[rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread mostolog--- via rsyslog 

Hi

We have found several issues with our relp-file-elastic relay config. 
Hope you can help us.


   template(name="json" type="string" string="%$!data%\n")

   ruleset(name="to-index"){
set $!data=$msg;
set $!data!dummy_host=$hostname;
set $!data!foo="foo";
action(type="omfile" template="json"...)
   }

Doesn't seem to add myhost/foo to file:

   { "app": "app1", "file": "\/logs\/apps\/app.log", "group":
   "mygroup", "msg": "redacted" }

Also adding "set $!data!myhost=$myhostname;" to the config above, shows 
the following error message:


   ...
   Shifting token VAR ()
   Entering state 42
   Reducing stack by rule 69 (line 222):
   $1 = token VAR ()
   4886.851403365:main thread: PROP_INVALID for name 'myhostname'
   4886.851406264:main thread: Called LogMsg, msg: error during
   parsing file /etc/rsyslog.conf, on or before line 33: invalid
   property 'myhostname'
   4886.851435156:main thread: rsyslog/glbl: using '127.0.0.1' as
   localhost IP
   rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
   line 33: invalid property 'myhostname' [v8.23.0 try
   http://www.rsyslog.com/e/2207 ]
   -> $$ = nterm expr ()
   ...

Regards

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread Pascal Withopf 
Hi,

the error message shows that the error is around line 33.

Could you send me the lines 30-35 of the rsyslog.conf file please.

Regards

2016-12-14 10:02 GMT+01:00 mostolog--- via rsyslog <
rsyslog@lists.adiscon.com>:

> Hi
>
> We have found several issues with our relp-file-elastic relay config. Hope
> you can help us.
>
>template(name="json" type="string" string="%$!data%\n")
>
>ruleset(name="to-index"){
> set $!data=$msg;
> set $!data!dummy_host=$hostname;
> set $!data!foo="foo";
> action(type="omfile" template="json"...)
>}
>
> Doesn't seem to add myhost/foo to file:
>
>{ "app": "app1", "file": "\/logs\/apps\/app.log", "group":
>"mygroup", "msg": "redacted" }
>
> Also adding "set $!data!myhost=$myhostname;" to the config above, shows
> the following error message:
>
>...
>Shifting token VAR ()
>Entering state 42
>Reducing stack by rule 69 (line 222):
>$1 = token VAR ()
>4886.851403365:main thread: PROP_INVALID for name 'myhostname'
>4886.851406264:main thread: Called LogMsg, msg: error during
>parsing file /etc/rsyslog.conf, on or before line 33: invalid
>property 'myhostname'
>4886.851435156:main thread: rsyslog/glbl: using '127.0.0.1' as
>localhost IP
>rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>line 33: invalid property 'myhostname' [v8.23.0 try
>http://www.rsyslog.com/e/2207 ]
>-> $$ = nterm expr ()
>...
>
> Regards
>
> ___
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread mostolog--- via rsyslog 

line 33: set $!data!myhost=$myhostname;


El 14/12/16 a las 10:33, Pascal Withopf escribió:

Hi,

the error message shows that the error is around line 33.

Could you send me the lines 30-35 of the rsyslog.conf file please.

Regards

2016-12-14 10:02 GMT+01:00 mostolog--- via rsyslog <
rsyslog@lists.adiscon.com>:


Hi

We have found several issues with our relp-file-elastic relay config. Hope
you can help us.

template(name="json" type="string" string="%$!data%\n")

ruleset(name="to-index"){
 set $!data=$msg;
 set $!data!dummy_host=$hostname;
 set $!data!foo="foo";
 action(type="omfile" template="json"...)
}

Doesn't seem to add myhost/foo to file:

{ "app": "app1", "file": "\/logs\/apps\/app.log", "group":
"mygroup", "msg": "redacted" }

Also adding "set $!data!myhost=$myhostname;" to the config above, shows
the following error message:

...
Shifting token VAR ()
Entering state 42
Reducing stack by rule 69 (line 222):
$1 = token VAR ()
4886.851403365:main thread: PROP_INVALID for name 'myhostname'
4886.851406264:main thread: Called LogMsg, msg: error during
parsing file /etc/rsyslog.conf, on or before line 33: invalid
property 'myhostname'
4886.851435156:main thread: rsyslog/glbl: using '127.0.0.1' as
localhost IP
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
line 33: invalid property 'myhostname' [v8.23.0 try
http://www.rsyslog.com/e/2207 ]
-> $$ = nterm expr ()
...

Regards

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

[rsyslog] global queue configuration?

2016-12-14 Thread mostolog--- via rsyslog 

Hi

Queue documentation improvements are on my TODO list for next year. 
Until then, we'll have to ask here in order to properly know how they work.


Would a configuration like:

   global(
queue.filename="rsyslog.qi"
queue.maxdiskspace="1G"
queue.SaveOnShutdown="on"
queue.type="Disk"
   )

make any input, action, ruleset...everything to be disk-supported so 
100% reliable? (0 messages lost, although slow)


Regards

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] liblognorm vs grok

2016-12-14 Thread mostolog--- via rsyslog 

El 07/12/16 a las 21:00, Rainer Gerhards escribió:



I'm getting /invalid field type 'alternative'/ when using it. Any ideas?

   rule=test:%[
   {"type":"alternative","parser":[
   {"type":"literal","text":"-"},
   {"type":"word","name":"identd"}
]}
   ]%

no idea
Did you Set Version=2 in the First line?

Yes.

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread Pascal Withopf 
the line on its own can't function because you first need to declare and
set myhostname as a variable.
Could you give me the whole rsyslog.conf file, so I can see the context

2016-12-14 10:34 GMT+01:00 mostolog--- via rsyslog <
rsyslog@lists.adiscon.com>:

> line 33: set $!data!myhost=$myhostname;
>
>
> El 14/12/16 a las 10:33, Pascal Withopf escribió:
>
> Hi,
>>
>> the error message shows that the error is around line 33.
>>
>> Could you send me the lines 30-35 of the rsyslog.conf file please.
>>
>> Regards
>>
>> 2016-12-14 10:02 GMT+01:00 mostolog--- via rsyslog <
>> rsyslog@lists.adiscon.com>:
>>
>> Hi
>>>
>>> We have found several issues with our relp-file-elastic relay config.
>>> Hope
>>> you can help us.
>>>
>>> template(name="json" type="string" string="%$!data%\n")
>>>
>>> ruleset(name="to-index"){
>>>  set $!data=$msg;
>>>  set $!data!dummy_host=$hostname;
>>>  set $!data!foo="foo";
>>>  action(type="omfile" template="json"...)
>>> }
>>>
>>> Doesn't seem to add myhost/foo to file:
>>>
>>> { "app": "app1", "file": "\/logs\/apps\/app.log", "group":
>>> "mygroup", "msg": "redacted" }
>>>
>>> Also adding "set $!data!myhost=$myhostname;" to the config above, shows
>>> the following error message:
>>>
>>> ...
>>> Shifting token VAR ()
>>> Entering state 42
>>> Reducing stack by rule 69 (line 222):
>>> $1 = token VAR ()
>>> 4886.851403365:main thread: PROP_INVALID for name 'myhostname'
>>> 4886.851406264:main thread: Called LogMsg, msg: error during
>>> parsing file /etc/rsyslog.conf, on or before line 33: invalid
>>> property 'myhostname'
>>> 4886.851435156:main thread: rsyslog/glbl: using '127.0.0.1' as
>>> localhost IP
>>> rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
>>> line 33: invalid property 'myhostname' [v8.23.0 try
>>> http://www.rsyslog.com/e/2207 ]
>>> -> $$ = nterm expr ()
>>> ...
>>>
>>> Regards
>>>
>>> ___
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>>
>>> ___
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>
>
> ___
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] global queue configuration?

