On Wed, 5 Feb 2020, Patrick Leung wrote:

Thank you again for the information. Again, if I load both imuxsock and 
imjournal, how do I associate filters to each input module?

as you note, imjournal doesn't support binding to a ruleset, so logs from it just go into the default ruleset.

if you log with the template RSYSLOG_DebugFormat you may find something you can filter on (I suspect that $input will work, but I haven't tested it)

so something like
if $input == 'imjournal' and <other filter> then { action() }

David Lang

e.g. rsyslog.conf
if ( filter1_condition ) then { action(xxx) }
if ( filter2_condition ) then { action(yyy) }
Associate "filter1" to process messages received by imuxsock and "filter2" to
process messages received by imjournal. imuxsock supports ruleset binding; but
not imjournal.
   On Monday, February 3, 2020, 04:12:04 p.m. EST, David Lang <[email protected]> 
wrote:

On Mon, 3 Feb 2020, Patrick Leung wrote:

  Thank you for your clarification once again. If I understand it right, the
  use of RSYSLOG_DebugFormat template gives me the generated syslog file that
  contains structured journald log content, filtering is handled prior to
  output log file generation.

not quite, filtering happens how you define it in the config file.

the debug format shows you what the contents of all the variables are at the
point in the config file that you write the log with that format.

This lets you see the contents to understand what your filters have to work
with.

filters can be the traditional facility.severity (i.e. mail.info) format, or
they can be much more powerful if..then formats

What I would like to achieve: forward journald log to rsyslog, and use
rsyslog's filtering capabilities to filter the journald master log file into
individual log files based on matched rulesets in rsyslog. I may want to filter
journald log based on systemd units and container services to their individual
log files.

that's trivial

1) Is it possible to load both imuxsock and imjournal modules when starting
rsyslog,

yes, but if you have journald deliver the messages to imuxsock and have rsyslog
fetch the messages via imjournal you will get two copies of every message


and have these modules process journald log and generate individual
log files based on the matching ruleset?

yes, rsyslog runs every log message through the ruleset(s) in the config file

2) If imjournal is loaded, I am not crystal clear on rsyslog config syntax to
set up the ruleset for structured journald log entry filtering. Essentially I
am looking for the equivalent of, for example,
"journalctl CONTAINER_ID=<id> > /path/to/container_id_log".

you would do something like

if $!CONTAINER_ID == "id" then /path/to/file

note that you can also use dynamic file names so that you can use variables in
the path, so you could end up writing to /path/to/ID/file (look for dynafile)

3) $programname property (which is part of TAG stemmed from the MSG syslog format
AFAIK) is available for ruleset matching when imuxsock is used?

programname is available with both imuxsock and imjournal

David Lang
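To tie the pieces of this thread together (imuxsock bound to its own ruleset, imjournal left in the default ruleset, a RSYSLOG_DebugFormat dump to see the available properties, and per-container and per-unit dynafiles), here is an added rsyslog 8 configuration. It is an illustration written for this page, not config from the thread or from the rsyslog project; the file paths, ruleset name, the "myservice" program name and the use of the documented `$inputname` property instead of the untested `$input` are assumptions.

```conf
# Added example, not from the thread. Assumes rsyslog 8.x on a systemd host.
# Paths, the ruleset name and "myservice" are hypothetical.

global(workDirectory="/var/lib/rsyslog")

# imuxsock: read the socket journald forwards to (ForwardToSyslog=yes) and
# bind it to a ruleset. Caveat from the thread: if journald forwards here AND
# imjournal also reads the journal, every message arrives twice. Keep one
# path in production (e.g. ForwardToSyslog=no in journald.conf).
module(load="imuxsock" SysSock.Use="off")
input(type="imuxsock" Socket="/run/systemd/journal/syslog"
      ruleset="from_socket")

# imjournal cannot be bound to a ruleset, so its messages fall through to the
# default ruleset below. Journal fields are exposed as $!FIELD properties;
# fields set by journald itself start with an underscore (e.g. $!_SYSTEMD_UNIT).
module(load="imjournal" StateFile="imjournal.state")

# Dynamic file name templates ("dynafile"): one file per unit / per container.
template(name="per_unit" type="string"
         string="/var/log/units/%$!_SYSTEMD_UNIT%.log")
template(name="per_container" type="string"
         string="/var/log/containers/%$!CONTAINER_ID%.log")

# Ruleset only imuxsock messages enter (filter1 in the question).
ruleset(name="from_socket") {
    if $programname == "sshd" then {
        action(type="omfile" file="/var/log/sshd-from-socket.log")
    }
    stop
}

# --- default ruleset: only imjournal messages reach this point ---

# Dump every parsed property for one program to learn what can be filtered on.
if $inputname == "imjournal" and $programname == "myservice" then {
    action(type="omfile" file="/var/log/rsyslog-debug.log"
           template="RSYSLOG_DebugFormat")
}

# Equivalent of "journalctl CONTAINER_ID=<id>", but for every container at once.
if $inputname == "imjournal" and $!CONTAINER_ID != "" then {
    action(type="omfile" dynaFile="per_container"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# Everything else from the journal: one file per systemd unit.
if $inputname == "imjournal" and $!_SYSTEMD_UNIT != "" then {
    action(type="omfile" dynaFile="per_unit"
           dirCreateMode="0750" fileCreateMode="0640")
}
```

Two practical notes. First, write the debug dump for a narrow filter only; RSYSLOG_DebugFormat is verbose and the file otherwise grows fast. Second, be careful which journal fields you put into a dynafile path: fields with a leading underscore are set by journald from the sender's credentials and cannot be forged by the logging process, whereas fields without one (including CONTAINER_ID) are supplied by whatever wrote the entry, so only use them in paths when that writer is trusted (here the container runtime's journald log driver).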

Thanks again for help.
Thanks,
Patrick
    On Sunday, February 2, 2020, 04:59:50 a.m. EST, David Lang <[email protected]> 
wrote:

log the message with the template RSYSLOG_DebugFormat and it will show you every
value it has parsed. You may need to use mmnormalize or mmjsonparse (the first
is a better long-term option as it is far more flexible) to extract the values
from json if they aren't already parsed. look for a json string in the $!
section, every value there can be individually addressed.

David Lang


On Sun, 2 Feb 2020, Patrick Leung wrote:

Date: Sun, 2 Feb 2020 09:30:55 +0000 (UTC)
From: Patrick Leung <[email protected]>
To: Patrick Leung via rsyslog <[email protected]>,
    David Lang <[email protected]>
Subject: Re: [rsyslog] rsyslog journald filtering

Hello David,

Indeed the information you have provided is useful. Another follow-up question.
In case of using imjournal to filter systemd-journald log that is being
forwarded to rsyslog-v8, what property can I use in rsyslog config for such log
filtering? What if the journald log entry contains a custom field that I want to
use as the filtering condition?

Thanks,
Patrick

    On Friday, January 3, 2020, 5:36:16 p.m. PST, David Lang <[email protected]> 
wrote:

rsyslog does not change its config during a run (with the exception of the
table_lookup() function, which may work for you)

syslog can filter on anything it knows about, so if you fetch from journald with
imjournal so that you can see all the metadata that journald takes the time to
lookup, you can filter on any of it. If you have journald write to a socket for
rsyslog to read, journald doesn't send that metadata (and refuses to consider
doing so, I've asked)

does this answer your questions?

David Lang


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
