[rsyslog-notify] Forum Thread: Re: Perform DNS lookup on $hostname - (Mode 'edit_last_post')

noreply at adiscon.com noreply at adiscon.com
Tue Jan 6 20:30:21 CET 2015


User: Jzeolla 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25153#p25153

Message: 
----------
So I am still running into some issues.  

The template that is used to send me my syslog in JSONF is:

[code]$template forwardFormatJSON,"{%msg:::jsonf:message%,%HOSTNAME:::jsonf:hostname%,%fromhost:::jsonf:fromhost%,%fromhost-ip:::jsonf:fromhost-ip%,%syslogfacility-text:::jsonf:facility%,%syslogpriority-text:::jsonf:priority%,%timereported:::date-rfc3339,jsonf%,%timegenerated:::date-rfc3339,jsonf%}"[/code]


[b][u]First[/u][/b]
When I turn on RSYSLOG_DebugFormat and look at what I'm being sent, I get
the following:

[quote]syslogtag '{"message":', programname: '{"message"',
APP-NAME: '{"message"', PROCID: '-', MSGID: '-',
[/quote]

Here is the rawmsg:

[quote]inputname: imtcp rawmsg:
'{"message":"testing","syslogtag":"is:","hostname":"This","fromhost":"REDACTED","fromhost-ip":"REDACTED","facility":"user","priority":"notice","timereported":"2015-01-06T13:52:38.339749-05:00","timegenerated":"2015-01-06T13:52:38.339749-05:00"}'
[/quote]

Receiving this JSON appears to break my $syslogtag, $programname, and
$APP-NAME.  Is this a known issue?  I am running:

[quote]rsyslogd 7.6.7, compiled with:
	FEATURE_REGEXP:				Yes
	GSSAPI Kerberos 5 support:		Yes
	FEATURE_DEBUG (debug build, slow code):	No
	32bit Atomic operations supported:	Yes
	64bit Atomic operations supported:	Yes
	Runtime Instrumentation (slow code):	No
	uuid support:				Yes
	Number of Bits in RainerScript integers: 32 (due to too-old json-c lib)
[/quote]


[u][b]Second[/b][/u]
When I try something like this:

[code]template(name="default" type="string"
         string="/data/syslog/%fromhost-ip%/%$year%/%$month%/%fromhost-ip%-%$year%-%$month%-%$day%.log")
template(name="logprobe_json_parse" type="string"
         string="%timereported% %fromhost-ip% %msg%\n")
ruleset(name="test") {
        action(type="mmjsonparse")
        action(type="omfile" dynaFile="default" template="logprobe_json_parse"
               dirCreateMode="0755" dirGroup="root" dirOwner="root"
               fileOwner="root" fileGroup="root" fileCreateMode="0644")
        stop
}
module(load="imtcp" MaxSessions="2000" StreamDriver.mode="1" StreamDriver.authmode="anon")
input(type="imtcp" port="514" ruleset="test")
[/code]

I get 

[quote]Jan  6 14:07:41 128.2.156.35 "testing","syslogtag":"is:","hostname":"This","fromhost":"REDACTED","fromhost-ip":"REDACTED","facility":"user","priority":"notice","timereported":"2015-01-06T14:07:41.152316-05:00","timegenerated":"2015-01-06T14:07:41.152316-05:00"}
[/quote]

I have also tried:
[code]template(name="default" type="string"
         string="/data/syslog/%fromhost-ip%/%$year%/%$month%/%fromhost-ip%-%$year%-%$month%-%$day%.log")
template(name="logprobe_json_parse" type="string"
         string="%timereported% %fromhost-ip% %syslogtag%%msg%\n")
ruleset(name="test") {
        action(type="mmjsonparse")
        action(type="omfile" dynaFile="default" template="logprobe_json_parse"
               dirCreateMode="0755" dirGroup="root" dirOwner="root"
               fileOwner="root" fileGroup="root" fileCreateMode="0644")
        stop
}
module(load="imtcp" MaxSessions="2000" StreamDriver.mode="1" StreamDriver.authmode="anon")
input(type="imtcp" port="514" ruleset="test")[/code]

which provides me with

[quote]Jan  6 14:09:23 128.2.156.35 {"message":"testing","syslogtag":"is:","hostname":"This","fromhost":"VPN-172-31-25-190.VPN.CMU.LOCAL","fromhost-ip":"172.31.25.190","facility":"user","priority":"notice","timereported":"2015-01-06T14:09:23.374875-05:00","timegenerated":"2015-01-06T14:09:23.374875-05:00"}
[/quote]

This looks related to the prior issue where %syslogtag% is '{"message":'.
I am simply looking to do something like:

[code]template(name="default" type="string"
         string="/data/syslog/%$!forwardedtome!fromhost-ip%/%$year%/%$month%/%!forwardedtome!fromhost-ip%-%$year%-%$month%-%$day%.log")

if (($!forwardedtome!message contains "keyword") and
    ($!forwardedtome!fromhost contains_i "hostname")) then {
    action(...template="default"...)
} else {
    action(...template="default2"...)
}[/code]
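What the debug output in this post shows, reproduced as an added example that is not part of the post or of rsyslog: a bare JSON line with no syslog header is split by legacy TAG parsing, so %msg% on its own is not a complete JSON document while %syslogtag%%msg% (the second attempt above) is. The raw message and the regex-based splitter are constructed approximations, not rsyslog's parser.

```python
import json
import re

# Constructed raw message modelled on the rawmsg quoted in the post; the
# host fields are placeholder values standing in for the redacted ones.
RAWMSG = (
    '{"message":"testing","syslogtag":"is:","hostname":"This",'
    '"fromhost":"sender.example","fromhost-ip":"192.0.2.10",'
    '"facility":"user","priority":"notice",'
    '"timereported":"2015-01-06T13:52:38.339749-05:00",'
    '"timegenerated":"2015-01-06T13:52:38.339749-05:00"}'
)

# First token up to and including the first ':' (or up to the first space)
TAG_RE = re.compile(r'^([^ :]*:?)(.*)$', re.S)


def split_legacy_tag(rawmsg):
    """Approximate what a legacy-format syslog parser does with a line that
    carries no PRI, timestamp or hostname header: the leading token becomes
    the TAG and everything after it becomes MSG.  Illustrative only; this is
    not rsyslog's own parser code."""
    tag, msg = TAG_RE.match(rawmsg).groups()
    # programname is the TAG without its trailing ':' (the sample TAG has no
    # "[pid]" suffix, so PID stripping is not modelled here)
    return {"syslogtag": tag, "programname": tag.rstrip(":"), "msg": msg}


def msg_parses_as_json(fields):
    """True only if %msg% by itself is a complete JSON document."""
    try:
        json.loads(fields["msg"])
        return True
    except ValueError:          # json.JSONDecodeError is a ValueError
        return False


def reassemble(fields):
    """The %syslogtag%%msg% template: concatenating the two properties
    restores the original JSON document."""
    return json.loads(fields["syslogtag"] + fields["msg"])


if __name__ == "__main__":
    fields = split_legacy_tag(RAWMSG)
    print("syslogtag:", repr(fields["syslogtag"]))          # '{"message":'
    print("msg alone is JSON:", msg_parses_as_json(fields))  # False
    print("reassembled message:", reassemble(fields)["message"])  # testing
```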


More information about the rsyslog-notify mailing list