Request assistance with Filters, templates and actions at rsyslog v8.42
My Requirement:

Currently receiving from multiple device types to 514/UDP on a Linux server running rsyslog 8.42.0.

For one type of origin it produces two types of logs in the same syslog stream that we want to separate on the basis of a substring - which appears to be the appname field. When we separate them we want:-
1. The first to be moved to /xxx/yyy/AMP_Local/%HOSTNAME%/messages, to be slightly reformatted as per:-

From:

2020-03-19T11:42:41+08:00 <IPAddr> AMP_Local: Info: Blah Blah

To:

2020-03-19T11:42:41+08:00 <IPAddr> Mar 19 11:42:41 AMP_Local: Info: Blah Blah

ie. incorp "<Mmm> <Dd>


2. The other to be moved to /xxx/yyy/mail_log/%HOSTNAME%/messages - and original log format and content be retained.


Example:

2020-03-19T11:43:05+08:00 <IPAddr> mail_log: Info: Blah Blah

I have tried to find documentation that covers an equivalent requirement, but the examples I have seen don't seem to tie it together. The following may suggest - in very likely very incorrect form - what I am trying to do:-

$template mailfmt,"%hostname% %msg%\n"
$template mailfile="/xxx/yyy/mail_log/%HOSTNAME%/messages"
:msg, contains, " mail_log: " ?mailfile;mailfmt

$template ampfmt,"%hostname% %msg%\n"
$template ampfile="/xxx/yyy/AMP_Local/%HOSTNAME%/messages"
:msg, contains, " AMP_Local: " ?ampfile;ampfmt

You can see it is a mixed up selection of syntax - and it hasn't worked - but I need something to do that job - quite desperately.

I have even tried to script the log handling post-arrival - but it is just too complex and unwieldy. I want insights into these key areas of requirement that can be tied together.

Can anyone help me on this. I would really appreciate it.

regards,
Simon
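
An added example, not part of the original post and not the rsyslog project's own configuration: one way to express the split described above in RainerScript. It assumes rsyslog parses AMP_Local and mail_log as the program name (tag) and that the stored lines shown in the post come from the stock RSYSLOG_FileFormat template; the template names ampFile, mailFile and ampFmt are made up for illustration.

```conf
# Added example; the template names ampFile, mailFile and ampFmt are hypothetical.
# The /xxx/yyy paths are the placeholders used in the post.

# Per-host file names. Over 514/UDP the hostname field is supplied by the
# sender, so secpath-replace turns any "/" in it into "_" before it is
# used as a directory name.
template(name="ampFile" type="string"
         string="/xxx/yyy/AMP_Local/%hostname:::secpath-replace%/messages")
template(name="mailFile" type="string"
         string="/xxx/yyy/mail_log/%hostname:::secpath-replace%/messages")

# AMP_Local line layout: same as RSYSLOG_FileFormat, with the reported
# timestamp repeated in RFC 3164 form ("Mar 19 11:42:41") before the tag.
template(name="ampFmt" type="string"
         string="%timereported:::date-rfc3339% %hostname% %timereported:::date-rfc3164% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# Assumption: the substring is parsed as the syslog tag, so $programname
# matches it exactly. If it is not, test $msg with "contains" instead.
if $programname == "AMP_Local" then {
    action(type="omfile" dynaFile="ampFile" template="ampFmt" createDirs="on")
    stop
}

if $programname == "mail_log" then {
    # Original format and content retained: stock file format template.
    action(type="omfile" dynaFile="mailFile" template="RSYSLOG_FileFormat"
           createDirs="on")
    stop
}
```

The rules need to sit ahead of any catch-all file action for the same input, since stop ends processing of a matched message at that point.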
