Mailing List Archive

$SpaceLFOnReceive - how to use in if statement for one $programname - issue is SpaceLFOnReceive applies regardless of $programname
Hi.

Wondering if anyone can help

I forward all syslog messages (linux) using (syslog server ip has been
removed.)

if $fromhost-ip == '127.0.0.1' then @syslogserverip:514

And this works.

However, I am trying to send Aide check output via syslog using systemd-cat

I have an issue with spacing, etc. (i.e. I see #012 all over the output on
the remote server)

The solution is to use

$SpaceLFOnReceive on

This fixes the #012 issue.

However I didn't want to set this globally so I have created if
statements in rsyslog conf


e.g

if $fromhost-ip == '127.0.0.1' and $programname != 'aide' then {
   @syslogserverip:514
}

if $programname == 'aide' then {
   $SpaceLFOnReceive on
   @syslogserverip:514
}


The if statement works - apart from the $SpaceLFOnReceive on part

e.g. if I enable $SpaceLFOnReceive on in the 2nd if statement it applies
to anything

i.e. I have tested replacing $programname with sshd in both if statements
but $SpaceLFOnReceive on is enabled if I use any service.

Is there a way to make $SpaceLFOnReceive apply to just a specified
$programname?


Thanks


--
Sincerely yours,
/Morgan Cox/
/System Administrator/
+44 115 753 0120
M.Cox@compassplus.com



_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: $SpaceLFOnReceive - how to use in if statement for one $programname - issue is SpaceLFOnReceive applies regardless of $programname
No, that is a universal parser directive.

One thing that's confusing about rsyslog configs is that there are two types of
things in the config:

1. things processed at startup to configure rsyslog

2. things processed per message to manipulate that message

It doesn't matter where in the config you put the startup items; they all get
processed at startup time.

By the time you are processing the message, directives like this one have or
have not already had their effect (they are things that happen as the message is
being parsed, before you know anything about it).

Can you give us an example of a message that you are having problems with?
Ideally the rawmsg as shown by the RSYSLOG_DebugFormat template.

David Lang

On Thu, 5 Jan 2023, Morgan Cox via rsyslog wrote:

> Date: Thu, 5 Jan 2023 17:07:57 +0000
> From: Morgan Cox via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Morgan Cox <m.cox@compassplus.com>
> Subject: [rsyslog] $SpaceLFOnReceive - how to use in if statement for one
> $programname - issue is SpaceLFOnReceive applies regardless of
> $programname
Re: $SpaceLFOnReceive - how to use in if statement for one $programname - issue is SpaceLFOnReceive applies regardless of $programname
Thanks for clarifying David.  I could see the if statement was otherwise
working

Here is an example debug line

Debug line with all properties:
FROMHOST: 'mcox-acs-test', fromhost-ip: '127.0.0.1', HOSTNAME: 'mcox-acs-test', PRI: 37,
syslogtag 'aide[2987]:', programname: 'aide', APP-NAME: 'aide', PROCID: '2987', MSGID: '-',
TIMESTAMP: 'Jan  6 14:06:02', STRUCTURED-DATA: '-',
msg: '#012#012End timestamp: 2023-01-06 14:06:02 +0000 (run time: 0m 0s)'
escaped msg: '#012#012End timestamp: 2023-01-06 14:06:02 +0000 (run time: 0m 0s)'
inputname: imjournal rawmsg: '#012#012End timestamp: 2023-01-06 14:06:02 +0000 (run time: 0m 0s)'
$!:{ "_TRANSPORT": "syslog", "_UID": "0", "_GID": "0", "_MACHINE_ID": "a64ab243d93144128694b0be9d05ae60", "_HOSTNAME": "mcox-acs-test", "PRIORITY": "5", "SYSLOG_IDENTIFIER": "aide", "_SELINUX_CONTEXT": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "SYSLOG_FACILITY": "4", "_BOOT_ID": "0a5c2493ccf347c19745d8eaf473e003", "_PID": "2987", "MESSAGE": "\n\nEnd timestamp: 2023-01-06 14:06:02 +0000 (run time: 0m 0s)", "_SOURCE_REALTIME_TIMESTAMP": "1673013962145150" }
$.:
$/:

This led to the #012 appearing in the remote server

Jan  6 13:59:53 test aide[2953]: #012#012End timestamp: 2023-01-06 13:59:53 +0000 (run time: 0m 0s)

Is there another option to change the output but just for this
application? (I'm worried about the effect on other logs if I enable
SpaceLFOnReceive globally.)


Thanks for your help so far - much appreciated


On 05/01/2023 17:17, David Lang wrote:
--
Sincerely yours,
/Morgan Cox/
/System Administrator/
+44 115 753 0120
M.Cox@compassplus.com

Re: $SpaceLFOnReceive - how to use in if statement for one $programname - issue is SpaceLFOnReceive applies regardless of $programname
The problem is that these are multi-line messages (#012 is LF). This
will most probably hurt you in later log processing and may give
problems in log forwarding. Thus they are escaped. Validly formed logs
usually have no LF. If and only if the other log sources behave well,
there would be no problem with enabling that globally.

Rainer

On Fri, 6 Jan 2023 at 15:11, Morgan Cox via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
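
Added example, not part of any message in this thread and not rsyslog's own code: since the parser directive cannot be scoped to one $programname, this sketch leaves rsyslog's escaping on everywhere and rewrites the "#012" LF escape only for chosen programs when post-processing lines on the receiving side. It assumes the traditional file format shown in the thread and the default "#" plus three-digit octal escape; the function name and all sample lines except the first are constructed.

```python
import re

LF_ESCAPE = "#012"  # default rsyslog escape for LF: '#' + three-digit octal code

# Traditional file-format line: "Mon dd hh:mm:ss host prog[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<head>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?:) ?(?P<msg>.*)$"
)


def normalize(line, programs=frozenset({"aide"}), split=False):
    """Return the cleaned form(s) of one received log line as a list.

    Lines from other programs, and lines that do not parse, come back
    unchanged, so an escaped LF in e.g. an sshd message stays visible.
    split=False joins the segments with a space (the effect SpaceLFOnReceive
    has, but only for the selected programs); split=True emits one
    single-line record per segment, each with the original header.
    """
    m = LINE_RE.match(line)
    if not m or m.group("prog") not in programs:
        return [line]
    parts = [p.strip() for p in m.group("msg").split(LF_ESCAPE)]
    parts = [p for p in parts if p]  # drop empty segments from leading/doubled LFs
    if not parts:
        return [m.group("head")]
    if split:
        return [f"{m.group('head')} {p}" for p in parts]
    return [f"{m.group('head')} {' '.join(parts)}"]


# First line is the one quoted in the thread; the other two are constructed.
AIDE_LINE = ("Jan  6 13:59:53 test aide[2953]: #012#012End timestamp: "
             "2023-01-06 13:59:53 +0000 (run time: 0m 0s)")
AIDE_MULTI = ("Jan  6 13:59:53 test aide[2953]: Start timestamp: "
              "2023-01-06 13:59:53 +0000#012AIDE found NO differences")
SSHD_LINE = "Jan  6 14:00:02 test sshd[3001]: Invalid user bob#012 from 192.0.2.10"

if __name__ == "__main__":
    for sample in (AIDE_LINE, AIDE_MULTI, SSHD_LINE):
        for out in normalize(sample, split=True):
            print(out)
```

A literal "#012" that a program wrote itself cannot be told apart from an escaped LF, which is one more reason to restrict the rewrite to programs whose output is known.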