You got it! It does not like the rules setting, switching to an external file
with a rulebase works... Probably a too old version.
It also does not seem to be able to set path, to nest new properties,
but this is not really important.
Thanks a lot for your help!
Btw, do you have any suggestion about how to re-compose a date-time object
from the individual fields? I'd like to hear from you.
On 5/22/24 00:38, David Lang wrote:
if you do rsyslogd -N1 does it complain about anything?
David Lang
On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:
Date: Wed, 22 May 2024 00:32:25 +0200
From: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
To: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
Cc: Adam Cecile <acec...@letz-it.lu>
Subject: Re: [rsyslog] Unable to re-use variable generated by
mmnormalize
Message is being parsed to a JSON object with all the fields I have in the rule
(e.g. year or dsd-message)... So I guess parsing works, it is just
not run by my configuration file
On May 22, 2024 12:30:19 AM GMT+02:00, David Lang <da...@lang.hm> wrote:
if you post that exact text into your liblognorm test, what do you get?
David Lang
On Wed, 22 May 2024, Adam Cecile via rsyslog wrote:
Date: Wed, 22 May 2024 00:24:08 +0200
From: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
To: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
Cc: Adam Cecile <acec...@letz-it.lu>
Subject: Re: [rsyslog] Unable to re-use variable generated by
mmnormalize
No ;-)
Debug line with all properties:
FROMHOST: '', fromhost-ip: '', HOSTNAME: 'gz-tuma', PRI: 133,
syslogtag 'trace.log', programname: 'trace.log', APP-NAME:
'trace.log', PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 21 23:56:46', STRUCTURED-DATA: '-',
msg: '[21/05/2024 23:56:37] [pcc->cct] 00100t7cc'
escaped msg: '[21/05/2024 23:56:37] [pcc->cct] 00100t7cc'
inputname: imfile rawmsg: '[21/05/2024 23:56:37] [pcc->cct] 00100t7cc'
$!:{ "metadata": { "filename": "<redacted>", "fileoffset":
"3396674" } }
$.:{ "pcc": "t7" }
$/:
On 5/22/24 00:20, David Lang wrote:
if you look at the msg field in the RSYSLOG_DebugFormat output,
you will see that it does have a leading space. your pattern doesn't
David Lang
On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:
Date: Tue, 21 May 2024 23:58:23 +0200
From: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
To: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
Cc: Adam Cecile <acec...@letz-it.lu>
Subject: Re: [rsyslog] Unable to re-use variable generated by
mmnormalize
Just tried, no leading space, message is correct; however, the log
does not contain any trace indicating mmnormalize has tried to
do something.
I guess it is just NOT active for some reason...
On 5/21/24 23:50, David Lang wrote:
log the message with RSYSLOG_DebugFormat so that you can see the
variables that exist.
my guess is that your rule needs a leading space, because the
msg field you are parsing starts with a space (a very common
problem when you are starting to use mmnormalize)
David Lang
On Tue, 21 May 2024, Adam Cecile via rsyslog wrote:
Date: Tue, 21 May 2024 23:37:14 +0200
From: Adam Cecile via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Adam Cecile <acec...@letz-it.lu>
Subject: [rsyslog] Unable to re-use variable generated by
mmnormalize
Hello,
I'm struggling to understand how to use mmnormalize module. My
configuration snippet is the following:
template(name="recordRfc3164FileOutput" type="list") {
    property(name="timestamp" dateFormat="rfc3164")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="$.pcc")
    constant(value="@")
    property(name="syslogtag")
    constant(value=":")
    constant(value=" ")
    property(name="msg")
    constant(value="\n")
}

ruleset(
    name="extractPccNameFromRecordLog"
)
{
    set $.pcc=re_extract($!metadata!filename,"/record_([a-z0-9]{2})/",0,1,"UNMATCHED_PCC");
    action(
        type="mmnormalize"
        rule=["rule=:[%day:number%/%month:number%/%year:number% %hour:number%:%minutes:number%:%seconds:number%] [%dsd-src:string-to:->%->%dsd-dst:char-to:]%] %dsd-message:rest%"]
        useRawMsg="off"
    )
    action(
        type="omfile"
        dirCreateMode="0755"
        FileCreateMode="0644"
        File="/var/log/record.log"
        template="recordRfc3164FileOutput"
    )
}

input(
    type="imfile"
    file="/path/to/record_*/*.log"
    tag="trace.log"
    addmetadata="on"
    ruleset="extractPccNameFromRecordLog"
)
Extraction of pattern from imfile filepath is working fine,
mmnormalize rule is working fine too, according to my test
using "lognormalizer" command line tool to test it.
So I guessed, I could be able to replace property(name="msg")
with property(name="$.dsd-message") or
property(name="$!dsd-message") but all I get is an empty string.
Is there something I missed ?
Thanks in advance,
Regards, Adam.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by
a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO
NOT POST if you DON'T LIKE THAT.
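
An added example, not written by anyone in this thread: the configuration from the original post reworked to use an external rulebase file (the change reported to work above) and to print the parsed fields, including a timestamp re-assembled from the individual date and time fields. The rulebase path /etc/rsyslog.d/record.rb, the template name recordNormalizedOutput and the ISO-style timestamp layout are assumptions; the fields are read from "$!", the default location where mmnormalize stores them.

```rsyslog
# Assumed rulebase file /etc/rsyslog.d/record.rb, holding the rule from the
# original post on ONE line (no leading space: the imfile msg starts with "["):
#
#   rule=:[%day:number%/%month:number%/%year:number% %hour:number%:%minutes:number%:%seconds:number%] [%dsd-src:string-to:->%->%dsd-dst:char-to:]%] %dsd-message:rest%

module(load="mmnormalize")   # omit if the module is already loaded elsewhere

template(name="recordNormalizedOutput" type="list") {
    # Timestamp rebuilt from the fields captured by the rule, e.g.
    # "[21/05/2024 23:56:37]" is written as "2024-05-21T23:56:37"
    property(name="$!year")
    constant(value="-")
    property(name="$!month")
    constant(value="-")
    property(name="$!day")
    constant(value="T")
    property(name="$!hour")
    constant(value=":")
    property(name="$!minutes")
    constant(value=":")
    property(name="$!seconds")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="$.pcc")          # local variable set in the ruleset below
    constant(value="@")
    property(name="syslogtag")
    constant(value=": ")
    property(name="$!dsd-message")  # parsed by mmnormalize, replaces "msg"
    constant(value="\n")
}

ruleset(name="extractPccNameFromRecordLog") {
    set $.pcc = re_extract($!metadata!filename, "/record_([a-z0-9]{2})/", 0, 1, "UNMATCHED_PCC");
    # ruleBase instead of the inline rule=[...] parameter
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/record.rb" useRawMsg="off")
    action(type="omfile" dirCreateMode="0755" FileCreateMode="0644"
           File="/var/log/record.log" template="recordNormalizedOutput")
}

input(type="imfile" file="/path/to/record_*/*.log" tag="trace.log"
      addmetadata="on" ruleset="extractPccNameFromRecordLog")
```

Running rsyslogd -N1 after the change checks the syntax, and logging one message with RSYSLOG_DebugFormat shows whether the parsed fields now appear under "$!" next to "metadata".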