, or add a
property to the messages in the inputs. I haven't found a way to do either but
I have been studying the docs. This is on the old 8.24 version used on RHEL 7
and I can't change it.
The idea is to have something to correlate messages with on the remote end,
such as a custom message property.
you set the tag on the messages as part of your imfile config.
what type of things are you trying to correlate on? can you give some example
messages?
one thing I like to do is to have my relays do message parsing and then pass
json in the body of the message ($! setting $!msg = $msg), and I reserve the
namespace 'trusted' for the relays to add metadata to the log message.
on the receiving server, you can then parse the message body and retrieve all
the variables that were set, including the original msg body so you can
recreate the original message as/if needed.
David Lang
module(load="imfile" mode="inotify")

global (
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
    workDirectory="/var/lib/rsyslog"
)

# VIPS
# CO 2001:4888:a05:3161:e0:9:0:100
# TX 2001:4888:a03:3161:c0:9:0:100
# SD 2001:4888:a00:3161:f0:9:0:100
# Vendor fd00:0:a05:3161:e0:9::100
# Dublin

ruleset(
    name="linux_forward"
    queue.type="LinkedList"
    queue.filename="FwdRule0"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
) {
    action(
        type="omfwd"
        name="all_logs"
        target="2001:4888:a00:3161:f0:9:0:100" # logserver VIP
        protocol="tcp"
        port="5544"
        action.resumeRetryCount="-1"
    )
}

*.* call linux_forward

input(
    type="imfile"
    ruleset="linux_forward"
    tag="ansible"
    file="/var/log/ansible.log"
    escapeLF="on"
)

input(
    type="imfile"
    ruleset="linux_forward"
    tag="audit"
    file="/var/log/audit.log"
    escapeLF="on"
)

input(
    type="imfile"
    ruleset="linux_forward"
    tag="iptables"
    file="/var/log/iptables.log"
    escapeLF="on"
)

input(
    type="imfile"
    ruleset="linux_forward"
    tag="firewalld"
    file="/var/log/firewalld"
    escapeLF="on"
)
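
The relay approach described in the thread (JSON in the message body, a 'trusted' namespace for relay-added metadata, parsing on the receiving server), sketched for both ends as an added example that is not configuration posted by anyone on the list. The ruleset, template and action names, the output paths and the target host name are assumptions; the sender relies on imfile's addMetadata="on" to populate $!metadata!filename.

```rsyslog
# --- sender (host running imfile) ---
module(load="imfile" mode="inotify")

# Syslog header, then the whole $! tree as JSON behind the @cee: cookie.
template(name="cee_fwd" type="list") {
    constant(value="<") property(name="pri") constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ") property(name="hostname")
    constant(value=" ") property(name="syslogtag")
    constant(value=" @cee:")
    property(name="$!")
    constant(value="\n")
}

ruleset(name="json_forward") {
    set $!msg = $msg;                               # keep the original body
    set $!trusted!inputname = $inputname;           # which input produced it
    set $!trusted!filename = $!metadata!filename;   # needs addMetadata="on"
    action(type="omfwd" name="json_fwd" template="cee_fwd"
           target="logserver.example.net"           # placeholder target
           protocol="tcp" port="5544")
}

input(type="imfile" file="/var/log/ansible.log" tag="ansible"
      addMetadata="on" ruleset="json_forward")

# --- receiver (central log server) ---
module(load="imtcp")
module(load="mmjsonparse")

# Rebuild a line from the forwarded variables, including the source file name.
template(name="with_source" type="string"
         string="%timestamp% %hostname% %$!trusted!filename% %$!msg%\n")

ruleset(name="from_relays") {
    action(type="mmjsonparse")                      # loads the @cee: JSON into $!
    if $parsesuccess == "OK" then {
        action(type="omfile" file="/var/log/remote/all.log" template="with_source")
    } else {
        # Not relay JSON: keep it apart so it is never read as relay metadata.
        action(type="omfile" file="/var/log/remote/unparsed.log")
    }
}

input(type="imtcp" port="5544" ruleset="from_relays")
```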