As my colleague used to say - try and see. Define a logging action with the RSYSLOG_DebugFormat template and see what your properties are.

On 1.03.2023 13:50, Tan Mientras via rsyslog wrote:
I'm not sure I understood properly.
imfile has a mandatory tag required, but apart from that, the line contains
a "static" string "*queries*"

Which *property* would be "*queries*" when processing the line...or is it
impossible?

01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)

On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:

You're explicitly telling your imfile to apply the *dns-query* tag. I'd
say that this behaviour is expected. $programname is the "static" part
of tag. The tag is *dns-query*. So...

On 1.03.2023 13:25, Tan Mientras via rsyslog wrote:
Hi.

Which *property* would be "*queries*" when processing the following line?

01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)

AFAIK, *programname*, but with the following configuration it returns
*dns-query* :(

module(load="imfile")

# JSON output template; source_app is filled from the programname property
template(name="json" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@source_timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"source_message\":\"")
    property(name="msg")
    constant(value="\",\"source_hostname\":\"")
    property(name="hostname")
    constant(value="\",\"source_severity\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"source_facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"source_tag\":\"")
    property(name="syslogtag")
    constant(value="\",\"source_app\":\"")
    property(name="programname")
    constant(value="\",\"source_filename\":\"")
    property(name="$.filename")
    constant(value="\"}\n")
}

# Every line read from this file is given the tag "dns-query"
input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on"
      tag="dns-query" ruleset="syslog")

ruleset(name="syslog") {
    set $.filename = $!metadata!filename;
    action(type="omfwd" target="myserver" port="514" protocol="udp"
           template="json")
}

Thanks a lot for your help
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
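
An added example, not part of the thread and not the posters' configuration: the debug action suggested in the reply, plus one way to pull the BIND category ("queries") out of the line. It assumes imfile hands the whole file line to the ruleset as $msg; the ruleset name, template name, $.bind_category variable and both output paths are made up for illustration.

```rsyslog
module(load="imfile")

# Added example. Names below (ruleset "bind-inspect", template "bind-check",
# variable $.bind_category, both output paths) are illustrative assumptions.
template(name="bind-check" type="string"
         string="tag=%syslogtag% programname=%programname% category=%$.bind_category%\n")

input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on"
      tag="dns-query" ruleset="bind-inspect")

ruleset(name="bind-inspect") {
    # Assumption: imfile passes the whole file line as $msg, e.g.
    #   01-Mar-2023 13:20:23.998 queries: info: client ...
    # Skip the date and time fields, capture the word before the first colon.
    # re_extract(expr, regex, match#, submatch#, value-if-no-match)
    set $.bind_category = re_extract($msg, "^[^ ]+ [^ ]+ ([^ :]+):", 0, 1, "unknown");

    # Dump every standard property of each message, as suggested in the reply.
    action(type="omfile" file="/var/log/rsyslog-props.debug"
           template="RSYSLOG_DebugFormat")

    # One-line comparison of the tag-derived properties and the extracted value.
    action(type="omfile" file="/var/log/rsyslog-bind-check.log"
           template="bind-check")
}
```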