2016-12-14 Thread Pascal Withopf 
Hi,

the parameters you listed are all viable.

But listing them in global() would have no effect. You need to specify them
in an action(), ruleset() or main-queue() so they are used there.

Disk queues always use the disk and do not buffer anything in memory, which
means they are ultra-reliable, but slow.
For the best result you should put the queue in front of a reliable
transport action such as relp.

Regards

2016-12-14 10:42 GMT+01:00 mostolog--- via rsyslog <
rsyslog@lists.adiscon.com>:

> Hi
>
> Queue documentation improvements are on my TODO list for next year. Until
> then, we'll have to ask here in order to properly know how they work.
>
> Would a configuration like:
>
>global(
> queue.filename="rsyslog.qi"
> queue.maxdiskspace="1G"
> queue.SaveOnShutdown="on"
> queue.type="Disk"
>)
>
> make any input, action, ruleset...everything to be disk-supported so 100%
> reliable? (0 messages lost, although slow)
>
> Regards
>
> ___
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread mostolog--- via rsyslog 

I was trying to use myhostname system variable.

http://www.rsyslog.com/doc/master/configuration/properties.html#system-properties

Although I guess if no parser matched, perhaps that field is not set.

Once I'm done reviewing "overview.rst" comments, I'll try to paste the 
config ;)



El 14/12/16 a las 10:53, Pascal Withopf escribió:

the line on its own can't function because you first need to declare and
set myhostname as a variable.
Could you give me the whole rsyslog.conf file, so I can see the context

2016-12-14 10:34 GMT+01:00 mostolog--- via rsyslog <
rsyslog@lists.adiscon.com>:


line 33: set $!data!myhost=$myhostname;


El 14/12/16 a las 10:33, Pascal Withopf escribió:

Hi,

the error message shows that the error is around line 33.

Could you send me the lines 30-35 of the rsyslog.conf file please.

Regards

2016-12-14 10:02 GMT+01:00 mostolog--- via rsyslog <
rsyslog@lists.adiscon.com>:

Hi

We have found several issues with our relp-file-elastic relay config.
Hope
you can help us.

 template(name="json" type="string" string="%$!data%\n")

 ruleset(name="to-index"){
  set $!data=$msg;
  set $!data!dummy_host=$hostname;
  set $!data!foo="foo";
  action(type="omfile" template="json"...)
 }

Doesn't seem to add myhost/foo to file:

 { "app": "app1", "file": "\/logs\/apps\/app.log", "group":
 "mygroup", "msg": "redacted" }

Also adding "set $!data!myhost=$myhostname;" to the config above, shows
the following error message:

 ...
 Shifting token VAR ()
 Entering state 42
 Reducing stack by rule 69 (line 222):
 $1 = token VAR ()
 4886.851403365:main thread: PROP_INVALID for name 'myhostname'
 4886.851406264:main thread: Called LogMsg, msg: error during
 parsing file /etc/rsyslog.conf, on or before line 33: invalid
 property 'myhostname'
 4886.851435156:main thread: rsyslog/glbl: using '127.0.0.1' as
 localhost IP
 rsyslogd: error during parsing file /etc/rsyslog.conf, on or before
 line 33: invalid property 'myhostname' [v8.23.0 try
 http://www.rsyslog.com/e/2207 ]
 -> $$ = nterm expr ()
 ...

Regards

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.

___

rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] global queue configuration?

2016-12-14 Thread mostolog--- via rsyslog 



the parameters you listed are all viable.

But listing them in global() would have no effect. You need to specify them
in an action(), ruleset() or main-queue() so they are used there.

Disk queues always use the disk and do not buffer anything in memory, which
means they are ultra-reliable, but slow.
For the best result you should put the queue in front of a reliable
transport action such as relp.

we are using RELP.
according to some comments in 
https://github.com/rsyslog/rsyslog-doc/pull/281, seems rulesets should 
have a queue to avoid "creating a temporary queue"


as we are looking for 0% loss...

1. imrelp -> ruleset+main_queue(disk) is there any chance a message
   being lost between RELP reception and queueing?
2. ruleset+main_queue(disk) -> mmjsonparse -> mmnormalize -> omfile is
   there any chance a message being lost anywhere?
3. imfile -> omelasticsearch is there any change a message being lost?

PS: using RELP, when there are connection issues we noticed some 
problems, bottlenecks and so. hence, we decided to use a file between 
RELP and elastic



___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] rsyslog-doc: dot graphs in doc

2016-12-14 Thread mostolog--- via rsyslog 
Trying to keep the discussion alive and separated from quite 
long-long-long github issue


IMHO it's better to have embedded graphs in doc, rather than separate 
images files, cause it will ease doc maintenance.


Said so, I agree with you using a third-party web provider is not a 
valid choice.


Do we agree on this "dot within rst" approach?


Any help on embedding dot into rst within github would be much 
appreciated. Radu?



El 11/12/16 a las 14:41, David Lang escribió:

On Sun, 11 Dec 2016, Rainer Gerhards wrote:


Hi all,

please have a look at how the graphs are generated in this PR:

https://github.com/rsyslog/rsyslog-doc/pull/281

My gut feeling is that we should not use this method, because IMHO it
is unmaintainable. However, I would like to get feedback from others.
Feel free to comment directly to the github issue tracker.


Going to the Internet is not the right thing to do.

David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a 
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST 
if you DON'T LIKE THAT.


