Thanks, I'll have to look at that for a bit.

-----Original Message-----
From: rsyslog [mailto:[email protected]] On Behalf Of John 
Chivian via rsyslog
Sent: Wednesday, April 24, 2019 3:08 PM
To: [email protected]
Cc: John Chivian
Subject: Re: [rsyslog] [E] Re: Adding a parameter/property to an input

Something like this...

   if ($inputname contains ["-5145-in"]) then {
     set $.Zappname = "NAME1";
     set $.Zbu = "BU1";
     set $.Zappid = "APPID1";
   } else if ($inputname contains ["-5139-in"]) then {
     set $.Zappname = "NAME2";
     set $.Zbu = "BU2";
     set $.Zappid = "-";
   } else if ($inputname == "imfile") then {
     if ($!metadata!filename contains ["file1_"]) then {
       set $.Zappname = "NAME3";
       set $.Zbu = "BU3";
       set $.Zappid = "-";
     } else if ($!metadata!filename contains ["file2_"]) then {
       set $.Zappname = "NAME4";
       set $.Zbu = "BU4";
       set $.Zappid = "APPID4";
     } else {
       set $.Zappname = "-";
       set $.Zbu = "-";
       set $.Zappid = "-";
     }
   } else if ($inputname == "impstats") then {
     set $.Zappname = "rsyslog";
     set $.Zbu = "LOGGING";
     set $.Zappid = "-";
   } else {
     set $.Zappname = "-";
     set $.Zbu = "-";
     set $.Zappid = "-";
   }

Then you can test against the new variables later or use in templates.

And yes, getting consistently useful information out of pstats is always easier 
if all your actions each have a unique name.

Regards,



On 4/24/19 2:48 PM, Gorman, Kevin via rsyslog wrote:
> I'm trying to correlate on something currently not in the messages, or I'm 
> not seeing the tag, such as log filename.
>
> -----Original Message-----
> From: David Lang [mailto:[email protected]]
> Sent: Wednesday, April 24, 2019 1:37 PM
> To: Gorman, Kevin via rsyslog
> Cc: Gorman, Kevin
> Subject: [E] Re: [rsyslog] Adding a parameter/property to an input
>
> On Wed, 24 Apr 2019, Gorman, Kevin via rsyslog wrote:
>
>> An earlier mail had a suggestion to add a name to the *.* action. That looks 
>> easy enough since name is an action parameter.
> by the way, with 8.x you can leave out the *.*, you could just do
>
> call linux_forward
>
>> Unfortunately, my action is in a ruleset, so everything gets the same name. 
>> It would be useful to add some parameter to the inputs to ID them, or add a 
>> property to the messages in the inputs. I haven't found a way to do either 
>> but I have been studying the docs. This is on the old 8.24 version used on 
>> RHEL 7 and I can't change it.
>>
>> The idea is to have something to correlate messages with on the remote end, 
>> such as a custom message property.
> you set the tag on the messages as part of your imfile config.
>
> what type of things are you trying to correlate on? can you give some example 
> messages?
>
> one thing I like to do is to have my relays do message parsing and then pass 
> json in the body of the message ($! setting $!msg = $msg), and I reserve the 
> namespace 'trusted' for the relays to add metadata to the log message.
>
> on the receiving server, you can then parse the message body and retrieve all 
> the variables that were set, including the original msg body so you can 
> recreate the original message as/if needed.
>
> David Lang
>
>> module(load="imfile" mode="inotify")
>>
>> global (
>>   parser.dropTrailingLFOnReception="on"
>>   parser.escapeControlCharactersOnReceive="on"
>>   workDirectory="/var/lib/rsyslog"
>> )
>>
>> # VIPS
>> # CO 2001:4888:a05:3161:e0:9:0:100
>> # TX 2001:4888:a03:3161:c0:9:0:100
>> # SD 2001:4888:a00:3161:f0:9:0:100
>> # Vendor fd00:0:a05:3161:e0:9::100
>> # Dublin
>>
>> ruleset(
>>   name="linux_forward"
>>   queue.type="LinkedList"
>>   queue.filename="FwdRule0"
>>   queue.maxDiskSpace="1g"
>>   queue.saveOnShutdown="on"
>> ) {
>>   action(
>>     type="omfwd"
>>     name="all_logs"
>>     target="2001:4888:a00:3161:f0:9:0:100"    # logserver VIP
>>     protocol="tcp"
>>     port="5544"
>>     action.resumeRetryCount="-1"
>>   )
>> }
>>
>> *.* call linux_forward
>>
>> input(
>>   type="imfile"
>>   ruleset="linux_forward"
>>   tag="ansible"
>>   file="/var/log/ansible.log"
>>   escapeLF="on"
>> )
>>
>> input(
>>   type="imfile"
>>   ruleset="linux_forward"
>>   tag="audit"
>>   file="/var/log/audit.log"
>>   escapeLF="on"
>> )
>>
>> input(
>>   type="imfile"
>>   ruleset="linux_forward"
>>   tag="iptables"
>>   file="/var/log/iptables.log"
>>   escapeLF="on"
>> )
>>
>> input(
>>   type="imfile"
>>   ruleset="linux_forward"
>>   tag="firewalld"
>>   file="/var/log/firewalld"
>>   escapeLF="on"
>> )
>>
>>

_______________________________________________
rsyslog mailing list
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.adiscon.net_mailman_listinfo_rsyslog&d=DwIGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=stJ62L_yqJWGrxRl6wWPMpHwvVUmOyXDBgn3Xxfk-6U&m=Ljm5KtqwsGOyt-8A6LeYyzb0REAcbWg0XRZ8-0-jf_Y&s=QOdtGOM-VqYXcjjbR2yQctsG-UEaTeKJje0xdiXZM7A&e=
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_professional-2Dservices_&d=DwIGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=stJ62L_yqJWGrxRl6wWPMpHwvVUmOyXDBgn3Xxfk-6U&m=Ljm5KtqwsGOyt-8A6LeYyzb0REAcbWg0XRZ8-0-jf_Y&s=d5KjUkTfOP9aSJuu_EoF6IeG61q3dxU0KYbVG0CIHZg&e=
What's up with rsyslog? Follow 
https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_rgerhards&d=DwIGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=stJ62L_yqJWGrxRl6wWPMpHwvVUmOyXDBgn3Xxfk-6U&m=Ljm5KtqwsGOyt-8A6LeYyzb0REAcbWg0XRZ8-0-jf_Y&s=vR1jEtKwrOelxNYNlpQRZzMWuNQgUCxKgvd_-U-tr8o&e=
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
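
Added example, not part of the thread and not any participant's configuration: one way to apply the relay approach described above, where the sender puts the original body and its own metadata (under the reserved `trusted` namespace) into a JSON payload and the receiver parses it back out. The target host, the `from_relays` ruleset, the template names and the output paths are assumptions; `@cee:` is the cookie mmjsonparse looks for by default.

```rsyslog
# ---- sender (the host reading the files); added example ----
module(load="imfile" mode="inotify")

# Forward the whole $! tree as JSON behind the @cee: cookie.
template(name="relay_json" type="string"
  string="<%pri%>%timestamp:::date-rfc3339% %hostname% %syslogtag% @cee:%$!%\n")

ruleset(name="linux_forward") {
  set $!msg = $msg;                          # original body, kept verbatim
  set $!trusted!input = $inputname;          # "imfile" for file inputs
  set $!trusted!file = $!metadata!filename;  # populated by addMetadata="on"
  action(
    type="omfwd"
    name="all_logs"
    target="logserver.example.net"           # placeholder target (assumption)
    protocol="tcp"
    port="5544"
    template="relay_json"
    action.resumeRetryCount="-1"
  )
}

input(
  type="imfile"
  ruleset="linux_forward"
  tag="audit"
  file="/var/log/audit.log"
  addMetadata="on"
)

# ---- receiver (the log server); added example ----
module(load="imtcp")
module(load="mmjsonparse")

# Rebuild a line from the relay-supplied metadata and the original body.
template(name="with_source" type="string"
  string="%timegenerated:::date-rfc3339% %hostname% %$!trusted!file% %$!msg%\n")

ruleset(name="from_relays") {
  action(type="mmjsonparse")                 # fills $! from the JSON after @cee:
  if ($parsesuccess == "OK") then {
    action(type="omfile" file="/var/log/relayed.log" template="with_source")
  } else {
    # Keep lines that did not carry valid JSON apart from trusted ones.
    action(type="omfile" file="/var/log/relayed-unparsed.log")
  }
}

input(type="imtcp" port="5544" ruleset="from_relays")
```

The two halves belong in separate configuration files on separate hosts, and mmjsonparse has to be available on the receiver. Values under `$!trusted` are only as reliable as the sender that set them, so the receiver should accept this port only from the relays it controls.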