Also, I don't think the '*' character is valid in the syslogtag, so I think it would put that into the msg field as well.

If you are ever wondering how rsyslog has parsed a message, log it with the built-in template RSYSLOG_DebugFormat and it will give you lots of the gory details.

David Lang
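
The advice in this thread, put together as an added example (not configuration posted by any participant): dump every parsed property with RSYSLOG_DebugFormat, then pull the BIND category out of msg, since imfile places the whole file line there and derives programname from the configured tag. The output paths, the ruleset and template names, the `$.category` variable and the regular expression are assumptions made for this illustration.

```rsyslog
module(load="imfile")

# JSON output: source_app is programname (taken from the imfile tag),
# source_category is the local variable filled in by the ruleset below.
template(name="bind-json" type="list" option.json="on") {
    constant(value="{\"source_app\":\"")
    property(name="programname")
    constant(value="\",\"source_category\":\"")
    property(name="$.category")
    constant(value="\",\"source_message\":\"")
    property(name="msg")
    constant(value="\"}\n")
}

ruleset(name="bind-debug") {
    # Step 1: write each message with the built-in debug template to see
    # exactly what ended up in syslogtag, programname, msg and rawmsg.
    # Assumed path; remove this action once the parsing is understood.
    action(type="omfile" file="/var/log/rsyslog-debug.log"
           template="RSYSLOG_DebugFormat")

    # Step 2: the file line is in msg, for example
    #   01-Mar-2023 13:20:23.998 queries: info: client ...
    # Skip the date and time fields and capture the word before the first
    # colon. "unknown" is stored when the line does not match, so lines in
    # an unexpected format stay visible downstream instead of being blank.
    set $.category = re_extract($msg, "^[^ ]+ [^ ]+ ([^: ]+):", 0, 1, "unknown");

    # Assumed local output file; swap in the omfwd action once verified.
    action(type="omfile" file="/var/log/bind-json.log" template="bind-json")
}

# Same file and tag as in the question; the ruleset is defined above so the
# binding resolves regardless of how the config is ordered elsewhere.
input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on"
      tag="dns-query" ruleset="bind-debug")
```

Running `rsyslogd -N1` against the file checks the syntax before the service is restarted.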

On Wed, 1 Mar 2023, John Chivian via rsyslog wrote:

Unless explicitly instructed to parse syslog header elements out of an imfile
source, the entire imfile content is contained in the “msg” property. That is
to say rsyslog will construct the standard syslog header elements and then
append the line from the file as the msg property.

Regards


On Mar 1, 2023, at 06:55, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> 
wrote:

As my colleague used to say - try and see. Define logging action with
RSYSLOG_DebugFormat template and see what your properties are.

On 1.03.2023 13:50, Tan Mientras via rsyslog wrote:
I'm not sure I understood properly.
imfile has a mandatory tag required, but apart from that, the line contains
a "static" string "*queries*".

Which *property* would be "*queries*" when processing the line...or is it
impossible?

01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
30.0.30.142#59640
(e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN
A +E(0)D (192.168.2.254)

On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <
rsyslog@lists.adiscon.com> wrote:

You're explicitly telling your imfile to apply the *dns-query* tag. I'd
say that this behaviour is expected. $programname is the "static" part
of tag. The tag is *dns-query*. So...

On 1.03.2023 13:25, Tan Mientras via rsyslog wrote:
Hi.

Which *property* would be "*queries*" when processing the following line?

01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query:
e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)

AFAIK, *programname*, but with the following configuration it returns
*dns-query* :(

module(load="imfile")
template(name="json" type="list" option.json="on") {
   constant(value="{")
   constant(value="\"@source_timestamp\":\"")
   property(name="timereported" dateFormat="rfc3339")
   constant(value="\",\"source_message\":\"")
   property(name="msg")
   constant(value="\",\"source_hostname\":\"")
   property(name="hostname")
   constant(value="\",\"source_severity\":\"")
   property(name="syslogseverity-text")
   constant(value="\",\"source_facility\":\"")
   property(name="syslogfacility-text")
   constant(value="\",\"source_tag\":\"")
   property(name="syslogtag")
   constant(value="\",\"source_app\":\"")
   property(name="programname")
   constant(value="\",\"source_filename\":\"")
   property(name="$.filename")
   constant(value="\"}\n")
}
input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on"
      tag="dns-query" ruleset="syslog")
ruleset(name="syslog") {
   set $.filename = $!metadata!filename;
   action(type="omfwd" target="myserver" port="514" protocol="udp"
          template="json")
}

Thanks a lot for your help
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.