[rsyslog-notify] Forum Thread: help with mmnormalize rule + using multiple templates - (Mode 'post')
noreply at adiscon.com
Mon Feb 17 09:51:09 CET 2014
User: sjattah
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24234#p24234
Message:
----------
First: I have a problem with a rule for a log line from postfix.
An example of a log line:
Feb 12 10:39:01 bp-mta06 postfix/local[4369]: 8ACC51001F0:
to=<root at mta06.bitpro.no>, orig_to=<root>, relay=local, delay=0.06,
delays=0.05/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
This is the filter I've written, but it doesn't work:
prefix=%date:date-rfc3164% %hostname:word%
rule=to: postfix/local[%notused:number%]: %mailid:char-to:\x3a%:
to=<%address:char-to:>%>, orig_to=%notused2:word% relay=%notused3:word%
delay=%notused4:word% delays=%notused5:word% dsn=%notused6:word%
status=%status:word%%2notused3:char-to:)%)
What is causing the problem is this: '%mailid:char-to:\x3a%:'
If I replace it with '%mailid:word%' I get all the fields that I want, but
I do not want the ':' in the mailid field.
Second:
The log data will be stored in a mysql database, with multiple tables
(mail, router, etc.).
In order to do that I need several templates with different insert
statements. One for each table.
I've looked at this page:
http://www.rsyslog.com/using-rsyslog-mmnormalize-module-effectively-with-adiscon-loganalyzer/
and it has one rule without a name, and a single
$template line.
It seems like there is no 'rule' option (man page rsyslog.conf(5)) for a
'$template' line. Is this correct? If so, how am I going to use several
insert statements?
Thanks.