Thank you for your clarification once again. If I understand it right, the
use of the RSYSLOG_DebugFormat template gives me the generated syslog file that
contains structured journald log content; filtering is handled prior to output
log file generation.

What I would like to achieve: forward journald log to rsyslog, and use rsyslog's
filtering capabilities to filter journald master log file to individual log
file based on matched ruleset in rsyslog. I may want to filter journald log based
on systemd units and container services to their individual log files.

1) Is it possible to load both imuxsock and imjournal modules when starting
rsyslog, and have these modules process journald log and generate individual
log file based on the matching ruleset?

2) If imjournal is loaded, I am not
crystal clear on rsyslog config syntax to set up the ruleset for structured
journald log entry filtering. Essentially I am looking for the equivalent of,
for example, "journalctl CONTAINER_ID=<id> > /path/to/container_id_log".

3) $programname property (which is part of TAG stemmed from MSG syslog format
AFAIK) is available for ruleset matching when imuxsock is used?

Thanks again for help.

Thanks,
Patrick

On Sunday, February 2, 2020, 04:59:50 a.m. EST, David Lang <[email protected]>
wrote:

Log the message with the template RSYSLOG_DebugFormat and it will show you
every value it has parsed. You may need to use mmnormalize or mmjsonparse (the first
is a better long-term option as it is far more flexible) to extract the values
from JSON if they aren't already parsed. Look for a JSON string in the $!
section, every value there can be individually addressed.

David Lang

On Sun, 2 Feb 2020, Patrick Leung wrote:

> Date: Sun, 2 Feb 2020 09:30:55 +0000 (UTC)
> From: Patrick Leung <[email protected]>
> To: Patrick Leung via rsyslog <[email protected]>,
> David Lang <[email protected]>
> Subject: Re: [rsyslog] rsyslog journald filtering
>
> Hello David,
>
> Indeed the information you have provided is useful. Another
> follow up question.
> In case of using imjournal to filter systemd-journald log that is being
> forwarded to rsyslog-v8, what property can I use in rsyslog config for such
> log filtering? What if the journald log entry contains a custom field that I
> want to use as the filtering condition?
>
> Thanks,
> Patrick
>
> On Friday, January 3, 2020, 5:36:16 p.m. PST, David Lang <[email protected]> wrote:
>
> rsyslog does not change its config during a run (with the exception of the
> table_lookup() function, which may work for you)
>
> syslog can filter on anything it knows about, so if you fetch from journald
> with imjournal so that you can see all the metadata that journald takes the
> time to look up, you can filter on any of it. If you have journald write to a
> socket for rsyslog to read, journald doesn't send that metadata (and refuses
> to consider doing so, I've asked)
>
> does this answer your questions?
>
> David Lang
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
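
The approach described in the thread (read the journal with imjournal, inspect the parsed fields with RSYSLOG_DebugFormat, then filter on individual values under `$!`), written out as an rsyslog configuration. This is an added example, not a configuration posted by anyone in the thread. It assumes the standard journald field `_SYSTEMD_UNIT` and the `CONTAINER_ID` / `CONTAINER_NAME` fields that Docker's journald log driver attaches; all file paths, the unit name and the `<id>` value are placeholders.

```conf
# Added example. Paths, unit name and container id are placeholders.
# Read the journal directly so journald's metadata fields reach rsyslog.
module(load="imjournal" StateFile="imjournal.state")

# Temporary: dump every parsed property, including the $! tree, to see
# exactly which field names are available. Remove once the filters work.
action(type="omfile" file="/var/log/journal-debug.log"
       template="RSYSLOG_DebugFormat")

# File name built from a journal field. The field content comes from the
# log source, so securepath="replace" rewrites any "/" in it and the value
# cannot steer the write outside /var/log/containers/.
template(name="PerContainerFile" type="list") {
    constant(value="/var/log/containers/")
    property(name="$!CONTAINER_NAME" securepath="replace")
    constant(value=".log")
}

# One systemd unit to its own file.
if $!_SYSTEMD_UNIT == "sshd.service" then {
    action(type="omfile" file="/var/log/units/sshd.log")
    stop
}

# Equivalent of: journalctl CONTAINER_ID=<id> > /path/to/container_id_log
if $!CONTAINER_ID == "<id>" then {
    action(type="omfile" file="/path/to/container_id_log")
    stop
}

# Every other container: one file per container name.
# An unset field compares equal to the empty string.
if $!CONTAINER_NAME != "" then {
    action(type="omfile" dynaFile="PerContainerFile")
    stop
}
```

A custom journal field is addressed the same way, as `$!FIELD_NAME`, once it shows up in the debug output.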