[rsyslog] Subtract string from message

Radu Gheorghe radu0gheorghe at gmail.com
Mon Jan 14 22:05:40 CET 2013


Hi Xavier,

I see 3 possible options here:
1. Use FromChar from Property Replacer:
http://www.rsyslog.com/doc/property_replacer.html

But this assumes that your "mydirectory" string has a fixed length,
otherwise your messages would be cut unevenly.

2. Use regular expressions (same Property Replacer link should give an idea)

Besides it being slow, I'm not sure if it will actually work. AFAIK
rsyslog's regexps don't get the lazy (?) quantifier.

3. Use mmnormalize to parse your logs and print out the fields you need. I
haven't used this myself but I think it should work. Here are some
resources:
http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/
http://www.liblognorm.com/help/creating-a-rulebase/

Best regards,
Radu


2013/1/14 Xavier Fustero <xfustero at gmail.com>

> Hi all,
>
> I would like to ask if anyone can help me on getting this fixed.
>
> I have several clients sending logs to a central rsyslog server. These
> clients add a tag called *mydirectory* which is different according to the
> client. Later on the server extracts this tag to create a dynamic log file
> on its side.
>
> Client:
> $template GroupApp,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% *mydirectory*:%msg%\n"
> local0,local1.* :omrelp:*rsyslog_server*:*myport*;GroupApp
>
> Server:
> # Dynamic template for grouping applications under its mydirectory
> $template Dyn_AppLogs, "/my_logs/%msg:F,58:1:%/%APP-NAME%.log"
>
> This %msg:F,58:1:% seems to be working fine and I get the expected
> directories created like:
>
> /my_logs/mydirectory1/lala.log
> /my_logs/mydirectory2/lele.log
>
> My problem is that I also log mydirectory1,2 in the logs. It is not a big
> deal but I would like to get rid of this. Can't find the way to remove it
> from the message.
>
> Thanks a log,
> Xavi
>
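
Added example, not part of either message above: a simplified Python model of the options discussed in the reply, run on constructed `%msg%` values, showing where each one cuts the message. The sample messages and function names are assumptions, and Python's `re` stands in for rsyslog's regex engine; the negated character class shown here stops at the first colon without needing a lazy quantifier.

```python
import re

# Constructed sample values of the server-side %msg% property: the client's
# directory tag, a colon, then the original message (which may contain colons).
SAMPLES = [
    "mydirectory1:connection from 10.0.0.5:443 closed",
    "dir2:service started",
]

def field(msg, n, delim=":"):
    """Simplified model of %msg:F,58:n% (58 is ASCII ':'): n-th field, 1-based."""
    parts = msg.split(delim)
    return parts[n - 1] if 0 < n <= len(parts) else ""

def from_char(msg, start):
    """Model of a fixed FromChar offset: 1-based position `start` to the end."""
    return msg[start - 1:]

# Greedy '.*' runs to the LAST colon; '[^:]*' cannot cross a colon, so it
# stops at the FIRST one and the rest of the message is kept whole.
GREEDY = re.compile(r"^.*:(.*)$")
FIRST_COLON = re.compile(r"^[^:]*:(.*)$")

def strip_tag(msg, pattern=FIRST_COLON):
    """Return msg without its leading 'tag:' prefix; unchanged if no match."""
    m = pattern.match(msg)
    return m.group(1) if m else msg

def split_tag(msg):
    """Parser-style split into (directory, rest), as a rulebase would emit."""
    directory, sep, rest = msg.partition(":")
    return (directory, rest) if sep else ("", msg)

if __name__ == "__main__":
    offset = len("mydirectory1:") + 1  # correct only for this one tag length
    for msg in SAMPLES:
        print("msg        :", msg)
        print(" field 2   :", field(msg, 2))
        print(" from_char :", from_char(msg, offset))
        print(" greedy re :", strip_tag(msg, GREEDY))
        print(" [^:]* re  :", strip_tag(msg))
        print(" split     :", split_tag(msg))
```
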

