Thanks for clarifying, David. I could see the if statement was otherwise
working.
Here is an example debug line:
Debug line with all properties:
FROMHOST: 'mcox-acs-test', fromhost-ip: '127.0.0.1', HOSTNAME: 'mcox-acs-test', PRI: 37,
syslogtag 'aide[2987]:', programname: 'aide', APP-NAME: 'aide', PROCID: '2987', MSGID: '-',
TIMESTAMP: 'Jan 6 14:06:02', STRUCTURED-DATA: '-',
msg: '#012#012End timestamp: 2023-01-06 14:06:02 +0000 (run time: 0m 0s)'
escaped msg: '#012#012End timestamp: 2023-01-06 14:06:02 +0000 (run time: 0m 0s)'
inputname: imjournal rawmsg: '#012#012End timestamp: 2023-01-06 14:06:02 +0000 (run time: 0m 0s)'
$!:{ "_TRANSPORT": "syslog", "_UID": "0", "_GID": "0", "_MACHINE_ID": "a64ab243d93144128694b0be9d05ae60", "_HOSTNAME": "mcox-acs-test", "PRIORITY": "5", "SYSLOG_IDENTIFIER": "aide", "_SELINUX_CONTEXT": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "SYSLOG_FACILITY": "4", "_BOOT_ID": "0a5c2493ccf347c19745d8eaf473e003", "_PID": "2987", "MESSAGE": "\n\nEnd timestamp: 2023-01-06 14:06:02 +0000 (run time: 0m 0s)", "_SOURCE_REALTIME_TIMESTAMP": "1673013962145150" }
$.:
$/:
This led to the #012 appearing in the remote server:
Jan 6 13:59:53 test aide[2953]: #012#012End timestamp: 2023-01-06 13:59:53 +0000 (run time: 0m 0s)
Is there another option to change the output, but just for this
application? (I'm worried about the effect on other logs if I enable
SpaceLFOnReceive globally.)
Thanks for your help so far - much appreciated.
On 05/01/2023 17:17, David Lang wrote:
No, that is a universal parser directive.
One thing that's confusing about rsyslog configs is that there are two
types of things that are in the config:
1. things processed at startup to configure rsyslog
2. things processed per message to manipulate that message
It doesn't matter where in the config you put the startup items; they
all get processed at startup time.
By the time you are processing the message, directives like this one
have or have not already had their effect (they are things that happen
as the message is being parsed, before you know anything about it).
Can you give us an example of a message that you are having problems
with? Ideally the rawmsg as shown by the RSYSLOG_DebugFormat template.
David Lang
On Thu, 5 Jan 2023, Morgan Cox via rsyslog wrote:
Date: Thu, 5 Jan 2023 17:07:57 +0000
From: Morgan Cox via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Morgan Cox <m....@compassplus.com>
Subject: [rsyslog] $SpaceLFOnReceive - how to use in if statement for one $programname - issue is SpaceLFOnReceive applies regardless of $programname
Hi.
Wondering if anyone can help.
I forward all syslog messages (Linux) using (syslog server IP has
been removed):
if $fromhost-ip == '127.0.0.1' then @syslogserverip:514
And this works.
However, I am trying to send Aide check output via syslog using
systemd-cat.
I have an issue with spacing, etc. (i.e. I see #012 all over the output
on the remote server).
The solution is to use
$SpaceLFOnReceive on
This fixes the #012 issue.
However, I didn't want to set this globally, so I have created if
statements in the rsyslog conf,
e.g.
if $fromhost-ip == '127.0.0.1' and $programname != 'aide' then {
    @syslogserverip:514
}
if $programname == 'aide' then {
    $SpaceLFOnReceive on
    @syslogserverip:514
}
The if statement works - apart from the $SpaceLFOnReceive on part,
e.g. if I enable $SpaceLFOnReceive on in the 2nd if statement it
applies to anything,
i.e. I have tested replacing $programname with sshd in both if
statements, but $SpaceLFOnReceive on is enabled if I use any service.
Is there a way to make $SpaceLFOnReceive apply to just a specified
$programname?
Thanks
--
Sincerely yours,
/Morgan Cox/
/System Administrator/
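
Following the distinction drawn in the thread between startup directives and per-message statements, one way to limit the cleanup to aide is to leave the parser setting alone and rewrite the text per message. This is an added example, not part of the original thread or of rsyslog's shipped configuration; it assumes an rsyslog version that provides the RainerScript replace() function, keeps the thread's "syslogserverip" placeholder, and uses the made-up names AideFwd and $.msg_clean.

```rsyslog
# Added example. "syslogserverip" is the placeholder used in the thread;
# the template name AideFwd and the variable $.msg_clean are illustrative.

# Startup-time settings such as $SpaceLFOnReceive are read once and apply
# to every message, so none is set here and the default escaping stays on.

# Forward format that takes the message text from a per-message variable.
template(name="AideFwd" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="$.msg_clean")
}

if $fromhost-ip == '127.0.0.1' then {
    if $programname == 'aide' then {
        # Per-message statement: runs only for messages reaching this branch.
        # As the debug line shows, msg already holds the literal text "#012",
        # so replace that text with a space in a copy of the message.
        set $.msg_clean = replace($msg, "#012", " ");
        action(type="omfwd" target="syslogserverip" port="514"
               protocol="udp" template="AideFwd")
    } else {
        # Everything else is forwarded unchanged, escaping included.
        action(type="omfwd" target="syslogserverip" port="514" protocol="udp")
    }
}
```

Check the syntax with rsyslogd -N1 before restarting. replace() also rewrites a literal "#012" that an application wrote itself, which matters only if that text can legitimately appear in the aide output.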