log the message with the template RSYSLOG_DebugFormat and it will show you every
value it has parsed. You may need to use mmnormalize or mmjsonparse (the first
is a batter long-term option as it is far more flexible) to extract the values
from json if they aren't already parsed. look for a json string in the $!
section, every value there can be individually addressed.
David Lang
On Sun, 2 Feb 2020,
Patrick Leung wrote:
Date: Sun, 2 Feb 2020 09:30:55 +0000 (UTC)
From: Patrick Leung <[email protected]>
To: Patrick Leung via rsyslog <[email protected]>,
David Lang <[email protected]>
Subject: Re: [rsyslog] rsyslog journald filtering
Hello David,Indeed the information you have provided is useful. Another follow
up question.
In case of using imjournal to filter systemd-journald log that is being
forwarded to rsyslog-v8, what property I can use in rsyslog config for such log
filtering? What if the journald log entry contain custom field that I want to
use as the filtering condition?
Thanks,Patrick
On Friday, January 3, 2020, 5:36:16 p.m. PST, David Lang <[email protected]>
wrote:
rsyslog does not change it's config during a run (with the exception of the
table_lookup() function, which may work for you)
syslog can filter on anything it knows about, so if you fetch from journald with
imjournal so that you can see all the metadata that journald takes the time to
lookup, you can filter on any of it. If you have journald write to a socket for
rsyslog to read, journald doesn't send that metadata (and refuses to consider
doing so, I've asked)
does this answer your questions?
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
