I'll take 'A big note saying "TEMPLATES ARE FOR OUTPUT ONLY"' for 10 points please.
On Wed, Oct 11, 2023, 21:06 David Lang via rsyslog <[email protected]> wrote:

> P.S. this confusion of templates being useful for parsing messages seems to be a
> common one, any suggestions on what we should put in the documentation to make
> clear that they are for output only, not for parsing messages?
>
> David Lang
>
> On Wed, 11 Oct 2023, Gundlapally, Navanitha via rsyslog wrote:
>
> > Date: Wed, 11 Oct 2023 13:20:57 +0000
> > From: "Gundlapally, Navanitha via rsyslog" <[email protected]>
> > To: "[email protected]" <[email protected]>
> > Cc: "Gundlapally, Navanitha" <[email protected]>
> > Subject: [rsyslog] Need help with Rsyslog Parser
> >
> > Hi Team,
> >
> > I am new to this community and hoping to get some help with my below query.
> >
> > We are collecting some network logs from client devices to a Syslog collector (A)
> > which is managed by the vendor, and the next hop is the syslog collector (B)
> > managed by us. On Collector B, I see the events are getting parsed with the IP
> > of Collector A, meaning I am not seeing the actual device IP on my collector;
> > instead it shows the Collector A IP address as sender IP. What config changes
> > do I need to make in my Collector B rsyslog.conf file to see the actual client
> > device IP/Hostname (using the syslog header)?
> >
> > I tried writing a template to extract the hostname from the event as below,
> > but it is not working, and I do not see any errors as well when I run
> > rsyslogd -N1.
> >
> > template(name="LB_dynaFile" type="string"
> >          string="/var/log/syslog/LB/%!extracted_LB_hostname%/%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log")
> > template(name="LB_host_extraction" type="string"
> >          string="%msg:R,ERE,1,ZERO:\"GMT(.+) 0-PPE-0\"--end%")
> >
> > if $rawmsg contains "IB*******2-m**i" then {
> >     reset $!extracted_LB_hostname = exec_template("LB_host_extraction");
> >     action(type="omfwd" target="1xx.1x.0.1x:1xx0" protocol="tcp"
> >            template="RSYSLOG_SyslogProtocol23Format")
> >     action(type="omfile" dynaFile="LB_dynaFile"
> >            template="RSYSLOG_SyslogProtocol23Format")
> > }
> >
> > PS - I tested the regex on the rsyslog regex tester and it is working.
> >
> > Sample event
> >
> > <134>1 2023-10-10T18:22:07.569574+00:00 10.194.237.27 - - - - 10/10/2023:18:21:58 GMT IB*******2-m**i 0-PPE-0 : default TCP CONN_TERMINATE 287440514 0 : Source 1x.1xx.0.1xx:80 - Destination 1x.1xx.1xx.1x:3xxx7 - Start Time 10/10/2023:18:21:16 GMT - End Time 10/10/2023:18:21:58 GMT - Total_bytes_send 1 - Total_bytes_recv 1
> >
> >
> > This message and any attachments are intended only for the use of the
> > addressee and may contain information that is privileged and confidential.
> > If the reader of the message is not the intended recipient or an authorized
> > representative of the intended recipient, you are hereby notified that any
> > dissemination of this communication is strictly prohibited. If you have
> > received this communication in error, please notify us immediately by
> > e-mail and delete the message and any attachments from your system.
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
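As an added example, not from anyone in this thread: the same extraction done the way David Lang's note implies, with a RainerScript `set` statement doing the parsing and the template only formatting the result. The "DEVICE-MARKER", "COLLECTOR-ADDR" and "PORT" values are placeholders for the redacted values above, and the regex is assumed to be interpreted as POSIX ERE by re_extract().

```rsyslog
# Added example (not the original poster's config): parse with set/re_extract(),
# then format with a template. DEVICE-MARKER, COLLECTOR-ADDR and PORT are
# placeholders for the values redacted in the original post.

# Output-only template: it consumes $!extracted_LB_hostname, it never sets it.
# secpath-replace turns any "/" in the value into "_" before it becomes part
# of a file path.
template(name="LB_dynaFile" type="string"
         string="/var/log/syslog/LB/%!extracted_LB_hostname:::secpath-replace%/%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log")

if $rawmsg contains "DEVICE-MARKER" then {
    # re_extract(string, regex, match-number, submatch-number, no-match-value)
    # Submatch 1 is the token between "GMT " and " 0-PPE-0". The character class
    # requires a leading alphanumeric and excludes "/", because the extracted
    # value is used as a directory name: a message carrying "." or ".." here
    # would otherwise be accepted as a path component.
    set $!extracted_LB_hostname = re_extract($msg, "GMT ([A-Za-z0-9][A-Za-z0-9_.-]*) 0-PPE-0", 0, 1, "unknown-host");

    action(type="omfwd" target="COLLECTOR-ADDR" port="PORT" protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format")
    action(type="omfile" dynaFile="LB_dynaFile"
           template="RSYSLOG_SyslogProtocol23Format")
}
```

Run `rsyslogd -N1` after the change as in the original post; messages that do not match the regex are filed under "unknown-host" rather than producing an empty path component.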

