I'm not sure I understood properly. imfile has a mandatory tag required, but apart from that, the line contains a "static" string "*queries*".
Which *property* would be "*queries*" when processing the line...or is it impossible?

01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)

On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:

> You're explicitly telling your imfile to apply the *dns-query* tag. I'd
> say that this behaviour is expected. $programname is the "static" part
> of tag. The tag is *dns-query*. So...
>
> On 1.03.2023 13:25, Tan Mientras via rsyslog wrote:
> > Hi.
> >
> > Which *property* would be "*queries*" when processing the following line?
> >
> > 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
> > 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query:
> > e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
> >
> > AFAIK, *programname*, but with the following configuration it returns
> > *dns-query* :(
> >
> > module(load="imfile")
> > template(name="json" type="list" option.json="on") {
> >     constant(value="{")
> >     constant(value="\"@source_timestamp\":\"")
> >     property(name="timereported" dateFormat="rfc3339")
> >     constant(value="\",\"source_message\":\"")
> >     property(name="msg")
> >     constant(value="\",\"source_hostname\":\"")
> >     property(name="hostname")
> >     constant(value="\",\"source_severity\":\"")
> >     property(name="syslogseverity-text")
> >     constant(value="\",\"source_facility\":\"")
> >     property(name="syslogfacility-text")
> >     constant(value="\",\"source_tag\":\"")
> >     property(name="syslogtag")
> >     constant(value="\",\"source_app\":\"")
> >     property(name="*programname*")
> >     constant(value="\",\"source_filename\":\"")
> >     property(name="$.filename")
> >     constant(value="\"}\n")
> > }
> > input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on"
> >       tag="*dns-query*" ruleset="syslog")
> > ruleset(name="syslog") {
> >     set $.filename = $!metadata!filename;
> >     action(type="omfwd" target="myserver" port="514" protocol="udp"
> >            template="json")
> > }
> >
> > Thanks a lot for your help
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.