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread mostolog--- via rsyslog 

Here you go. This is what we have so far.

   global(
MaxMessageSize="32k"
workDirectory="/data"
parser.escapeControlCharactersOnReceive="off"
   )

   module(load="imrelp")
   input(
port="20514"
type="imrelp"
name="imrelp"
ruleset="json"
   )

   module(load="builtin:omfile")
   ruleset(name="error"){
action(
type="omfile"
file="/data/rsyslog-errors.log"
)
   }
   ruleset(name="unknown"){
action(
type="omfile"
file="/data/rsyslog-unknown.log"
)
   }

   template(name="ts" type="string" string="%timestamp:::date-rfc3339%")
   ruleset(name="to-index"){
set $!data=$msg;
set $!data!host_forwarded=$hostname;
set $!data!time_processed=exec_template("ts");
#FIXME This line fails. isn't myhostname set?
#set $!data!host_received=$myhostname;
action(
action.reportSuspension="on"
action.resumeRetryCount="-1"
type="omfile"
file="/data/to-index.log"
template="json"
)
   }

   module(load="mmjsonparse")
   module(load="mmnormalize")
   ruleset(name="json"){
#FIXME seems ruleset workers need a queue or they create a temp
   queue (performance impact)
# considering this pipeline: relp->file->elastic, what should
   be the best approach?
queue.filename="relp.qi"
queue.maxdiskspace="1G"
queue.SaveOnShutdown="on"
queue.type="Disk"

action(
cookie=""
type="mmjsonparse"
)
if $parsesuccess == "FAIL" then {
call error
stop
}
# start script combines /etc/rsyslog.d/apps/*.rb into
   /etc/rsyslog.rb
#   rule=app1:app1 whatever1
#   rule=app2:app2 whatever2
# Due to how liblognorm works, seems to be much faster than
#   each app.conf file like:
#   else if $!app == "popimap" then {
#   # Here's an example on when to use inline rules
#   # https://github.com/rsyslog/rsyslog/issues/625
#   # Inline rules would make it possible to have
#   # just 1 config file per app, instead of 2
#   action(
#   #rule="<%pri%>%time_received:date% %hostname%
   %tag% %msg%"
#   rulebase="/etc/rsyslog.d/apps/app1.rb"
#   type="mmnormalize"
#   )
#   if $!user != "" then {
#   #FIXME now also fails (not set?)
#   set $!data!index="myindex-" & $now;
#   set
   $!data!type="this_msg_type_is_known_by_this_app";
#   call to-index
#   } else {
#   call error
#   }
#   }
   #TODO set $.line= app & " " & msg;?
action(
type="mmnormalize"
variable="$!msg"
rulebase="/etc/rsyslog.d/rsyslog.rb"
)
if $!user == "" then {
call unknown
stop
}
# Each app.conf defines/calls their own pipeline steps
#   at the end: call to-index
$IncludeConfig /etc/rsyslog.d/apps/*.conf
   }

   module(load="imfile")
   input(type="imfile"
file="/data/to-index.log"
tag="rsyslog"
ruleset="elastic"
   )
   template(name="json" type="string" string="%$!data%\n")
   template(name="index" type="string" string="$!data!index")
   template(name="type" type="string" string="$!data!type")
   module(load="omelasticsearch")
   ruleset(name="elastic"){
set $!data=$rawmsg;
set $!data!@timestamp=exec_template("ts");
action(
action.resumeRetryCount="-1"
type="omelasticsearch"
server="server"
serverport="9200"
searchIndex="index"
dynSearchIndex="on"
searchType="type"
dynSearchType="on"
template="json"
)
   }


Regards

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] global queue configuration?

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, Pascal Withopf wrote:



the parameters you listed are all viable.


but also not sufficient


Disk queues always use the disk and do not buffer anything in memory, which
means they are ultra-reliable, but slow.


you also need to turn checkpointing on, and a checkpoint interval of 1 message 
(and a few other things, it's been a few years since I did this)



For the best result you should put the queue in front of a reliable
transport action such as relp.


this will slow rsyslog down by a factor of >1000x. I ran tests on this using a 
very high end PCI based SSD and had a 2000x - 8000x slowdown, and this was with 
v5, the added improvements in performance since wukk cause an even bigger 
slowdown as they would reduce the amount of time rsyslog spends processing the 
message outside of the queue manipulation, I would expect >10,000x nowdays.


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Easy way to parse key/value logs ?

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, Benoit DOLEZ wrote:

I have logs from fortigate with many variantes of 20 to 40 
key[=("value"|value|)] fields separated with spaces .


It seems "iptables" is the only (old) rsyslog normalizer to parse kv strings 
and, probably, it don't parse quoting values like "lognorm/string" do it.


Is there a simple method to build a $! tree from key/value string like 
mmparsejson do it for json ?


if the iptables type doesn't work for your logs in the mmnormalize ruleset, then 
no, there currently isn't a good way.


If none, I can make it. I think it's better to write a message modification 
module than a new lognorm format. Do you agree ?


No, a new type in mmnormalize can be used for a lot more things than a dedicated 
mm* module.


a dedicated mm* module will require that the entire log message be the 
name-value set while a new type in liblognorm will handle that case, but also 
handle cases where there is just one name-value pair inside a larger message.


note that liblognorm already has repeat, so it can handle a lot of instances of 
a given type, it just needs to learn how to handle a single name-value pair. The 
code to do this is mostly already there in liblognorm, it's got two issues:


1. it's not general purpose enough (no ability to specify the syntax separators)

2. it's not exposed as a user-visible type, it's just used as a subroutine for 
other types.


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, mostolog--- via rsyslog wrote:


I was trying to use myhostname system variable.


you have to do $$myhostname, not just $myhostname.

unfortunantly, these property names were defined a long time ago, before 
rainerscript was created, so you used todo things like:


:msg, startswith, "foo", /var/log/bar

:$myhostname, startswith, "baz", /var/log/boo

and it worked well

but when you then do

set $!data!myhost=$msg;

then using $myhostname becomes

set $!data!myhost=$$myhostname;

but changing the property names to eliminate the $$ that shows up frequently 
would break old configs...


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, mostolog--- via rsyslog wrote:

We have found several issues with our relp-file-elastic relay config. Hope 
you can help us.


  template(name="json" type="string" string="%$!data%\n")

  ruleset(name="to-index"){
   set $!data=$msg;
   set $!data!dummy_host=$hostname;
   set $!data!foo="foo";
   action(type="omfile" template="json"...)
  }

Doesn't seem to add myhost/foo to file:

  { "app": "app1", "file": "\/logs\/apps\/app.log", "group":
  "mygroup", "msg": "redacted" }


you are getting confused over the difference between a string that looks like 
json and an actual json structure.


If you output things using RSYSLOG_DebugFormat I think you would see the issue.

you set $!data = the message string, which is '{ "app": "app1", "file": 
"\/logs\/apps\/app.log", "group": "mygroup", "msg": "redacted" }'


and then you try to add items to the $!data structure, but it's not a structure, 
it's a string.


you would need to parse the $msg and turn it into a structure (mmjsonparse or 
mmnormalize)


If you were to create the ruleset

version=2
rule=:%.:json%
rule=: %.:json%
# this covers both having and not having a leading space in $msg)

then do
action(type="mmnormalize" path="data")

this would populate $!data with the structure parsed out of $msg.

mmjsonparse puts the parsed data at $! (not configurable), and there are 
currently bugs in using $! in a set statement, so you would need to change your 
config to work with $! isntead of $!data is you use mmjsonparse to parse the 
message.


