<div dir="ltr"><div><div><div>I am CC'ing the rsyslog mailing list as the issue is more related to rsyslog and syslog in general. I suggest subscribing in order to receive follow-ups.<br><br></div>I think the problem you see is based on the fact that RFC3164 - which is used to parse these types of messages - specifies that everything after the TAG is the message. Usually, messages have "TAG: mm", note the space before mm. This is where it stems from.<br>
</div><br>In regard to lognorm rules, you can simply duplicate the entries with and without a space in front. It's a bit ugly, but a work-around you can use right now. <br><br></div>HTH<br>Rainer <br></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Fri, Apr 4, 2014 at 2:36 PM, Davor Saric <span dir="ltr"><<a href="mailto:davor.saric@srce.hr" target="_blank">davor.saric@srce.hr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
I have a central rsyslog server, and rsyslog clients that ship their logs to central rsyslog. Rsyslog clients on servers are v5 and central rsyslog is v7. Central rsyslog sends incoming logs of clients to elasticsearch and also ships its own local logs of the central server. On clients, I’m using the imfile module to read apache logs and also use imfile on the central rsyslog server to ship its own apache logs to elasticsearch. The problem is that apache logs that are coming from clients have a space in the msg part, so the normalize rule for those logs is:<br>
rule=: %client_ip:word% %rlogname:word% %ruser:word% [%apache_date:word% %tz:char-to:]%] "%method:word% %url:word% %pver:char-to:"%" %status:word% %bytesend:word% "%referrer:char-to:"%" "%useragent:char-to:"%"<br>
<br>
And the normalize rule for the central server's own local apache logs is:<br>
rule=:%client_ip:word% %rlogname:word% %ruser:word% [%apache_date:word% %tz:char-to:]%] "%method:word% %url:word% %pver:char-to:"%" %status:word% %bytesend:word% "%referrer:char-to:"%" "%useragent:char-to:"%"<br>
<br>
The only difference between the rules is that the one that normalizes incoming apache logs from the clients has one space at first, and the one that normalizes local apache logs of the central rsyslog server has no space.<br>
<br>
Here is the template for incoming apache logs and the template for local apache logs. I had to use position.from=2 because of the space in msg of incoming logs. If I use the same template for local apache logs, the first character is cut off, which is the first number of the IP address of the client:<br>
<br>
template(name="httpd-access_remote" type="list") {<br>
property(name="msg" position.from="2")<br>
constant(value="\n")<br>
}<br>
<br>
template(name="httpd-access_local" type="list") {<br>
property(name="msg")<br>
constant(value="\n")<br>
}<br>
<br>
As I can see, the msg property of incoming apache logs has a space at the beginning, but when reading local logs through imfile the msg property doesn't have an empty space at the beginning.<div class=""><br>
<br>
With regards,<br>
-- <br>
Davor Saric, System Engineer<br>
Computer Systems Department<br>
<br>
SRCE - University of Zagreb University Computing Center, <a href="http://www.srce.unizg.hr" target="_blank">www.srce.unizg.hr</a><br>
<a href="mailto:davor.saric@srce.hr" target="_blank">davor.saric@srce.hr</a>, tel: +385 1 616 58 01, fax: +385 1 616 55 59<br></div>
_______________________________________________<br>
Lognorm mailing list<br>
<a href="mailto:Lognorm@lists.adiscon.com" target="_blank">Lognorm@lists.adiscon.com</a><br>
<a href="http://lists.adiscon.net/mailman/listinfo/lognorm" target="_blank">http://lists.adiscon.net/mailman/listinfo/lognorm</a><br>
</blockquote></div><br></div>
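The behaviour discussed in this thread, as an added example that is not part of either message and is not rsyslog or liblognorm code: a simplified RFC 3164 split that keeps everything after the TAG as the message, followed by a field parser that accepts the line with or without that one leading space, so a single rule covers forwarded and local logs. The regular expressions, the function names and the sample frame are constructed for illustration; the field names follow the lognorm rule quoted above.

```python
import re

# Simplified RFC 3164 split (assumption: not rsyslog's real parser).
# Everything after the TAG, including the separating space, is the message.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+(?:\[\d+\])?:?)"
    r"(?P<msg>.*)$",
    re.S,
)

# Apache access-log fields, named after the fields in the quoted lognorm rule.
APACHE = re.compile(
    r'^(?P<client_ip>\S+) (?P<rlogname>\S+) (?P<ruser>\S+) '
    r'\[(?P<apache_date>\S+) (?P<tz>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<pver>[^"]+)" '
    r'(?P<status>\S+) (?P<bytesend>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<useragent>[^"]*)"$'
)

def split_rfc3164(frame):
    """Return (tag, msg) for a forwarded syslog frame."""
    m = RFC3164.match(frame)
    if m is None:
        raise ValueError("not an RFC 3164 frame")
    return m.group("tag"), m.group("msg")

def normalize(msg):
    """Parse an access-log line, tolerating one leading space in msg."""
    # Drop the space only when it is there; an unconditional offset of 2
    # would cut the first digit of the client IP on local (imfile) lines.
    body = msg[1:] if msg.startswith(" ") else msg
    m = APACHE.match(body)
    return m.groupdict() if m else None

# Constructed sample data (documentation IP range, hypothetical host and tag).
ACCESS_LINE = ('192.0.2.10 - - [04/Apr/2014:14:30:01 +0200] '
               '"GET /index.html HTTP/1.1" 200 512 "-" "curl/7.30.0"')
REMOTE_FRAME = "<134>Apr  4 14:30:01 web01 httpd-access: " + ACCESS_LINE

if __name__ == "__main__":
    tag, msg = split_rfc3164(REMOTE_FRAME)
    print(repr(tag), repr(msg[:12]))          # msg starts with a space
    print(APACHE.match(msg) is None)          # strict parse of msg fails
    print(normalize(msg) == normalize(ACCESS_LINE))
```

A line that fails to normalize reaches the central store unparsed, so a check like the last one is worth running against both the forwarded and the local form whenever a rule is changed.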