[rsyslog-notify] Forum Thread: Re: Perform DNS lookup on $hostname - (Mode 'edit_last_post')
noreply at adiscon.com
Tue Jan 6 20:59:38 CET 2015
User: Jzeolla
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25155#p25155
Message:
----------
[quote="dlang":b12cudr8]in your output template, add @cee: before the first
{ character. This is a legacy requirement due to the fact that this support
was put in for cee stuff and Rainer wanted to make sure that it didn't try
to decode other things. This is something that should be changed, but
hasn't been yet.
The other thing is that your template isn't a valid syslog message, a valid
syslog message needs to be
<%pri%>%timestamp% %hostname% %syslogtag% and then the message here
since you are missing all of that header info in your template, the copy of
rsyslog that's parsing it isn't finding the syslogtag, programname,
hostname, and timestamp because you aren't putting them in the
template.[/quote:b12cudr8]
Thank you for the quick turnaround. I will have "@cee: " added before the
start of the JSON curly brackets.
However, once it parses properly on my end, I am still not clear on what it
would look like for me to refer to parts of the JSON. For instance, if I
was sent:
[quote:b12cudr8]'@cee:
{"message":"testing","syslogtag":"is:","hostname":"This","fromhost":"REDACTED","fromhost-ip":"REDACTED","facility":"user","priority":"notice","timereported":"2015-01-06T13:52:38.339749-05:00","timegenerated":"2015-01-06T13:52:38.339749-05:00"}'[/quote:b12cudr8]
How then would I do
[code:b12cudr8]template(name="forwardedtome" type="string"
string="<%pri%>%timereported% %fromhost-ip% %syslogtag%%msg%\n")
template(name="default" type="string"
string="/data/syslog/%$!forwardedtome!fromhost-ip%/%$year%/%$month%/%!forwardedtome!fromhost-ip%-%$year%-%$month%-%$day%.log")
if (($!forwardedtome!message contains "keyword") and
($!forwardedtome!fromhost contains_i "hostname")) then {
action(...template="default"...)
} else {
action (...template="default2"...)
}[/code:b12cudr8]
Is it "%$!all-json!objectname%" per
http://www.rsyslog.com/doc/property_replacer.html?
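
Added example (Python, not part of the original post and not rsyslog's own code): a model of what the receiving side does with such a message, namely locating the @cee: cookie, decoding the JSON, applying the post's filter, and building the per-host path from the post's template. Because fromhost-ip is whatever the sender put in the JSON, it is accepted only as an IP address literal before it becomes a directory name; the sample messages, the "unparsed" fallback name and all function names are assumptions made for the example.

```python
import ipaddress
import json
from pathlib import PurePosixPath

CEE_COOKIE = "@cee:"
BASE_DIR = PurePosixPath("/data/syslog")  # base directory used in the post's template

# Constructed sample messages (documentation addresses, not taken from the thread).
GOOD = ('<13>2015-01-06T13:52:38-05:00 relay1 app: @cee: '
        '{"message":"testing keyword","fromhost":"web01","fromhost-ip":"192.0.2.10"}')
BAD = ('<13>2015-01-06T13:52:38-05:00 relay1 app: @cee: '
       '{"message":"testing","fromhost":"web01","fromhost-ip":"../../etc/cron.d"}')


def parse_cee(raw):
    """Return the JSON object after the @cee: cookie, or None if absent or invalid."""
    _, cookie, payload = raw.partition(CEE_COOKIE)
    if not cookie:
        return None
    try:
        obj = json.loads(payload)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def safe_host(fields):
    """Accept fromhost-ip only if it is a plain IP address literal."""
    value = fields.get("fromhost-ip")
    if not isinstance(value, str) or "%" in value:  # no integers, no IPv6 zone ids
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def log_path(raw, year, month, day):
    """Mirror the post's path template; rejected senders share one 'unparsed' tree."""
    fields = parse_cee(raw) or {}
    host = safe_host(fields) or "unparsed"
    return str(BASE_DIR / host / year / month / f"{host}-{year}-{month}-{day}.log")


def matches(raw, keyword, host_substr):
    """The post's filter: message contains keyword, fromhost contains_i host_substr."""
    fields = parse_cee(raw) or {}
    return (keyword in str(fields.get("message", ""))
            and host_substr.lower() in str(fields.get("fromhost", "")).lower())
```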