Unless explicitly instructed to parse syslog header elements out of an imfile source, the entire imfile content is contained in the “msg” property. That is to say rsyslog will construct the standard syslog header elements and then append the line from the file as the msg property.
Regards

> On Mar 1, 2023, at 06:55, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> As my colleague used to say - try and see. Define logging action with
> RSYSLOG_DebugFormat template and see what your properties are.
>
> On 1.03.2023 13:50, Tan Mientras via rsyslog wrote:
>> I'm not sure I understood properly.
>> imfile has a mandatory tag required. but apart from that, the line contains
>> a "static" string "*queries*"
>>
>> Which *property* would be "*queries*" when processing the line...or is it
>> impossible?
>>
>> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
>>
>> On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
>>
>>> You're explicitly telling your imfile to apply the *dns-query* tag. I'd
>>> say that this behaviour is expected. $programname is the "static" part
>>> of tag. The tag is *dns-query*. So...
>>>
>>> On 1.03.2023 13:25, Tan Mientras via rsyslog wrote:
>>>> Hi.
>>>>
>>>> Which *property* would be "*queries*" when processing the following line?
>>>>
>>>> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
>>>>
>>>> AFAIK, *programname*, but with the following configuration it returns
>>>> *dns-query* :(
>>>>
>>>> module(load="imfile")
>>>> template(name="json" type="list" option.json="on") {
>>>>     constant(value="{")
>>>>     constant(value="\"@source_timestamp\":\"")
>>>>     property(name="timereported" dateFormat="rfc3339")
>>>>     constant(value="\",\"source_message\":\"")
>>>>     property(name="msg")
>>>>     constant(value="\",\"source_hostname\":\"")
>>>>     property(name="hostname")
>>>>     constant(value="\",\"source_severity\":\"")
>>>>     property(name="syslogseverity-text")
>>>>     constant(value="\",\"source_facility\":\"")
>>>>     property(name="syslogfacility-text")
>>>>     constant(value="\",\"source_tag\":\"")
>>>>     property(name="syslogtag")
>>>>     constant(value="\",\"source_app\":\"")
>>>>     property(name="programname")
>>>>     constant(value="\",\"source_filename\":\"")
>>>>     property(name="$.filename")
>>>>     constant(value="\"}\n")
>>>> }
>>>> input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on" tag="dns-query" ruleset="syslog")
>>>> ruleset(name="syslog") {
>>>>     set $.filename = $!metadata!filename;
>>>>     action(type="omfwd" target="myserver" port="514" protocol="udp" template="json")
>>>> }
>>>>
>>>> Thanks a lot for your help
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
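
The following configuration is an added example, not part of the thread and not any poster's own config. It combines the two replies above: a temporary RSYSLOG_DebugFormat action to inspect the properties, and an extraction of the BIND category ("queries") from msg, since imfile places the whole file line there. The variable name $.category, the field name source_category, the regular expression and the debug file path are assumptions made for the illustration.

```rsyslog
module(load="imfile")

# imfile puts the whole file line into msg.
# syslogtag and programname are derived from tag=, not from the line.
input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on"
      tag="dns-query" ruleset="syslog")

template(name="json" type="list" option.json="on") {
    constant(value="{\"@source_timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"source_message\":\"")
    property(name="msg")
    # programname is "dns-query" here, taken from the imfile tag
    constant(value="\",\"source_app\":\"")
    property(name="programname")
    # $.category is "queries" for the sample line, extracted from msg below
    constant(value="\",\"source_category\":\"")
    property(name="$.category")
    constant(value="\",\"source_filename\":\"")
    property(name="$.filename")
    constant(value="\"}\n")
}

ruleset(name="syslog") {
    set $.filename = $!metadata!filename;

    # BIND line layout: "<date> <time> <category>: <severity>: ..."
    # Submatch 1 is the third space-separated token without its colon;
    # lines that do not match yield "unknown" instead of an empty field.
    set $.category = re_extract($msg, "^ ?[^ ]+ [^ ]+ ([^ :]+):", 0, 1, "unknown");

    # Temporary: dump every property of each message to see what is populated.
    # Remove once the field mapping is confirmed.
    action(type="omfile" file="/var/log/rsyslog-debug.log"
           template="RSYSLOG_DebugFormat")

    action(type="omfwd" target="myserver" port="514" protocol="udp"
           template="json")
}
```

With the sample line from the thread, the debug file should show msg holding the full BIND line and programname holding dns-query, while the forwarded JSON carries queries in source_category.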