> Also, I don't think the '*' character is valid in the syslogtag

I'm not using "*", I'm just setting it *BOLD*, but your mail client doesn't like it ;)

On Wed, Mar 1, 2023 at 2:07 PM David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote:

> Also, I don't think the '*' character is valid in the syslogtag, so I think it
> would put that into the msg field as well
>
> If you are ever wondering how rsyslog has parsed a message, log it with the
> built-in template RSYSLOG_DebugFormat and it will give you lots of the gory
> details.
>
> David Lang
>
> On Wed, 1 Mar 2023, John Chivian via rsyslog wrote:
>
> > Unless explicitly instructed to parse syslog header elements out of an
> > imfile source, the entire imfile content is contained in the “msg”
> > property. That is to say rsyslog will construct the standard syslog
> > header elements and then append the line from the file as the msg property.
> >
> > Regards
> >
> >> On Mar 1, 2023, at 06:55, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
> >>
> >> As my colleague used to say - try and see. Define logging action with
> >> RSYSLOG_DebugFormat template and see what your properties are.
> >>
> >> On 1.03.2023 13:50, Tan Mientras via rsyslog wrote:
> >>> I'm not sure I understood properly.
> >>> imfile has a mandatory tag required, but apart from that, the line contains
> >>> a "static" string "*queries*"
> >>>
> >>> Which *property* would be "*queries*" when processing the line...or is it
> >>> impossible?
> >>>
> >>> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
> >>>
> >>> On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
> >>>
> >>>> You're explicitly telling your imfile to apply the *dns-query* tag. I'd
> >>>> say that this behaviour is expected. $programname is the "static" part
> >>>> of tag. The tag is *dns-query*. So...
> >>>>
> >>>> On 1.03.2023 13:25, Tan Mientras via rsyslog wrote:
> >>>>> Hi.
> >>>>>
> >>>>> Which *property* would be "*queries*" when processing the following line?
> >>>>>
> >>>>> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
> >>>>>
> >>>>> AFAIK, *programname*, but with the following configuration it returns
> >>>>> *dns-query* :(
> >>>>>
> >>>>> module(load="imfile")
> >>>>> template(name="json" type="list" option.json="on") {
> >>>>>     constant(value="{")
> >>>>>     constant(value="\"@source_timestamp\":\"")
> >>>>>     property(name="timereported" dateFormat="rfc3339")
> >>>>>     constant(value="\",\"source_message\":\"")
> >>>>>     property(name="msg")
> >>>>>     constant(value="\",\"source_hostname\":\"")
> >>>>>     property(name="hostname")
> >>>>>     constant(value="\",\"source_severity\":\"")
> >>>>>     property(name="syslogseverity-text")
> >>>>>     constant(value="\",\"source_facility\":\"")
> >>>>>     property(name="syslogfacility-text")
> >>>>>     constant(value="\",\"source_tag\":\"")
> >>>>>     property(name="syslogtag")
> >>>>>     constant(value="\",\"source_app\":\"")
> >>>>>     property(name="*programname*")
> >>>>>     constant(value="\",\"source_filename\":\"")
> >>>>>     property(name="$.filename")
> >>>>>     constant(value="\"}\n")
> >>>>> }
> >>>>> input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on" tag="*dns-query*" ruleset="syslog")
> >>>>> ruleset(name="syslog") {
> >>>>>     set $.filename = $!metadata!filename;
> >>>>>     action(type="omfwd" target="myserver" port="514" protocol="udp" template="json")
> >>>>> }
> >>>>>
> >>>>> Thanks a lot for your help
> >>>>> _______________________________________________
> >>>>> rsyslog mailing list
> >>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>> http://www.rsyslog.com/professional-services/
> >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
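
The advice in this thread as a configuration sketch (an added example, not any poster's configuration): write each message with RSYSLOG_DebugFormat to see how it was parsed, then pull the BIND category out of msg, since imfile places the whole file line there and takes syslogtag/programname from the tag= parameter. The output paths, the template and ruleset names and the $.bind_category variable are assumptions, as is the on-disk line reading "queries:" without the mail client's asterisks.

```rsyslog
# Added example: names and paths below are illustrative assumptions.
module(load="imfile")

# syslogtag and programname come from the imfile tag= parameter;
# $.bind_category is filled in by the ruleset from the msg property.
template(name="json_with_category" type="list" option.json="on") {
    constant(value="{\"source_tag\":\"")
    property(name="syslogtag")
    constant(value="\",\"source_app\":\"")
    property(name="programname")
    constant(value="\",\"bind_category\":\"")
    property(name="$.bind_category")
    constant(value="\",\"source_message\":\"")
    property(name="msg")
    constant(value="\"}\n")
}

ruleset(name="bind_queries") {
    # Dump every property exactly as rsyslog parsed it, to check
    # where each part of the line ended up.
    action(type="omfile" file="/var/log/rsyslog-debug.log"
           template="RSYSLOG_DebugFormat")

    # msg holds the raw line: "<date> <time> <category>: <severity>: ..."
    # Skip the first two space-separated tokens and capture the third
    # up to its colon. "unknown" is returned when nothing matches.
    set $.bind_category = re_extract($msg, "^[^ ]+ [^ ]+ ([^: ]+):", 0, 1, "unknown");

    action(type="omfile" file="/var/log/bind-queries.json"
           template="json_with_category")
}

input(type="imfile" file="/var/log/bind/DNSquery.log"
      tag="dns-query" ruleset="bind_queries")
```

With the sample line from the thread, source_app stays dns-query and bind_category becomes queries. Remove the debug action once the property layout is confirmed, because it roughly doubles the data written per message.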