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] global queue configuration?

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, David Lang wrote:

this will slow rsyslog down by a factor of >1000x. I ran tests on this using 
a very high end PCI based SSD and had a 2000x - 8000x slowdown, and this was 
with v5, the added improvements in performance since wukk cause an even 
bigger slowdown as they would reduce the amount of time rsyslog spends 
processing the message outside of the queue manipulation, I would expect 
the slowdown to be significantly above 10,000x nowdays.


you also have to set batch size = 1

The problem is that in a crash you can't count on anything in memory making it 
to disk, so you have to write each message to disk, do a fsync on the data, 
possibly do a fsync on the directory [1], and only then respond with the ack


doing anything else exposes you to a window where the message could be lost.

But the performance of filesystems is such that doing a fsync for every write to 
the disk is crippling, even with SSDs [2]. You also need to make sure that the 
SSDs don't buffer the write at all (many do), and that you are writing to a RAID 
set (so that the failure of s single SSD doesn't loose the data), which then 
means you need to make sure your RAID controller either doesn't do any 
buffering, or has a battery backed cache.


If you are willing to loose messages in the case of a complete system 
crash/power outage/hardware failure, then things get much simpler, you don't 
need to use a disk type queue, just use a disk assisted queue (type FixedArray 
or LinkedList with a filename) and saveonshutdown and you get very good 
performance (except for the known performace issues with retrieving data from 
a disk queue)




You really need to think hard about what messages you Absolutly Must Not Loose 
under any conditions. I expect that you will find that there are actually very 
few logs that have this requirement, and they probably all come from a custom 
application. In this case you are probably better off having the application 
write the logs directly to an ACID compliant database (which is slow) rather 
than feeding the logs to rsyslog.


If you do need to feed the logs to rsyslog, then you want to have a separate 
instance of rsyslog (or at the very least a separate input/ruleset/queue) for 
these super critical messages as opposed to all the other messages that you are 
going to process.


David Lang


[1] it's actually even worse than this with filesystems newer than ext2

you write the data to the file and do a fsync on the data.
if this changes the size of the file in disk blocks, you then need to do a fsync 
on the directory the file is in so that the size change is written
each of these writes are written to the filesystem journal as a temporary thing, 
and then the filesystem needs to write a copy of the data to the final location 
and (once it knows the data is safe there, possibly involving another fsync for 
both the data and metadata), do another write to the journal to know that the 
data was safely saved in the final location


so processing one log message can require 6 writes, all of which can require a 
fsync


[2] without SSDs you are limited to of a write requireing the disk to rotate once, and since you aren't infinantly 
fast, you end up a fair bit below that.


ext3 had a bug where a fsync required writing all pending data to the disk, 
including data that was written after the fsync started. People documented a 
single fsync taking >30 seconds.


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

[rsyslog] mmnormalize documentation question

2016-12-14 Thread David Lang 

in the documentation, it says:

Note that mmnormalize should only be called once on each message. Behaviour is 
undefined if multiple calls to mmnormalize happen for the same message.



why would this be the case? Is this actually the case?

There are a cases where it makes sense to call mmnormalize more than once with 
different rulesets/parameters


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] global queue configuration?

2016-12-14 Thread mostolog--- via rsyslog 



On Wed, 14 Dec 2016, David Lang wrote:

this will slow rsyslog down by a factor of >1000x. I ran tests on 
this using a very high end PCI based SSD and had a 2000x - 8000x 
slowdown, and this was with v5, the added improvements in performance 
since wukk cause an even bigger slowdown as they would reduce the 
amount of time rsyslog spends processing the message outside of the 
queue manipulation, I would expect the slowdown to be significantly 
above 10,000x nowdays.

you also have to set batch size = 1

The problem is that in a crash you can't count on anything in memory 
making it to disk, so you have to write each message to disk, do a 
fsync on the data, possibly do a fsync on the directory [1], and only 
then respond with the ack


doing anything else exposes you to a window where the message could be 
lost.


But the performance of filesystems is such that doing a fsync for 
every write to the disk is crippling, even with SSDs [2]. You also 
need to make sure that the SSDs don't buffer the write at all (many 
do), and that you are writing to a RAID set (so that the failure of s 
single SSD doesn't loose the data), which then means you need to make 
sure your RAID controller either doesn't do any buffering, or has a 
battery backed cache.


If you are willing to loose messages in the case of a complete system 
crash/power outage/hardware failure, then things get much simpler, you 
don't need to use a disk type queue, just use a disk assisted queue 
(type FixedArray or LinkedList with a filename) and saveonshutdown and 
you get very good performance (except for the known performace issues 
with retrieving data from a disk queue)

LinkedList and saveonshutdown will be.

About the "creating temporary queues" if ruleset doesn't have a queue 
defined, I'll wait rgerhards for a deep explanation, full of examples, 
colors and music all around.


would imrelp->file->mmjson+mmnorm->elastic be a better approach?


[1] it's actually even worse than this with filesystems newer than ext2

you write the data to the file and do a fsync on the data.
if this changes the size of the file in disk blocks, you then need to 
do a fsync on the directory the file is in so that the size change is 
written
each of these writes are written to the filesystem journal as a 
temporary thing, and then the filesystem needs to write a copy of the 
data to the final location and (once it knows the data is safe there, 
possibly involving another fsync for both the data and metadata), do 
another write to the journal to know that the data was safely saved in 
the final location


so processing one log message can require 6 writes, all of which can 
require a fsync


[2] without SSDs you are limited to simple physics of a write requireing the disk to rotate once, and 
since you aren't infinantly fast, you end up a fair bit below that.


ext3 had a bug where a fsync required writing all pending data to the 
disk, including data that was written after the fsync started. People 
documented a single fsync taking >30 seconds.
These are enough reasons to definitively totally absolutely use fsync as 
much as we can

:P

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread mostolog--- via rsyslog 



   set $!data=$msg;
you are getting confused over the difference between a string that 
looks like json and an actual json structure.

Sorry, I was.


action(type="mmnormalize" path="data")

this would populate $!data with the structure parsed out of $msg.

mmjsonparse puts the parsed data at $! (not configurable), and there 
are currently bugs in using $! in a set statement, so you would need 
to change your config to work with $! instead of $!data if you use 
mmjsonparse to parse the message.

Actually using set $!foo="foo"; solved the issue.

May I know what bugs could cause problems if we do:

   action(type="mmjsonparse"...)
   set $!foo="bar";


Another questions:

When using RELP, we have noticed errors could be propagated to origin. 
If queue is full and not discarding any messages, it may cause troubles 
on origin rsyslog. According to some list comments, using an 
intermediate file could solve the issue. So:


   imrelp->mmjson+mmnormalize+changes->imfile->omelasticsearch


We are using mmjson upon reception, and because elastic is expecting 
json, we are ALSO using mmjson after imfile read.


