Re: [rsyslog] property replacer and regexps

2013-03-20 Thread Gary Foster
Yeah I already know how to set/unset etc (I'm doing that in other places).  
Fields won't work because the data I'm getting in is incredibly poorly 
structured, and pulling it out via a regex is the most tenable way of doing it.

Bear in mind I do subscribe to the philosophy "I've got a problem… I'll use a 
regex to solve it!  Oh great, now I've got TWO problems!" :) but in this case 
based upon the source data it's really the most maintainable approach.

I'm moving the data generators to using CEE to generate their events instead, 
but that's not a simple transition and in the interim I am looking for 
stopgaps.  The ability to set a var based upon a regexp extraction is really 
what I'm struggling with trying to figure out at this time.

-- Gary F.

On Mar 20, 2013, at 2:57 PM, Philippe Muller  wrote:

> The syntax is:
> set $!var = "foo";
> unset $!var;
> (don't forget the trailing ";")
> 
> I don't know how to set it from a regex, but if you simply want to split a
> string based on a delimiter, you can use the field() function.
> For example, you can get the second part of a string delimited by slashes
> ("/") :
> set $!var = field($somevar, 47, 2);
> 
> For more information about functions, see
> http://www.rsyslog.com/doc/rainerscript.html
> 
> 
> Philippe Muller
> 
> 
> On Wed, Mar 20, 2013 at 10:36 PM, David Lang  wrote:
> 
>> Version 7 has added the ability to set variables that you can use later,
>> earlier versions do not have that capability.
>> 
>> now, exactly _how_ to set it from a regex is something I would have to dig
>> further on.
>> 
>> David Lang
>> 
>> On Wed, 20 Mar 2013, Gary Foster wrote:
>> 
>> Date: Wed, 20 Mar 2013 14:30:17 -0700
>>> From: Gary Foster 
>>> Reply-To: rsyslog-users 
>>> To: rsyslog-users 
>>> Subject: [rsyslog] property replacer and regexps
>>> 
>>> 
>>> Let's say I want to set an arbitrary variable in my rsyslog.conf based
>>> upon a regexp match against the incoming message.  For example (warning,
>>> completely contrived examples incoming):
>>> 
>>> incoming message is "foo:bar=10:baz&blah:blah:blah"
>>> 
>>> I want to do something like:
>>> 
>>> set %!somevar = 
>>> 
>>> (why?  Well, I may want to use it in a generic template or other things?
>>> I don't want to create a specialized template for every possible match)
>>> 
>>> 
>>> Now I would normally turn to the property replacer and instead of the
>>> above I'd do something like this:
>>> 
>>> %msg:R,ERE,1,DFLT:=(.+):.+&--end%
>>> 
>>> Which works fine with real properties ($msg, $pri, etc) but not so great
>>> with user or extended properties like %!somevar as far as I can determine.
>>> 
>>> You'd think it would be simply something like:
>>> 
>>> %somevar:R,ERE,1,DFLT:=(.+):.+&--end%
>>> 
>>> but when I then try to access that variable later on in a template like
>>> this:
>>> 
>>> template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if
>>> $!somevar == "10" then)
>>> 
>>> It tells me it's an invalid property (plain old %$somevar% doesn't work
>>> either).
>>> 
>>> I tried various incarnations of:
>>> 
>>> set $!somevar = ;
>>> 
>>> as well, also with no success.
>>> 
>>> My question is, first *can* I do this (set an arbitrary user level
>>> variable to the contents of a regex match) or barring that is there another
>>> way I can do this?  For the record, I'm doing this for a LOT of different
>>> log entries and am checking the logs for what we call "beacons".  I do not
>>> necessarily want to write a slew of different templates based upon the
>>> values of these beacons (I do various different things with the output
>>> depending on the value of the beacon) so a purely template approach while
>>> possible, is not optimal for my situation.
>>> 
>>> Thanks!
>>> 
>>> -- Gary F.
>>> 
>>> ___
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.

Re: [rsyslog] property replacer and regexps

2013-03-20 Thread Philippe Muller
The syntax is:
set $!var = "foo";
unset $!var;
(don't forget the trailing ";")

I don't know how to set it from a regex, but if you simply want to split a
string based on a delimiter, you can use the field() function.
For example, you can get the second part of a string delimited by slashes
("/") :
set $!var = field($somevar, 47, 2);

For more information about functions, see
http://www.rsyslog.com/doc/rainerscript.html


Philippe Muller


On Wed, Mar 20, 2013 at 10:36 PM, David Lang  wrote:

> Version 7 has added the ability to set variables that you can use later,
> earlier versions do not have that capability.
>
> now, exactly _how_ to set it from a regex is something I would have to dig
> further on.
>
> David Lang
>
> On Wed, 20 Mar 2013, Gary Foster wrote:
>
>  Date: Wed, 20 Mar 2013 14:30:17 -0700
>> From: Gary Foster 
>> Reply-To: rsyslog-users 
>> To: rsyslog-users 
>> Subject: [rsyslog] property replacer and regexps
>>
>>
>> Let's say I want to set an arbitrary variable in my rsyslog.conf based
>> upon a regexp match against the incoming message.  For example (warning,
>> completely contrived examples incoming):
>>
>> incoming message is "foo:bar=10:baz&blah:blah:blah"
>>
>> I want to do something like:
>>
>> set %!somevar = 
>>
>> (why?  Well, I may want to use it in a generic template or other things?
>> I don't want to create a specialized template for every possible match)
>>
>>
>> Now I would normally turn to the property replacer and instead of the
>> above I'd do something like this:
>>
>> %msg:R,ERE,1,DFLT:=(.+):.+&--end%
>>
>> Which works fine with real properties ($msg, $pri, etc) but not so great
>> with user or extended properties like %!somevar as far as I can determine.
>>
>> You'd think it would be simply something like:
>>
>> %somevar:R,ERE,1,DFLT:=(.+):.+&--end%
>>
>> but when I then try to access that variable later on in a template like
>> this:
>>
>> template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if
>> $!somevar == "10" then)
>>
>> It tells me it's an invalid property (plain old %$somevar% doesn't work
>> either).
>>
>> I tried various incarnations of:
>>
>> set $!somevar = ;
>>
>> as well, also with no success.
>>
>> My question is, first *can* I do this (set an arbitrary user level
>> variable to the contents of a regex match) or barring that is there another
>> way I can do this?  For the record, I'm doing this for a LOT of different
>> log entries and am checking the logs for what we call "beacons".  I do not
>> necessarily want to write a slew of different templates based upon the
>> values of these beacons (I do various different things with the output
>> depending on the value of the beacon) so a purely template approach while
>> possible, is not optimal for my situation.
>>
>> Thanks!
>>
>> -- Gary F.
>>


Re: [rsyslog] property replacer and regexps

2013-03-20 Thread David Lang
Version 7 has added the ability to set variables that you can use later, earlier 
versions do not have that capability.


now, exactly _how_ to set it from a regex is something I would have to dig 
further on.


David Lang

On Wed, 20 Mar 2013, Gary Foster wrote:


Date: Wed, 20 Mar 2013 14:30:17 -0700
From: Gary Foster 
Reply-To: rsyslog-users 
To: rsyslog-users 
Subject: [rsyslog] property replacer and regexps

Let's say I want to set an arbitrary variable in my rsyslog.conf based upon a 
regexp match against the incoming message.  For example (warning, completely 
contrived examples incoming):

incoming message is "foo:bar=10:baz&blah:blah:blah"

I want to do something like:

set %!somevar = 

(why?  Well, I may want to use it in a generic template or other things? I 
don't want to create a specialized template for every possible match)

Now I would normally turn to the property replacer and instead of the above I'd 
do something like this:

%msg:R,ERE,1,DFLT:=(.+):.+&--end%

Which works fine with real properties ($msg, $pri, etc) but not so great with 
user or extended properties like %!somevar as far as I can determine.

You'd think it would be simply something like:

%somevar:R,ERE,1,DFLT:=(.+):.+&--end%

but when I then try to access that variable later on in a template like this:

template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if $!somevar == 
"10" then)

It tells me it's an invalid property (plain old %$somevar% doesn't work either).

I tried various incarnations of:

set $!somevar = ;

as well, also with no success.

My question is, first *can* I do this (set an arbitrary user level variable to the 
contents of a regex match) or barring that is there another way I can do this?  For the 
record, I'm doing this for a LOT of different log entries and am checking the logs for 
what we call "beacons".  I do not necessarily want to write a slew of different 
templates based upon the values of these beacons (I do various different things with the 
output depending on the value of the beacon) so a purely template approach while 
possible, is not optimal for my situation.

Thanks!

-- Gary F.



[rsyslog] property replacer and regexps

2013-03-20 Thread Gary Foster
Let's say I want to set an arbitrary variable in my rsyslog.conf based upon a 
regexp match against the incoming message.  For example (warning, completely 
contrived examples incoming):

incoming message is "foo:bar=10:baz&blah:blah:blah"

I want to do something like:

set %!somevar = 

(why?  Well, I may want to use it in a generic template or other things… I 
don't want to create a specialized template for every possible match)

Now I would normally turn to the property replacer and instead of the above I'd 
do something like this:

%msg:R,ERE,1,DFLT:=(.+):.+&--end%

Which works fine with real properties ($msg, $pri, etc) but not so great with 
user or extended properties like %!somevar as far as I can determine.

You'd think it would be simply something like:

%somevar:R,ERE,1,DFLT:=(.+):.+&--end%

but when I then try to access that variable later on in a template like this:

template tpl,"foo: %$!somevar%\n" or use it in a filtering action (if $!somevar 
== "10" then)

It tells me it's an invalid property (plain old %$somevar% doesn't work either).

I tried various incarnations of:

set $!somevar = ;

as well, also with no success.

My question is, first *can* I do this (set an arbitrary user level variable to 
the contents of a regex match) or barring that is there another way I can do 
this?  For the record, I'm doing this for a LOT of different log entries and am 
checking the logs for what we call "beacons".  I do not necessarily want to 
write a slew of different templates based upon the values of these beacons (I 
do various different things with the output depending on the value of the 
beacon) so a purely template approach while possible, is not optimal for my 
situation.

Thanks!

-- Gary F.
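
Added example, not part of the original post and not rsyslog project code: on rsyslog v7, the RainerScript function re_extract() can feed a regex submatch into set. The tightened pattern bar=([0-9]+), the template name "beacon" and the output file paths are assumptions built around the contrived sample message in the post.

```conf
# Constructed input, taken from the contrived sample in the post:
#   foo:bar=10:baz&blah:blah:blah
#
# re_extract(expr, re, match, submatch, no-found) applies a POSIX ERE.
#   match    0 = first match of the expression
#   submatch 1 = first parenthesised group
#   no-found   = value returned when nothing matches
# Capturing only digits keeps arbitrary sender-controlled text out of
# the variable and out of anything later built from it.
set $!somevar = re_extract($msg, "bar=([0-9]+)", 0, 1, "");

# One generic template for every beacon value (name is hypothetical).
template(name="beacon" type="string" string="foo: %$!somevar%\n")

# Route on the extracted value; file paths are hypothetical.
if $!somevar == "10" then {
    action(type="omfile" file="/var/log/beacon-10.log" template="beacon")
} else if $!somevar != "" then {
    action(type="omfile" file="/var/log/beacon-other.log" template="beacon")
}
# Messages without a beacon leave $!somevar empty and match neither branch.
```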



Re: [rsyslog] Max Message Size

2013-03-20 Thread David Lang

On Wed, 20 Mar 2013, Boylan, James wrote:

You need to set that at the top of your config to have that actually take 
effect. I ran into this same problem. For simplicity sake make it the first 
line of your config.


A more complete answer is that the config option only affects inputs after it in 
the config, so you could configure multiple inputs (on multiple ports) with 
different messages sizes if you wanted to by setting this to different values 
before the line that starts the listener.


This is the way everything in the rsyslog config works, and most cases of 'why 
didn't this config option have the effect I expected' boil down to this type of 
problem.


David Lang
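
Added example, not from the original posts or the rsyslog project: the ordering rule described above, shown as two alternative receiver configurations in the legacy directive syntax the thread uses. Port 514 is an assumption; the 4k limit is the value from the question.

```conf
# --- Variant A: ineffective ordering (one config file) --------------
# The listener is started before the limit is raised, so it keeps the
# 2k default and a 2694-byte message is truncated to 2048 bytes.
$ModLoad imtcp
# Port is an assumption.
$InputTCPServerRun 514
# Too late for the listener started above.
$MaxMessageSize 4k

# --- Variant B: corrected ordering (replaces Variant A) -------------
# Raise the limit on the first line of the file, as suggested in the
# thread, then load the module and start the listener.
$MaxMessageSize 4k
$ModLoad imtcp
# Port is an assumption.
$InputTCPServerRun 514
```

Truncation on the receiver silently drops the tail of a record, so after changing the limit send one long test message and confirm it arrives complete in the log file.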


Re: [rsyslog] Max Message Size

2013-03-20 Thread Boylan, James
You need to set that at the top of your config to have that actually take 
effect. I ran into this same problem. For simplicity sake make it the first 
line of your config.

-- James 


-Original Message-
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of Rodrian, Logan P (IS)
Sent: Wednesday, March 20, 2013 1:27 PM
To: rsyslog@lists.adiscon.com
Subject: [rsyslog] Max Message Size

Hello-

I am using rsyslog across machines to send logs.  I have the $MaxMessageSize 
global directive set on both machines to 4096 (4k).  Using wireshark between 
the machines, I can see that the message text I am trying to send (2694) is 
transmitted in its entirety.  However, the syslog log file on the receiving end 
indicated the 2694 message was too big and was truncated to 2048, the 2k 
default.  I believed that setting the directive as I did would affect the 
receiving size, but it appears not.  How can I modify the message receive max 
size for an imtcp module?


Logan Rodrian


[rsyslog] Max Message Size

2013-03-20 Thread Rodrian, Logan P (IS)
Hello-

I am using rsyslog across machines to send logs.  I have the $MaxMessageSize 
global directive set on both machines to 4096 (4k).  Using wireshark between 
the machines, I can see that the message text I am trying to send (2694) is 
transmitted in its entirety.  However, the syslog log file on the receiving end 
indicated the 2694 message was too big and was truncated to 2048, the 2k 
default.  I believed that setting the directive as I did would affect the 
receiving size, but it appears not.  How can I modify the message receive max 
size for an imtcp module?


Logan Rodrian


Re: [rsyslog] Feedback Request: merge patch? (especially BSD users, pls)

2013-03-20 Thread David Lang

On Wed, 20 Mar 2013, Rainer Gerhards wrote:


Hi folks,

I have a merge request[1] which I am a bit skeptical about. I have hoped the 
original poster would come up with a better solution, but this does not 
happen. The patch intends to change facility names on BSD platforms. The end 
result will be that rsyslog.conf from different platforms will no longer be 
compatible.


I tend to reject the patch for that reason (whoever uses rsyslog on BSD should 
probably update his config to the universal naming IMHO).


Does anybody here think it would still be the right thing to merge that patch?


There has always been the problem that auth and security have been two names for 
the same facility number.


I think it would be good to have either name match when doing tests, on any 
platform, because messages get forwarded from one platform to another and people 
think in terms of names not numbers.


If the only difference was what string shows up in templates, I would say to go 
ahead and have it as a config option ($bsdfacilitynames=true).


The problem is that doing this 'correctly' is a much more complicated patch, 
especially to allow


if $syslogfacility-text = 'auth' action

and

if $syslogfacility-text = 'security' action

to do the same thing

If it does not allow the above special casing, then things are much uglier, and 
at most it should be $BSDnotRFCfacilitynames=true to indicate that this is 
violating the RFC in favor of BSD historic actions.



By the way, I don't know what version they are dealing with, but what about the 
removal of the BSD block configs as options, are they aware of that change?


David Lang


Re: [rsyslog] libestr 0.1.5 released -- v7-devel Ubuntu Precise repo not signed

2013-03-20 Thread Nathan Stratton Treadway
On Wed, Mar 20, 2013 at 13:58:57 +, Andre Lorbach wrote:
> The Release.gpg should from now on be available, can you verify / test this? 

Looks good -- I see the Release.gpg file out there, and when I bring up
the package listing the packages from this repository are no longer
flagged as untrusted.

Thanks.

Nathan


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239


[rsyslog] Feedback Request: merge patch? (especially BSD users, pls)

2013-03-20 Thread Rainer Gerhards
Hi folks,

I have a merge request[1] which I am a bit skeptical about. I have hoped the 
original poster would come up with a better solution, but this does not happen. 
The patch intends to change facility names on BSD platforms. The end result 
will be that rsyslog.conf from different platforms will no longer be compatible.

I tend to reject the patch for that reason (whoever uses rsyslog on BSD should 
probably update his config to the universal naming IMHO).

Does anybody here think it would still be the right thing to merge that patch?

Thanks,
Rainer

[1] http://bugzilla.adiscon.com/show_bug.cgi?id=314


Re: [rsyslog] libestr 0.1.5 released -- v7-devel Ubuntu Precise repo not signed

2013-03-20 Thread Andre Lorbach
The Release.gpg should from now on be available, can you verify / test this? 

Best regards,
Andre Lorbach 

> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-
> boun...@lists.adiscon.com] On Behalf Of Nathan Stratton Treadway
> Sent: Wednesday, 20 March 2013 14:44
> To: rsyslog-users
> Subject: Re: [rsyslog] libestr 0.1.5 released -- v7-devel Ubuntu Precise repo
> not signed
> 
>  On Wed, Mar 20, 2013 at 10:14:43 +, Andre Lorbach wrote:
> > RPM and Ubuntu Packages for libestr have been updated as well.
> 
> Looks like the Ubuntu Precise repo is still missing the Release.gpg file
> (causing "untrusted source" warnings when I attempt to install packages
> from it)
> 
>   Nathan
> 
> 
> Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
> Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
>  GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID:
> 1023D/ECFB6239
>  Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239


Re: [rsyslog] libestr 0.1.5 released -- v7-devel Ubuntu Precise repo not signed

2013-03-20 Thread Nathan Stratton Treadway
 On Wed, Mar 20, 2013 at 10:14:43 +, Andre Lorbach wrote:
> RPM and Ubuntu Packages for libestr have been updated as well.

Looks like the Ubuntu Precise repo is still missing the Release.gpg file
(causing "untrusted source" warnings when I attempt to install packages
from it)

Nathan 


Nathan Stratton Treadway  -  natha...@ontko.com  -  Mid-Atlantic region
Ray Ontko & Co.  -  Software consulting services  -   http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt   ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C  0C32 15F3 ADCD ECFB 6239


Re: [rsyslog] MongoDB PHP Driver Extensions is not installed

2013-03-20 Thread Chris Roberts
Andre,

Thanks again for your help. It looks like I edited the php.ini under
/etc/php5/cli/php.ini instead of the one in the path you specified. I added
extension=mongo.so under the Dynamic Extensions section of the file, saved
it, then restarted apache2 and it works!


Chris

On Wed, Mar 20, 2013 at 6:04 AM, Andre Lorbach wrote:

> Perhaps you got the wrong php.ini? There is one for apache only usually
> located at /etc/php5/apache2/php.ini
>
> Best regards,
> Andre Lorbach
>
> > -Original Message-
> > From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-
> > boun...@lists.adiscon.com] On Behalf Of Chris Roberts
> > Sent: Tuesday, 19 March 2013 15:36
> > To: rsyslog@lists.adiscon.com
> > Subject: [rsyslog] MongoDB PHP Driver Extensions is not installed
> >
> > Hello,
> >
> > I have finished the configuration of my syslog server, but after going through
> > the loganalyzer setup, I receive the message:
> >
> > Error, MongoDB PHP Driver Extensions is not installed! Please see *website*
> >
> > I did perform (sudo pecl install mongo) and added extension=mongo.so
> > under the Dynamic Extensions in the file php.ini, but I'm still receiving the
> > message.
> >
> >
> > Is there a step that I'm missing?
> >
> >
> >
> > --
> > Chris Roberts
> > IT Professional
> > Budd Baer, Inc
> > 71 Murtland Ave
> > Washington, PA 15301
> > Phone: 724-222-0700 Ext: 6601
> > Fax: 724-914-6633
> > 
> >
> > This message and any attachments are intended only for the use of the
> > addressee and may contain information that is privileged and confidential. If
> > the reader of the message is not the intended recipient or an authorized
> > representative of the intended recipient, you are hereby notified that any
> > dissemination of this communication is strictly prohibited. If you have
> > received this communication in error, please notify us immediately by e-mail
> > and delete the message and any attachments from your system.
> >
> > Think before you print. Please consider the environment before printing this
> > e-mail



-- 
Chris Roberts
IT Professional
Budd Baer, Inc
71 Murtland Ave
Washington, PA 15301
Phone: 724-222-0700 Ext: 6601
Fax: 724-914-6633




Re: [rsyslog] How to get the app name (when it includes slashes) ?

2013-03-20 Thread Philippe Muller
On Wed, Mar 20, 2013 at 10:44 AM, Rainer Gerhards
wrote:

> On Tue, 2013-03-19 at 19:37 +0100, Philippe Muller wrote:
> > Hi,
> >
> > I try to get coherent names for programs that send messages to rsyslog.
> > For most messages, $app-name or $programname do the job (I get $syslogtag
> > without the trailing "[pid]:").
> >
> > However, $app-name/$programname does not play well with some system
> > defaults.
> > For example, on RHEL6 servers, the cron "run-parts" script use parenthesis
> > and slashes in the tag.
> >
> > Using RSYSLOG_DebugFormat, here is what we get :
> > Debug line with all properties:
> > FROMHOST: 'client1', fromhost-ip: '42.0.0.1', HOSTNAME: 'client1', PRI: 77,
> > syslogtag 'run-parts(/etc/cron.hourly)[22434]:', programname: 'run-parts(',
> > APP-NAME: 'run-parts(', PROCID: '22434', MSGID: '-',
> > TIMESTAMP: 'Mar 19 17:01:01', STRUCTURED-DATA: '-',
> > msg: ' starting 0anacron'
> > escaped msg: ' starting 0anacron'
> > inputname: imuxsock rawmsg: '<77>Mar 19 17:01:01
> > run-parts(/etc/cron.hourly)[22434]: starting 0anacron'
> >
> > While both parenthesis and slashes are "forbidden" by RFC3164, one is
> > accepted and the other isn't.
> > Is there a motivation to allow one and not the other ?
> I just provided a longer answer to a similar question yesterday, you may
> want to check the archives. But the short answer is: heuristics based on
> what usually works in practice.
>

I read the thread. I'll try to read the code to get a better understanding
of the implementation.


> >
> > Here is my current workaround :
> > if $app-name == "run-parts(" then {
> > set $!app = field($syslogtag, 91, 1); # 91 = "["
> > } else {
> > set $!app = $app-name;
> > }
> >
> > It works, but it's ugly and I doubt it's performance-wise. ;-)
> >
> You could use field extraction directly inside the template. IMHO that
> should do the trick (but I did not try it out).
>
> Another option would probably be to add an rsyslog option to enable
> slashes inside program name (but I am not bold enough to simply add it
> without a config option, and make it "off" by default). I'll see if I
> can do this quickly as a side-activity.
>

Thanks. But there is no urgency for me. As I'll parse messages at the
source rather than at the collector, I don't worry about the performance impact.
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


Re: [rsyslog] libestr 0.1.5 released

2013-03-20 Thread Andre Lorbach
RPM and Ubuntu Packages for libestr have been updated as well.

Best regards,
Andre Lorbach

> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-
> boun...@lists.adiscon.com] On Behalf Of Florian Riedl
> Sent: Tuesday, 19 March 2013 17:26
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] libestr 0.1.5 released
> 
> Hi all,
> 
> we have just released a new version of libestr. The changes inherit a critical
> bugfix that also affects rsyslog. Please find more details on this issue on the
> bugtracker: http://bugzilla.adiscon.com/show_bug.cgi?id=424
> 
> Download: http://libestr.adiscon.com/download/libestr-0-1-5-2/
> 
> Best regards,
> 
> Florian Riedl


Re: [rsyslog] MongoDB PHP Driver Extensions is not installed

2013-03-20 Thread Andre Lorbach
Perhaps you got the wrong php.ini? There is one for apache only usually located 
at /etc/php5/apache2/php.ini

Best regards,
Andre Lorbach

> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-
> boun...@lists.adiscon.com] On Behalf Of Chris Roberts
> Sent: Tuesday, 19 March 2013 15:36
> To: rsyslog@lists.adiscon.com
> Subject: [rsyslog] MongoDB PHP Driver Extensions is not installed
> 
> Hello,
> 
> I have finished the configuration of my syslog server, but after going through
> the loganalyzer setup, I receive the message:
> 
> Error, MongoDB PHP Driver Extensions is not installed! Please see *website*
> 
> I did perform (sudo pecl install mongo) and added extension=mongo.so
> under the Dynamic Extensions in the file php.ini, but I'm still receiving the
> message.
> 
> 
> Is there a step that I'm missing?
> 
> 
> 
> --
> Chris Roberts
> IT Professional
> Budd Baer, Inc
> 71 Murtland Ave
> Washington, PA 15301
> Phone: 724-222-0700 Ext: 6601
> Fax: 724-914-6633
> 
> 
> This message and any attachments are intended only for the use of the
> addressee and may contain information that is privileged and confidential. If
> the reader of the message is not the intended recipient or an authorized
> representative of the intended recipient, you are hereby notified that any
> dissemination of this communication is strictly prohibited. If you have
> received this communication in error, please notify us immediately by e-mail
> and delete the message and any attachments from your system.
> 
> Think before you print. Please consider the environment before printing this
> e-mail


Re: [rsyslog] How to get the app name (when it includes slashes) ?

2013-03-20 Thread Rainer Gerhards
On Tue, 2013-03-19 at 19:37 +0100, Philippe Muller wrote:
> Hi,
> 
> I try to get coherent names for programs that send messages to rsyslog.
> For most messages, $app-name or $programname do the job (I get $syslogtag
> without the trailing "[pid]:").
> 
> However, $app-name/$programname does not play well with some system
> defaults.
> For example, on RHEL6 servers, the cron "run-parts" script uses parentheses
> and slashes in the tag.
> 
> Using RSYSLOG_DebugFormat, here is what we get :
> Debug line with all properties:
> FROMHOST: 'client1', fromhost-ip: '42.0.0.1', HOSTNAME: 'client1', PRI: 77,
> syslogtag 'run-parts(/etc/cron.hourly)[22434]:', programname: 'run-parts(',
> APP-NAME: 'run-parts(', PROCID: '22434', MSGID: '-',
> TIMESTAMP: 'Mar 19 17:01:01', STRUCTURED-DATA: '-',
> msg: ' starting 0anacron'
> escaped msg: ' starting 0anacron'
> inputname: imuxsock rawmsg: '<77>Mar 19 17:01:01
> run-parts(/etc/cron.hourly)[22434]: starting 0anacron'
> 
> While both parentheses and slashes are "forbidden" by RFC3164, one is
> accepted and the other isn't.
> Is there a motivation to allow one and not the other ?
I just provided a longer answer to a similar question yesterday, you may
want to check the archives. But the short answer is: heuristics based on
what usually works in practice.

> 
> Here is my current workaround :
> if $app-name == "run-parts(" then {
>     set $!app = field($syslogtag, 91, 1); # 91 = "["
> } else {
>     set $!app = $app-name;
> }
> 
> It works, but it's ugly and I doubt it's performance-wise. ;-)
> 
You could use field extraction directly inside the template. IMHO that
should do the trick (but I did not try it out).

Another option would probably be to add an rsyslog option to enable
slashes inside program name (but I am not bold enough to simply add it
without a config option, and make it "off" by default). I'll see if I
can do this quickly as a side-activity.

Rainer
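
The tag handling discussed in this thread, as an added Python example that is not part of the original posts and is not rsyslog's own code: it parses the raw message from the debug output above, reproduces the truncated program name, and applies the split-at-"[" workaround. The stop-character set is an assumption inferred from that debug output, and the function names are hypothetical.

```python
import re

# Characters that end the program name in the heuristic modelled here.
# Assumption inferred from the debug output in the thread ("(" is kept,
# "/" is not); this is not taken from rsyslog's source.
_STOP = set(":[/ ")

# <PRI>Mmm dd hh:mm:ss TAG: MSG  (local socket format, no hostname field)
_RAW = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+:)(.*)$")

# Raw message exactly as shown in the thread's debug output.
SAMPLE = "<77>Mar 19 17:01:01 run-parts(/etc/cron.hourly)[22434]: starting 0anacron"


def heuristic_programname(tag):
    """Mimic the truncation seen in the thread: stop at the first stop char."""
    out = []
    for ch in tag:
        if ch in _STOP or not ch.isprintable():
            break
        out.append(ch)
    return "".join(out)


def app_from_tag(tag):
    """Workaround from the thread: keep everything before the first "["
    (ASCII 91). A tag without a pid only loses its trailing ":"."""
    return tag.split("[", 1)[0].rstrip(":")


def parse_raw(line):
    """Split a raw line into PRI parts, tag, both name variants, pid, msg."""
    m = _RAW.match(line)
    if m is None:
        return None
    pri, tag = int(m.group(1)), m.group(3)
    pid = re.search(r"\[(\d+)\]:?$", tag)
    return {
        "facility": pri >> 3,          # 77 -> 9 (cron)
        "severity": pri & 7,           # 77 -> 5 (notice)
        "tag": tag,
        "programname": heuristic_programname(tag),
        "app": app_from_tag(tag),
        "pid": pid.group(1) if pid else None,
        "msg": m.group(4),
    }


if __name__ == "__main__":
    print(parse_raw(SAMPLE))
```

The tag is supplied by the sender, so a name recovered this way can contain slashes; sanitize it before using it to build file names on the collector.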


Re: [rsyslog] rsyslog 7.3.8 (v7-devel) released

2013-03-20 Thread Rainer Gerhards
> -Original Message-
> From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-
> boun...@lists.adiscon.com] On Behalf Of Michael Biebl
> Sent: Tuesday, March 19, 2013 5:32 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog 7.3.8 (v7-devel) released
> 
> 2013/3/19 Rainer Gerhards :
> > should be fixed by this:
> > http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=aef0be0c1799fbb20955fc1dc014cb9c9772af88
> 
> Still fails:
> https://buildd.debian.org/status/package.php?p=rsyslog&suite=experimental

Seems I overlooked one place. This hopefully finally fixes it:

http://git.adiscon.com/?p=rsyslog.git;a=commitdiff;h=7784b65d8709fba647a7beeb934c18b7cb8cb6f1

Rainer