After testing what you said, there doesn't seem to be a property which returns "queries", and I'll only be able to parse it using something like grok. Did I understand right?

On Wed, Mar 1, 2023 at 1:55 PM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:

> As my colleague used to say - try and see. Define logging action with
> RSYSLOG_DebugFormat template and see what your properties are.
>
> On 1.03.2023 13:50, Tan Mientras via rsyslog wrote:
> > I'm not sure I understood properly.
> > imfile has a mandatory tag required. but apart from that, the line contains
> > a "static" string "*queries*"
> >
> > Which *property* would be "*queries*" when processing the line...or is it
> > impossible?
> >
> > 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
> >
> > On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
> >
> >> You're explicitly telling your imfile to apply the *dns-query* tag. I'd
> >> say that this behaviour is expected. $programname is the "static" part
> >> of tag. The tag is *dns-query*. So...
> >>
> >> On 1.03.2023 13:25, Tan Mientras via rsyslog wrote:
> >>> Hi.
> >>>
> >>> Which *property* would be "*queries*" when processing the following line?
> >>>
> >>> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
> >>>
> >>> AFAIK, *programname*, but with the following configuration it returns
> >>> *dns-query* :(
> >>>
> >>> module(load="imfile")
> >>> template(name="json" type="list" option.json="on") {
> >>>     constant(value="{")
> >>>     constant(value="\"@source_timestamp\":\"")
> >>>     property(name="timereported" dateFormat="rfc3339")
> >>>     constant(value="\",\"source_message\":\"")
> >>>     property(name="msg")
> >>>     constant(value="\",\"source_hostname\":\"")
> >>>     property(name="hostname")
> >>>     constant(value="\",\"source_severity\":\"")
> >>>     property(name="syslogseverity-text")
> >>>     constant(value="\",\"source_facility\":\"")
> >>>     property(name="syslogfacility-text")
> >>>     constant(value="\",\"source_tag\":\"")
> >>>     property(name="syslogtag")
> >>>     constant(value="\",\"source_app\":\"")
> >>>     property(name="*programname*")
> >>>     constant(value="\",\"source_filename\":\"")
> >>>     property(name="$.filename")
> >>>     constant(value="\"}\n")
> >>> }
> >>> input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on" tag="*dns-query*" ruleset="syslog")
> >>> ruleset(name="syslog") {
> >>>     set $.filename = $!metadata!filename;
> >>>     action(type="omfwd" target="myserver" port="514" protocol="udp" template="json")
> >>> }
> >>>
> >>> Thanks a lot for your help
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>> DON'T LIKE THAT.