Is there any way to prevent this redundancy?(AKA: parsing to json twice)

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] global queue configuration?

2016-12-14 Thread Rainer Gerhards 
2016-12-14 15:07 GMT+01:00 mostolog--- via rsyslog :
>
>> On Wed, 14 Dec 2016, David Lang wrote:
>>
>>> this will slow rsyslog down by a factor of >1000x. I ran tests on this
>>> using a very high end PCI based SSD and had a 2000x - 8000x slowdown, and
>>> this was with v5, the added improvements in performance since wukk cause an
>>> even bigger slowdown as they would reduce the amount of time rsyslog spends
>>> processing the message outside of the queue manipulation, I would expect the
>>> slowdown to be significantly above 10,000x nowdays.
>>
>> you also have to set batch size = 1
>>
>> The problem is that in a crash you can't count on anything in memory
>> making it to disk, so you have to write each message to disk, do a fsync on
>> the data, possibly do a fsync on the directory [1], and only then respond
>> with the ack
>>
>> doing anything else exposes you to a window where the message could be
>> lost.
>>
>> But the performance of filesystems is such that doing a fsync for every
>> write to the disk is crippling, even with SSDs [2]. You also need to make
>> sure that the SSDs don't buffer the write at all (many do), and that you are
>> writing to a RAID set (so that the failure of s single SSD doesn't loose the
>> data), which then means you need to make sure your RAID controller either
>> doesn't do any buffering, or has a battery backed cache.
>>
>> If you are willing to loose messages in the case of a complete system
>> crash/power outage/hardware failure, then things get much simpler, you don't
>> need to use a disk type queue, just use a disk assisted queue (type
>> FixedArray or LinkedList with a filename) and saveonshutdown and you get
>> very good performance (except for the known performace issues with
>> retrieving data from a disk queue)
>
> LinkedList and saveonshutdown will be.
>
> About the "creating temporary queues" if ruleset doesn't have a queue
> defined, I'll wait rgerhards for a deep explanation, full of examples,
> colors and music all around.

I don't understand "temporary queues", but I must also admit that I
cannot dig deeper into the ultra-reliable case this year. There is
ample of existing conversation on the web, especially the mailingl
list archive.

>
> would imrelp->file->mmjson+mmnorm->elastic be a better approach?
>
>> [1] it's actually even worse than this with filesystems newer than ext2
>>
>> you write the data to the file and do a fsync on the data.
>> if this changes the size of the file in disk blocks, you then need to do a
>> fsync on the directory the file is in so that the size change is written
>> each of these writes are written to the filesystem journal as a temporary
>> thing, and then the filesystem needs to write a copy of the data to the
>> final location and (once it knows the data is safe there, possibly involving
>> another fsync for both the data and metadata), do another write to the
>> journal to know that the data was safely saved in the final location
>>
>> so processing one log message can require 6 writes, all of which can
>> require a fsync
>>
>> [2] without SSDs you are limited to > physics of a write requireing the disk to rotate once, and since you aren't
>> infinantly fast, you end up a fair bit below that.
>>
>> ext3 had a bug where a fsync required writing all pending data to the
>> disk, including data that was written after the fsync started. People
>> documented a single fsync taking >30 seconds.
>
> These are enough reasons to definitively totally absolutely use fsync as
> much as we can
> :P

It is safer to walk from Madrid to Barcelona than to drive a car, yet
most people accept the additional risk for the benefit involved ;-)

Rainer
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] mmnormalize documentation question

2016-12-14 Thread Rainer Gerhards 
IIRC that was primarily added because otherwise the JSON gets mixed.
But maybe that is what you want...

Rainer

2016-12-14 15:05 GMT+01:00 David Lang :
> in the documentation, it says:
>
> Note that mmnormalize should only be called once on each message. Behaviour
> is undefined if multiple calls to mmnormalize happen for the same message.
>
>
> why would this be the case? Is this actually the case?
>
> There are a cases where it makes sense to call mmnormalize more than once
> with different rulesets/parameters
>
> David Lang
> ___
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] rsyslog-doc: dot graphs in doc

2016-12-14 Thread Rainer Gerhards 
2016-12-14 12:59 GMT+01:00 mostolog--- via rsyslog :
> Trying to keep the discussion alive and separated from quite long-long-long
> github issue
>
> IMHO it's better to have embedded graphs in doc, rather than separate images
> files, cause it will ease doc maintenance.
>
> Said so, I agree with you using a third-party web provider is not a valid
> choice.
>
> Do we agree on this "dot within rst" approach?
>
>
> Any help on embedding dot into rst within github would be much appreciated.

To solve this hopefully once and forever, I googled again for "sphinx
dot" and the first result seems to be fully appropriate:

http://www.sphinx-doc.org/en/1.4.8/ext/graphviz.html

As I said two weeks or so ago, we need to check if we have
sufficiently current sphinx on the involved systems, but the first
step is to read and use what is describe, to see if it actually fits
the need.

Rainer
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] rsyslog-doc: dot graphs in doc

2016-12-14 Thread mostolog--- via rsyslog 



To solve this hopefully once and forever, I googled again for "sphinx
dot" and the first result seems to be fully appropriate:

http://www.sphinx-doc.org/en/1.4.8/ext/graphviz.html

As I said two weeks or so ago, we need to check if we have
sufficiently current sphinx on the involved systems, but the first
step is to read and use what is describe, to see if it actually fits
the need.
Yes, but my point is that doesn't properly render on github. I'll love 
to have documentation (with graphs) on github, but I'll have to stick to 
sphinx+rsyslog.com if that doesn't work. That's why I tried gravizzo (or 
whatever the name is)



___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] rsyslog-doc: dot graphs in doc

2016-12-14 Thread Rainer Gerhards 
2016-12-14 17:19 GMT+01:00 mosto...@gmail.com :
>
>> To solve this hopefully once and forever, I googled again for "sphinx
>> dot" and the first result seems to be fully appropriate:
>>
>> http://www.sphinx-doc.org/en/1.4.8/ext/graphviz.html
>>
>> As I said two weeks or so ago, we need to check if we have
>> sufficiently current sphinx on the involved systems, but the first
>> step is to read and use what is describe, to see if it actually fits
>> the need.
>
> Yes, but my point is that doesn't properly render on github. I'll love to
> have documentation (with graphs) on github, but I'll have to stick to
> sphinx+rsyslog.com if that doesn't work. That's why I tried gravizzo (or
> whatever the name is)

I don't see a point in duplicating the generated doc on github. It is
already on too many places, what sometimes causes confusion (some
places seem to not properly update or make master branch the default,
which obviously does not always work on the stable versions).

It might be possible host the generated doc with github pages, but I
neither know nor have any interest in finding out how this might be
done so that it works automatically. I have even lesser interest in
spending time to implement that even if I would know how to do it ;-)

Rainer
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Back to work with relp -> mmjsonparse -> mmnormalize -> file -> elastic

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, mostolog--- via rsyslog wrote:


   set $!data=$msg;
you are getting confused over the difference between a string that looks 
like json and an actual json structure.

