Adam Cecile wrote:
You got it ! It does not like rules setting, switching to external file
with rulebase works... Probably a too old version.
probably
It also does not seems to be able to set path, to nest new properties,
but this is not really important.
that is not something that is currently supported, it's been a wish-list item of
mine for years, but I haven't attempted coding it and haven't had the money to
sponsor a fix (my suggestion is a fixup message modification module that goes
through and fixes variable naming issues, if it has an embedded ! in it, make it
nested, fix capitalization, deal with duplicates, etc)
David Lang
Thanks a lot for your help !
Btw, do you have any suggestion about how to re-compose date-time object
from the individual fields, I'd like to hear from you
On 5/22/24 00:38, David Lang wrote:
if you do rsyslogd -N1 does it complain about anything?
David Lang
On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:
Date: Wed, 22 May 2024 00:32:25 +0200
From: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
To: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
Cc: Adam Cecile <acec...@letz-it.lu>
Subject: Re: [rsyslog] Unable to re-use variable generated by
mmnormalize
Message if being parsed to JSON object with all fields I have in rule
(e.g: year or dsd-message)... So I guess parsing works, it is just
not run by my configuration file
On May 22, 2024 12:30:19 AM GMT+02:00, David Lang <da...@lang.hm> wrote:
if you post that exact text into your liblognorm test, what do you get?
David Lang
On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:
Date: Wed, 22 May 2024 00:24:08 +0200
From: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
To: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
Cc: Adam Cecile <acec...@letz-it.lu>
Subject: Re: [rsyslog] Unable to re-use variable generated by
mmnormalize
No ;-)
Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'gz-tuma', PRI: 133,
syslogtag 'trace.log', programname: 'trace.log', APP-NAME:
'trace.log', PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 21 23:56:46', STRUCTURED-DATA: '-',
msg: '[21/05/2024 23:56:37] [pcc->cct] 00100t7cc'
escaped msg: '[21/05/2024 23:56:37] [pcc->cct] 00100t7cc'
inputname: imfile rawmsg: '[21/05/2024 23:56:37] [pcc->cct] 00100t7cc'
$!:{ "metadata": { "filename": "<redacted>", "fileoffset":
"3396674" } }
$.:{ "pcc": "t7" }
$/:
On 5/22/24 00:20, David Lang wrote:
if you look at the msg field in the RSYSLOG_DebugFormat output,
you will see that it does have a leading space. your pattern doesn't
David Lang
On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:
Date: Tue, 21 May 2024 23:58:23 +0200
From: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
To: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
Cc: Adam Cecile <acec...@letz-it.lu>
Subject: Re: [rsyslog] Unable to re-use variable generated by
mmnormalize
Just tried, no leading space, message is correct however the log
does not contains any trace indicating mmnormalize has tried to
do something.
I guess it is just NOT active for some reason...
On 5/21/24 23:50, David Lang wrote:
log the message with RSYSLOG_DebugFormat so that you can see the
variables that exist.
my guess is that your rule needs a leading space, because the
msg field you are parsing starts with a space (a very common
problem when you are starting to use mmnormalize)
David Lang
On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:
Date: Tue, 21 May 2024 23:37:14 +0200
From: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Adam Cecile <acec...@letz-it.lu>
Subject: [rsyslog] Unable to re-use variable generated by
mmnormalize
Hello,
I'm struggling to understand how to use mmnormalize module. My
configuration snippet is the following:
template(name="recordRfc3164FileOutput" type="list") {
property(name="timestamp" dateFormat="rfc3164")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="$.pcc")
constant(value="@")
property(name="syslogtag")
constant(value=":")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
ruleset(
name="extractPccNameFromRecordLog"
)
{
set
$.pcc=re_extract($!metadata!filename,"/record_([a-z0-9]{2})/",0,1,"UNMATCHED_PCC");
action(
type="mmnormalize"
rule=["rule=:[%day:number%/%month:number%/%year:number%
%hour:number%:%minutes:number%:%seconds:number%]
[%dsd-src:string-to:->%->%dsd-dst:char-to:]%] %dsd-message:rest%"]
useRawMsg="off"
)
action(
type="omfile"
dirCreateMode="0755"
FileCreateMode="0644"
File="/var/log/record.log"
template="recordRfc3164FileOutput"
)
}
input(
type="imfile"
file="/path/to/record_*/*.log"
tag="trace.log"
addmetadata="on"
ruleset="extractPccNameFromRecordLog"
)
Extraction of pattern from imfile filepath is working fine,
mmnormalize rule is working fine too, according to my test
using "lognormalizer" command line tool to test it.
So I guessed, I could be able to replace property(name="msg")
with property(name="$.dsd-message") or
property(name="$!dsd-message") but all I get is an empty string.
Is there something I missed ?
Thanks in advance,
Regards, Adam.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by
a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO
NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
