Re: [rsyslog] rsyslog journald filtering

Tue, 18 Feb 2020 16:50:07 -0800 

Hi,
Sorry about the illegible config file content. Please allow me to try again. My 
system is using rsyslog_8.1903 from Yocto meta-openembedded/warrior that has 
systemd-journald_v241 forward to syslog. "/etc/rsyslog.conf" includes a custom 
rsyslog configuration "/etc/rsyslog.d/custom-rsyslog.conf". Please see below 
the configuration files.

Given these configuration files, I obtain ONLY logging entries from imuxsock. 
The "RSYSLOG_DebugFormat" gives me the syslog message, e.g.

Debug line with all properties:
FROMHOST: 'xxx', fromhost-ip: '127.0.0.1', HOSTNAME: 'xxx', PRI: 30,
syslogtag 'systemd[1]:', programname: 'systemd', APP-NAME: 'systemd', PROCID: 
'1', MSGID: '-',
TIMESTAMP: 'Feb 18 16:17:16', STRUCTURED-DATA: '-',
msg: ' Started machine-id persistence.'
escaped msg: ' Started machine-id persistence.'
inputname: imuxsock rawmsg: '<30>Feb 18 16:17:16 systemd[1]: Started machine-id 
persistence.'
$!:{ "msg": "Started machine-id persistence." }
$.:
$/:

I would like to craft a rsyslog configuration such that both imuxsock and 
imjournal are used, and I will have a filtering base on the meta data in 
structured journald log fetched from imjournal.

I hope the given information clarifies my approach.


Thanks,
Patrick
==============================
[/etc/rsyslog.conf]
module(load="imuxsock"
  SysSock.Use="on"
  SysSock.Name="/run/systemd/journal/syslog")

module(load="builtin:omfile"
  dirCreateMode="0755"
  fileCreateMode="0640")

module(load="mmjsonparse")
action(type="mmjsonparse")

# Set the default permissions
$FileOwner syslog
$FileGroup syslog
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

include(file="/etc/rsyslog.d/*.conf" mode="required")

==============================

[/etc/rsyslog.d/custom-rsyslog.conf]
module(load="imjournal" PersisStateInterval="100")
action(type="mmjsonparse")
if ( $inputname == "imuxsock" ) then {
    action(type="omfile" file="/var/log/syslog/imuxsock.log" 
template="RSYSLOG_DebugFormat")
else if ( $inputname == "imjournal" ) then {
    action(type="omfile" file="/var/log/syslog/imjournal.log" 
template="RSYSLOG_DebugFormat")
}
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to