Sorry, I was.


action(type="mmnormalize" path="data")

this would populate $!data with the structure parsed out of $msg.

mmjsonparse puts the parsed data at $! (not configurable), and there are 
currently bugs in using $! in a set statement, so you would need to change 
your config to work with $! instead of $!data if you use mmjsonparse to 
parse the message.

Actually using set $!foo="foo"; solved the issue.


I suspect you needed to make more changes than that, so I don't know what your 
config looks like now...



May I know what bugs could cause problems if we do:

  action(type="mmjsonparse"...)
  set $!foo="bar";


none that I lknow of.


Another questions:

When using RELP, we have noticed errors could be propagated to origin. If 
queue is full and not discarding any messages, it may cause troubles on 
origin rsyslog.


yes, when a queue fills up and you have told rsyslog not to discard any 
messages, rsyslog is no longer able to accept any new messages. This means that 
things trying to delvier messages to rsyslog pause because they cannot get the 
confirmation that their message is accepted.


This is per design and what you would want to have happen

According to some list comments, using an intermediate file 
could solve the issue. So:


  imrelp->mmjson+mmnormalize+changes->imfile->omelasticsearch


a better way is to create a disk assisted queue rather than writing to a text 
file and then reading it in again.




We are using mmjson upon reception, and because elastic is expecting json, we 
are ALSO using mmjson after imfile read.


Is there any way to prevent this redundancy?(AKA: parsing to json twice)


don't serialize the json data to a text stream (in a file) such that you need to 
treat it as unknown data again when it's read???


(again, it's a problem of "doctor, it hurts when I hit my head with a hammer" 
:-)


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] mmnormalize documentation question

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, Rainer Gerhards wrote:


IIRC that was primarily added because otherwise the JSON gets mixed.
But maybe that is what you want...


Ok, I'll look at fixing that in the doc. Mixing the json is not the same as 
'undefined behavior'


David Lang


Rainer

2016-12-14 15:05 GMT+01:00 David Lang :

in the documentation, it says:

Note that mmnormalize should only be called once on each message. Behaviour
is undefined if multiple calls to mmnormalize happen for the same message.


why would this be the case? Is this actually the case?

There are a cases where it makes sense to call mmnormalize more than once
with different rulesets/parameters

David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] rsyslog-doc: dot graphs in doc

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, mostolog--- via rsyslog wrote:


To solve this hopefully once and forever, I googled again for "sphinx
dot" and the first result seems to be fully appropriate:

http://www.sphinx-doc.org/en/1.4.8/ext/graphviz.html

As I said two weeks or so ago, we need to check if we have
sufficiently current sphinx on the involved systems, but the first
step is to read and use what is describe, to see if it actually fits
the need.


Yes, but my point is that doesn't properly render on github. I'll love to 
have documentation (with graphs) on github, but I'll have to stick to 
sphinx+rsyslog.com if that doesn't work. That's why I tried gravizzo (or 
whatever the name is)


I know I've seen discussions on these sorts of things in the past on other 
lists.


What we need here is makefile magic where a file can be in the repository, but 
also optionally generated by a build. If the file is up-to-date compared to it's 
source (later timestamp), the makefile doesn't try to build it, and therefor 
doesn't require the dependency of the tools needed for the build, but if the 
generated file is older than it's source, the make will look for the tools it 
requires to build the file (complaining if they aren't there), and then 
re-generate it.


If someone can do the research on how to best do this, we could also use it for 
the bison/yacc dependency.


This is good for generated files that don't change much, which both the diagrams 
and the grammer match


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] rsyslog-doc: dot graphs in doc

2016-12-14 Thread Rainer Gerhards 
2016-12-14 18:27 GMT+01:00 David Lang :
> On Wed, 14 Dec 2016, mostolog--- via rsyslog wrote:
>
>>> To solve this hopefully once and forever, I googled again for "sphinx
>>> dot" and the first result seems to be fully appropriate:
>>>
>>> http://www.sphinx-doc.org/en/1.4.8/ext/graphviz.html
>>>
>>> As I said two weeks or so ago, we need to check if we have
>>> sufficiently current sphinx on the involved systems, but the first
>>> step is to read and use what is describe, to see if it actually fits
>>> the need.
>
>
>> Yes, but my point is that doesn't properly render on github. I'll love to
>> have documentation (with graphs) on github, but I'll have to stick to
>> sphinx+rsyslog.com if that doesn't work. That's why I tried gravizzo (or
>> whatever the name is)
>
>
> I know I've seen discussions on these sorts of things in the past on other
> lists.
>
> What we need here is makefile magic where a file can be in the repository,
> but also optionally generated by a build. If the file is up-to-date compared
> to it's source (later timestamp), the makefile doesn't try to build it, and
> therefor doesn't require the dependency of the tools needed for the build,
> but if the generated file is older than it's source, the make will look for
> the tools it requires to build the file (complaining if they aren't there),
> and then re-generate it.
>
> If someone can do the research on how to best do this, we could also use it
> for the bison/yacc dependency.
>
> This is good for generated files that don't change much, which both the
> diagrams and the grammer match

I think all of this is already done and in place for over a year. The
problem is that mostolog insists that the doc happens on github, which
is not our intent nor anything we have tried so far.

Rainer
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] global queue configuration?

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, mostolog--- via rsyslog wrote:


we are using RELP.
according to some comments in 
https://github.com/rsyslog/rsyslog-doc/pull/281, seems rulesets should have a 
queue to avoid "creating a temporary queue"


no such thing as a temporary queue


as we are looking for 0% loss...


under all conditions? including a fire in the server room or a metor hitting the 
building?


0% loss is a very strong statement, and really needs to be clarified. If you 
really do mean 0% loss under all conditions (includeing the building being 
destroyed), then rsyslog may not actually be the right tool for you.


Due to the performance impact of trying to comply with such a requirement, the 
cost of implementing such a system would also be extremely high


But almost nobody really means 0% loss under all conditions, so the first thing 
you really need to do is to think really hard about what the real requirements 
are. Are there conditions where you would be willing to have data lost if the 
building is destroyed, or some server looses power?



1. imrelp -> ruleset+main_queue(disk) is there any chance a message
  being lost between RELP reception and queueing?


no, RELP does not consider the data accepted (and send it's ack) unless the data 
is in the queue.


but main_queue being disk does not neccessarily mean that the log will survive 
under all conditions (if you allow the OS to buffer writes to disk, it could be 
lost in a crash, if you only write to one disk it could be lost if the disk 
fails, if you only write to one system, a fire in that system could destroy all 
disks, if you only write to systems in one datacenter, a bomb could destroy all 
the systems )



2. ruleset+main_queue(disk) -> mmjsonparse -> mmnormalize -> omfile is
  there any chance a message being lost anywhere?


that depends on how you configure omfile. If you allow the OS to buffer writes 
to disk... (see discussion above)


message processing (including mm modules) cannot cause data loss, but it does 
take time that the message spends in the queues, and if those queues are in 
ram...)



