[rsyslog-notify] Forum Thread: RSYSLOG_TraditionalFileFormat template - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Tue Feb 11 11:32:10 CET 2014 

User: n3tb0y 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24210#p24210

Message: 
----------
Hi  Guys ,

I have a question regarding RSYSLOG_TraditionalFileFormat , does anybody
know how to build exactly same file format of 
RSYSLOG_TraditionalFileFormat with custom template ? 
Also what is the real difference between %msg% and %rawmsg%  variables , 

I have a problem where RSYSLOG daemon can not write %msg% to the file but
it can write %rawmsg%.  From the remote end i can see that the raw message
is coming with bellow header. 

2014-02-11T11:59:59.999943+03:00 <DeviceHostname> .  

I was using RSYSLOG_TraditionalFileFormat and it was ok until remote end
upgrade his device. The only difference they state was comply with RFC3339
time format. After this RSYSLOG_TraditionalFileFormat  stop working for me.
Only entry I can see in the file was Hostname of the device.  Cause of this
I build a custom template for myself. But this time I got strange behavior
of RSYSLOG.  

For example 
1- it is locking the files and I can not delete them unless I did not
restart the service.  What could be the cause ? It was not doing that
before
2- Strange space or similar character appears and the end of line and it is
breaking the parsing process.  I tried to use 'drop-last-lf' but did not
work for me , I am suspecting may be it is due to remote device.  Cause I
am using %rawmsg% in the template . How can I get rid of them ? 

My Infastructure is  ,  1 RSYSLOG server , (32 Core , 64GB RAM , 4TB )  ,
40k to 50k lines is coming pre second from the remote end.   Total file for
one hour is around 34 - 35 GB . Rsyslog version ins 5.8.10 and it is on
Redhat 5 Server.  

So here is my partial configuration 

# File Name Definition
$template
DynFile,"/<folder-name>/<folder-name>/%HOSTNAME:::lowercase%/%timegenerated:1:10:date-rfc3339%_%$HOUR%"

# File Format Definition
$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% []
%rawmsg:7:29:%%rawmsg:36:$:drop-last-lf%\n

# Rules
:source , !isequal , "localhost" ?DynFile;FileFormat


Thanks for your answer

More information about the rsyslog-notify mailing list