3. imfile -> omelasticsearch is there any change a message being lost?


for imfile -> rsyslog, that depends on the queues (see above)

for omeleasticsearch, that depends on the ES configuration. There are many ways 
that ES could loose a message if things crash at just the wrong time...


PS: using RELP, when there are connection issues we noticed some problems, 
bottlenecks and so. hence, we decided to use a file between RELP and elastic


let's talk about this more in the other thread. omfile/imfile is NOT the correct 
way to implement a buffer between rsyslog and ES.


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] global queue configuration?

2016-12-14 Thread Rainer Gerhards 
2016-12-14 19:05 GMT+01:00 David Lang :
>> 3. imfile -> omelasticsearch is there any change a message being lost?
>
>
> for imfile -> rsyslog, that depends on the queues (see above)
>
> for omeleasticsearch, that depends on the ES configuration. There are many
> ways that ES could loose a message if things crash at just the wrong time...

At least some time ago (2 years?) ES did not care at all about loss.
The position at least at that time was that it is a search index, not
a data store. If something goes wrong, they said you should
re-populate the index from your actual log store.

I think the conversation is on the mailing list archive.

Rainer
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] global queue configuration?

2016-12-14 Thread mostolog--- via rsyslog 
Probably, carrying multiple conversations at the same time didn't help 
clarifying our concerns. My fault on that. Really sorry.



We know 0% loss is "impossible", but starting from there we'll like to 
have the /best/ system possible.


Considering we found some issues with RELP+full queues we still have to 
investigate, we thought it may worth using a file as an intermediate 
step. Is that such a BAD idea?



> yes, but to fill the queue, you need to fill the disk.

For reliability, we are using linkedlist+filename, and also setting a 
maxdiskspace, so that isn't valid for us.


Rainer suggested having an eye on "ultra-reliable message delivery", and 
seems this conversation has raised a few times...more reasons to add 
"document this" to my TODO list.


Regards

PS: As already said by David, teaching is the best way to learn. I'll 
try to worth the effort!

___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] HUP causes delay in message forwarding

2016-12-14 Thread Woodruff, Dan 
The config is quite extensive and has some sensitive stuff in it. The gist
of it is:

- all omfile and impstats outputs are in /var/log/collection and
subdirectories
- all queues are stored in /var/log/collection/rsyslog/queue
- listeners on ports 514, 10514, 10515, 10516, and 10517, both TCP and UDP
(for simpler rule set binding)

I understand the lack of full config is difficult. I guess my general
question is, besides all the places where logs are written out by omfile and
queues, are there other filesystem locations that have IO? Anything that
rsyslog does internally?

Thanks,
Dan

-Original Message-
From: rsyslog-boun...@lists.adiscon.com
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Monday, December 12, 2016 12:49 PM
To: rsyslog-users 
Subject: Re: [rsyslog] HUP causes delay in message forwarding

It's really going to depend on your config, can you post it?

David Lang
___
rsyslog mailing list
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.adiscon.net_mailma
n_listinfo_rsyslog&d=CwICAg&c=kbmfwr1Yojg42sGEpaQh5ofMHBeTl9EI2eaqQZhHbOU&r=
0S5vJ8-FmQy6Qk5D6_T4U9EYbkCcMc4ijDuyUem89Lk&m=1rnDCOWeZhbQ7sY00G9AFl7G5aiCkK
3mWccUN3CUibM&s=5TLo9IbyIvV17FBucFEUPcAS6p52vyZiByPgrg1lLLA&e= 
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.rsyslog.com_professi
onal-2Dservices_&d=CwICAg&c=kbmfwr1Yojg42sGEpaQh5ofMHBeTl9EI2eaqQZhHbOU&r=0S
5vJ8-FmQy6Qk5D6_T4U9EYbkCcMc4ijDuyUem89Lk&m=1rnDCOWeZhbQ7sY00G9AFl7G5aiCkK3m
WccUN3CUibM&s=uw2dB9xQH2fWbVkeTi5ioWaFh6NjHeXVmkWj1yv-SP8&e= 
What's up with rsyslog? Follow
https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_rgerhards&d
=CwICAg&c=kbmfwr1Yojg42sGEpaQh5ofMHBeTl9EI2eaqQZhHbOU&r=0S5vJ8-FmQy6Qk5D6_T4
U9EYbkCcMc4ijDuyUem89Lk&m=1rnDCOWeZhbQ7sY00G9AFl7G5aiCkK3mWccUN3CUibM&s=uG6G
pZ7FhXkVc2aCU-H9Q3lT8lxYr6suf3hBVM_EmhY&e= 
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.


smime.p7s
Description: S/MIME cryptographic signature
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

[rsyslog] our requirement is 0% loss was: Re: global queue configuration?

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, David Lang wrote:


no such thing as a temporary queue


as we are looking for 0% loss...


under all conditions? including a fire in the server room or a metor hitting 
the building?


0% loss is a very strong statement, and really needs to be clarified. If you 
really do mean 0% loss under all conditions (includeing the building being 
destroyed), then rsyslog may not actually be the right tool for you.


Due to the performance impact of trying to comply with such a requirement, 
the cost of implementing such a system would also be extremely high


But almost nobody really means 0% loss under all conditions, so the first 
thing you really need to do is to think really hard about what the real 
requirements are. Are there conditions where you would be willing to have 
data lost if the building is destroyed, or some server looses power?


Adding to this, if you have your systems sending logs to two different 
datacenters around the world you are generating an additional window for the 
loss of the message.


If the sending server 'goes awawy' before the systems several thousand miles 
away have received the logs, the log will be lost.



databases have ACID guarantees, which mean that a database transaction (in this 
case a write) is:


Atomic: The entire write succeeds or none of it does
Consistant: there is never a window where the database is not in a valid state

Isolation: no interactions between different transactions happening at the same 
time are allowed (they all must only depend on transactions that were complete 
before they started)


Durable: once a transaction is complete, a system crash will not erase the 
transaction


But it's also important to note that this does not protect against all loss of 
data. Disk failure, OS corruption, fire, etc are not part of the threat model 
that databases are protecting themselves against.


To protect against these sorts of problems, databases use backups and 
replication, which always leave a window of vulnerability where the most recent 
data can be lost (absent all other issues, the speed of light prevents truely 
simultanious replication)


One way to deal with this is two phase commits [2], which still have failure 
modes that require that the admin go in and figure out what should have 
happened. They just make it so that the admin has the ability to use their 
judgement.




It's never possible to guarantee 0% chance of loss. Even the various space 
programs with virtually unlimited budgets are unable to do that. Just look at 
the various high-profile Mars lander failures and you will see that bugs are 
going to happen, however much you try to avoid them



Once you accept the fact that you really don't have a hard requirement for 0% 
loss, you then need to start talking about what you're real requirement is.


If you are a university and someone blows up your datacenter, is it really a 
requirement to have the log message that happened during the time between when 
the bomb went off and the blast destroyed the server safe somewhere? or would 
people understand that logs generated less than a minute before the bomb went 
off are not going to be able to be recovered?


0% loss while everything is operating normally is a very reasonable requirement 
to talk about.


0% loss in the face of network outages is a reasonable requirement to talk about 
(how long an outage are you required to survive? a few seconds, a day, a week, a 
year? the answer will change what you implement)


0% loss in the face of server shutdowns is a reasonable requirement to talk 
about (even many power failures can be handled)


but there are categories of failures that you cannot guarantee that you will 
survive. These include:


  software bugs

  system failures (crashes, some power failures)

  failures of multiple components of the systems

There are things that you can do to reduce the probability of such failures 
causing you to loose logs, but these all involve some form of redundancy and 
probability calculations along the lines of "one server has a 90% chance of 
working, so two servers have a 99% chance of working, three servers have a 99.5% 
chance of working..."




But even with all of this, you need to remember that more complex systems are 
more likely to fail. So the more redundancy you add to a system, the more likely 
that something is going to fail, and the redundancy mechanism is one of the 
things that can fail.


I've had very expensive IBM servers running mission critical applications fail 
BECAUSE of the redundancy built in to them. They had multiple power supplies in 
the system (to protect against power failures), but the board that coordinated 
the power and determined which power supplies was working had a problem and 
declared that they all failed when in fact they were all working properly. This 
caused multiple outages over months before it was tracked down



You protect against failures by adding complexity
The more compl

Re: [rsyslog] global queue configuration?

2016-12-14 Thread David Lang 

On Wed, 14 Dec 2016, mostolog--- via rsyslog wrote:


yes, but to fill the queue, you need to fill the disk.


For reliability, we are using linkedlist+filename, and also setting a 
maxdiskspace, so that isn't valid for us.


ahh, but if the disk (or your quota) fills up, then omfile isn't able to write 
the log out to disk, so you have the same problem.


you either allow sufficient space to allow you to survive a 'long enough' outage 
for you to get in and do something, or you don't.


If you are able to allocate enough space, then the queue can do the job.

David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] HUP causes delay in message forwarding

2016-12-14 Thread David Lang 
no, rsyslog doesn't do any disk I/O other than what's in the config (queues and 
files)


David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Easy way to parse key/value logs ?

2016-12-14 Thread Benoit DOLEZ 

Ok. Thanks. I'll give you some news in a few days ...

I've just seen liblognorm sources and I saw "iptables" parser has been 
renamed "v2-iptables" in "version=2" mode. Many people have questions 
about problems with iptables parser that doesn't work  ... this is the 
probable reason.


Benoit

Le 14/12/2016 à 14:07, David Lang a écrit :

On Wed, 14 Dec 2016, Benoit DOLEZ wrote:


I have logs from fortigate with many variantes of 20 to 40
key[=("value"|value|)] fields separated with spaces .

It seems "iptables" is the only (old) rsyslog normalizer to parse kv
strings and, probably, it don't parse quoting values like
"lognorm/string" do it.

Is there a simple method to build a $! tree from key/value string like
mmparsejson do it for json ?


if the iptables type doesn't work for your logs in the mmnormalize
ruleset, then no, there currently isn't a good way.


If none, I can make it. I think it's better to write a message
modification module than a new lognorm format. Do you agree ?


No, a new type in mmnormalize can be used for a lot more things than a
dedicated mm* module.

a dedicated mm* module will require that the entire log message be the
name-value set while a new type in liblognorm will handle that case, but
also handle cases where there is just one name-value pair inside a
larger message.

note that liblognorm already has repeat, so it can handle a lot of
instances of a given type, it just needs to learn how to handle a single
name-value pair. The code to do this is mostly already there in
liblognorm, it's got two issues:

1. it's not general purpose enough (no ability to specify the syntax
separators)

2. it's not exposed as a user-visible type, it's just used as a
subroutine for other types.

David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.


--
Benoit DOLEZ, POM Monitoring, http://www.pom-monitoring.com/
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

[rsyslog] Potential memory leak in rsyslog v 8.23.0

2016-12-14 Thread Shatarupa Nandi via rsyslog 
Hello,

We are observing rsyslogd using an excessive amount of memory after bumping
from v 8.22.0 to v 8.23.0.

More info at: https://github.com/cloudfoundry/bosh/issues/1537

Any help is appreciated.

Thanks!
Rupa
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Re: [rsyslog] Easy way to parse key/value logs ?

2016-12-14 Thread Benoit DOLEZ 

Very interesting ...

There is a type in liblognorm 'name-value-list' that do what I want! It 
works except for quoted string ...


This is the patch for supporting quoted strings :
https://github.com/rsyslog/liblognorm/commit/090e2d2889d0fd6cab97b561414388e273c5484a

Now my parser is :
--
version=2
rule=test:%[
  {"type": "name-value-list"}
  ]%
--

Are you ok ? Do you want a pull request ?

Regards

Benoit


Le 14/12/2016 à 22:44, Benoit DOLEZ a écrit :

Ok. Thanks. I'll give you some news in a few days ...

I've just seen liblognorm sources and I saw "iptables" parser has been
renamed "v2-iptables" in "version=2" mode. Many people have questions
about problems with iptables parser that doesn't work  ... this is the
probable reason.

Benoit

Le 14/12/2016 à 14:07, David Lang a écrit :

On Wed, 14 Dec 2016, Benoit DOLEZ wrote:


I have logs from fortigate with many variantes of 20 to 40
key[=("value"|value|)] fields separated with spaces .

It seems "iptables" is the only (old) rsyslog normalizer to parse kv
strings and, probably, it don't parse quoting values like
"lognorm/string" do it.

Is there a simple method to build a $! tree from key/value string like
mmparsejson do it for json ?


if the iptables type doesn't work for your logs in the mmnormalize
ruleset, then no, there currently isn't a good way.


If none, I can make it. I think it's better to write a message
modification module than a new lognorm format. Do you agree ?


No, a new type in mmnormalize can be used for a lot more things than a
dedicated mm* module.

a dedicated mm* module will require that the entire log message be the
name-value set while a new type in liblognorm will handle that case, but
also handle cases where there is just one name-value pair inside a
larger message.

note that liblognorm already has repeat, so it can handle a lot of
instances of a given type, it just needs to learn how to handle a single
name-value pair. The code to do this is mostly already there in
liblognorm, it's got two issues:

1. it's not general purpose enough (no ability to specify the syntax
separators)

2. it's not exposed as a user-visible type, it's just used as a
subroutine for other types.

David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.




--
Benoit DOLEZ, POM Monitoring, http://www.pom-monitoring.com/
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.