Mailing List Archive

syslog tag not automatically detected
Hi.

Which *property* would be "*queries*" when processing the following line?

01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query:
e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)

AFAIK, *programname*, but with the following configuration it returns
*dns-query* :(

module(load="imfile")
template(name="json" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@source_timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"source_message\":\"")
    property(name="msg")
    constant(value="\",\"source_hostname\":\"")
    property(name="hostname")
    constant(value="\",\"source_severity\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"source_facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"source_tag\":\"")
    property(name="syslogtag")
    constant(value="\",\"source_app\":\"")
    property(name="programname")
    constant(value="\",\"source_filename\":\"")
    property(name="$.filename")
    constant(value="\"}\n")
}
input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on" tag="dns-query" ruleset="syslog")
ruleset(name="syslog") {
    # copy the file name that addMetadata="on" attaches to each message
    set $.filename = $!metadata!filename;
    action(type="omfwd" target="myserver" port="514" protocol="udp" template="json")
}

Thanks a lot for your help
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: syslog tag not automatically detected [ In reply to ]
You're explicitly telling your imfile to apply the *dns-query* tag. I'd
say that this behaviour is expected. $programname is the "static" part
of tag. The tag is *dns-query*. So...

On 1.03.2023 13:25, Tan Mientras via rsyslog wrote:
> Hi.
>
> Which *property* would be "*queries*" when processing the following line?
>
> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
> 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query:
> e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
>
> AFAIK, *programname*, but with the following configuration it returns
> *dns-query* :(
Re: syslog tag not automatically detected [ In reply to ]
I'm not sure I understood properly.
imfile has a mandatory tag required, but apart from that, the line contains
a "static" string "*queries*"

Which *property* would be "*queries*" when processing the line...or is it
impossible?

01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query:
e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)

On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> You're explicitly telling your imfile to apply the *dns-query* tag. I'd
> say that this behaviour is expected. $programname is the "static" part
> of tag. The tag is *dns-query*. So...
Re: syslog tag not automatically detected [ In reply to ]
As my colleague used to say - try and see. Define logging action with
RSYSLOG_DebugFormat template and see what your properties are.

On 1.03.2023 13:50, Tan Mientras via rsyslog wrote:
> I'm not sure I understood properly.
> imfile has a mandatory tag required, but apart from that, the line contains
> a "static" string "*queries*"
>
> Which *property* would be "*queries*" when processing the line...or is it
> impossible?
>
> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
> 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: query:
> e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
Re: syslog tag not automatically detected [ In reply to ]
Unless explicitly instructed to parse syslog header elements out of an imfile source, the entire imfile content is contained in the “msg” property. That is to say rsyslog will construct the standard syslog header elements and then append the line from the file as the msg property.

Regards


> On Mar 1, 2023, at 06:55, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> As my colleague used to say - try and see. Define logging action with RSYSLOG_DebugFormat template and see what your properties are.
Re: syslog tag not automatically detected [ In reply to ]
Also, I don't think the '*' character is valid in the syslogtag, so I think it
would put that into the msg field as well

If you are ever wondering how rsyslog has parsed a message, log it with the
built-in template RSYSLOG_DebugFormat and it will give you lots of the gory
details.

David Lang

On Wed, 1 Mar 2023, John Chivian via rsyslog wrote:

> Unless explicitly instructed to parse syslog header elements out of an imfile source, the entire imfile content is contained in the “msg” property. That is to say rsyslog will construct the standard syslog header elements and then append the line from the file as the msg property.
>
> Regards
Re: syslog tag not automatically detected [ In reply to ]
After testing what you said, there doesn't seem to be a property which
returns "queries", and I'll only be able to parse it using something like
grok.
Did I understand right?

On Wed, Mar 1, 2023 at 1:55 PM Mariusz Kruk via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> As my colleague used to say - try and see. Define logging action with
> RSYSLOG_DebugFormat template and see what your properties are.
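The parsing step the thread converges on can also be done inside rsyslog, before forwarding. The following is an added example, not configuration posted by anyone in the thread: it reuses the original post's imfile input, target and template layout, and pulls the BIND fields out of $msg with the RainerScript function re_extract(). The $.bind_*, $.client_* and $.q* variable names and the regular expressions (POSIX ERE) are assumptions written against the sample line above, with the bold markers removed.

```rsyslog
module(load="imfile")

# Layout follows the template from the original post, shortened, with the
# extracted values appended. All "$." names below are local variables
# introduced for this example.
template(name="json" type="list" option.json="on") {
    constant(value="{")
    constant(value="\"@source_timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"source_message\":\"")
    property(name="msg")
    constant(value="\",\"source_hostname\":\"")
    property(name="hostname")
    # programname is derived from the tag set on the input: "dns-query"
    constant(value="\",\"source_app\":\"")
    property(name="programname")
    constant(value="\",\"source_filename\":\"")
    property(name="$.filename")
    # values taken out of the file line itself
    constant(value="\",\"bind_category\":\"")
    property(name="$.bind_category")
    constant(value="\",\"bind_severity\":\"")
    property(name="$.bind_severity")
    constant(value="\",\"client_ip\":\"")
    property(name="$.client_ip")
    constant(value="\",\"client_port\":\"")
    property(name="$.client_port")
    constant(value="\",\"qname\":\"")
    property(name="$.qname")
    constant(value="\",\"qtype\":\"")
    property(name="$.qtype")
    constant(value="\"}\n")
}

ruleset(name="syslog") {
    set $.filename = $!metadata!filename;

    # imfile leaves the whole line in $msg, so the category ("queries") and
    # severity ("info") are the two colon-terminated words after date and time.
    # re_extract(expr, regex, match, submatch, value-if-not-found)
    set $.bind_category = re_extract($msg, "^ ?[^ ]+ [^ ]+ ([^: ]+): ([^: ]+):", 0, 1, "");
    set $.bind_severity = re_extract($msg, "^ ?[^ ]+ [^ ]+ ([^: ]+): ([^: ]+):", 0, 2, "");

    # "client @0x7fb258b56d80 30.0.30.142#59640": the @0x... object id is
    # optional, so it sits in its own group and address/port are groups 2 and 3.
    set $.client_ip   = re_extract($msg, "client (@0x[0-9a-f]+ )?([^ #]+)#([0-9]+)", 0, 2, "");
    set $.client_port = re_extract($msg, "client (@0x[0-9a-f]+ )?([^ #]+)#([0-9]+)", 0, 3, "");

    # "query: e8333.g.akamaiedge.net IN A": name, class, type
    set $.qname = re_extract($msg, " query: ([^ ]+) ([^ ]+) ([^ ]+)", 0, 1, "");
    set $.qtype = re_extract($msg, " query: ([^ ]+) ([^ ]+) ([^ ]+)", 0, 3, "");

    action(type="omfwd" target="myserver" port="514" protocol="udp" template="json")
}

input(type="imfile" file="/var/log/bind/DNSquery.log" addMetadata="on"
      tag="dns-query" ruleset="syslog")
```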
Re: syslog tag not automatically detected [ In reply to ]
> Also, I don't think the '*' character is valid in the syslogtag
I'm not using "*", I'm just setting it *BOLD*, but your mail client doesn't
like it ;)

On Wed, Mar 1, 2023 at 2:07 PM David Lang via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> Also, I don't think the '*' character is valid in the syslogtag, so I think it
> would put that into the msg field as well
>
> If you are ever wondering how rsyslog has parsed a message, log it with the
> built-in template RSYSLOG_DebugFormat and it will give you lots of the gory
> details.
>
> David Lang
>
> On Wed, 1 Mar 2023, John Chivian via rsyslog wrote:
>
> > Unless explicitly instructed to parse syslog header elements out of an
> imfile source, the entire imfile content is contained in the “msg”
> property. That is to say rsyslog will construct the standard syslog
> header elements and then append the line from the file as the msg property.
> >
> > Regards
> >
> >
> >> On Mar 1, 2023, at 06:55, Mariusz Kruk via rsyslog <
> rsyslog@lists.adiscon.com> wrote:
> >>
> >> As my colleague used to say - try and see. Define logging action with
> RSYSLOG_DebugFormat template and see what your properties are.*
> >> *
> >>
> >> On 1.03.2023 13:50, Tan Mientras via rsyslog wrote:
> >>> Im not sure I understood properly.
> >>> imfile has a mandatory tag required. but apart from that, the line
> contains
> >>> a "static" string "*queries*"
> >>>
> >>> Which *property* would be "*queries*" when processing the line...or is
> it
> >>> impossible?
> >>>
> >>> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
> >>> 30.0.30.142#59640
> >>> (e8333.g.akamaiedge.net): view internal-view: query:
> e8333.g.akamaiedge.net IN
> >>> A +E(0)D (192.168.2.254)
> >>>
> >>> On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <
> >>> rsyslog@lists.adiscon.com> wrote:
> >>>
> >>>> You're explicitly telling your imfile to apply the *dns-query* tag.
> I'd
> >>>> say that this behaviour is expected. $programname is the "static" part
> >>>> of tag. The tag is *dns-query*. So...
> >>>>
> >>>> On 1.03.2023 13:25, Tan Mientras via rsyslog wrote:
> >>>>> Hi.
> >>>>>
> >>>>> Which *property* would be "*queries*" when processing the following
> line?
> >>>>>
> >>>>> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
> >>>>> 30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view:
> query:
> >>>>> e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)
> >>>>>
> >>>>> AFAIK, *programname*, but with the following configuration it returns
> >>>>> *dns-query* :(
> >>>>>
> >>>>> module(load="imfile")
> >>>>> template(name="json" type="list" option.json="on") {
> >>>>> constant(value="{")
> >>>>> constant(value="\"@source_timestamp\":\"")
> >>>>> property(name="timereported" dateFormat="rfc3339")
> >>>>> constant(value="\",\"source_message\":\"")
> >>>>> property(name="msg")
> >>>>> constant(value="\",\"source_hostname\":\"")
> >>>>> property(name="hostname")
> >>>>> constant(value="\",\"source_severity\":\"")
> >>>>> property(name="syslogseverity-text")
> >>>>> constant(value="\",\"source_facility\":\"")
> >>>>> property(name="syslogfacility-text")
> >>>>> constant(value="\",\"source_tag\":\"")
> >>>>> property(name="syslogtag")
> >>>>> constant(value="\",\"source_app\":\"")
> >>>>> property(name="*programname*")
> >>>>> constant(value="\",\"source_filename\":\"")
> >>>>> property(name="$.filename")
> >>>>> constant(value="\"}\n")
> >>>>> }
> >>>>> input(type="imfile" file="/var/log/bind/DNSquery.log"
> addMetadata="on"
> >>>> tag="
> >>>>> *dns-query*" ruleset="syslog")
> >>>>> ruleset(name="syslog") {
> >>>>> set $.filename = $!metadata!filename;
> >>>>> action(type="omfwd" target="myserver" port="514"
> protocol="udp"
> >>>>> template="json")
> >>>>> }
> >>>>>
> >>>>> Thanks a lot for your help
Re: syslog tag not automatically detected [ In reply to ]
that's what I'm guessing, but you should check what you are getting and attempt
to turn on the feature to have imfile parse the lines from imfile as if they
were sent as syslog messages. I say that I don't think '*' is allowed, because I
think that it's forbidden by the RFC, so rsyslog has to guess what to do and I
expect that it puts it in the msg field.

you will see this when you log with debugformat.

depending on how successful rsyslog is in parsing the log as a syslog message,
it's possible that *queries* will be the very beginning of the msg field, which
will make it very easy to detect and parse; if not, it's more work.

mmnormalize is a different beast than regex extraction that grok does, but it is
FAR more efficient, so worth the time to learn.

If you can fix the thing that's writing these messages to not put illegal
characters in them, it will be easier.

David Lang

On Wed, 1 Mar 2023, Tan Mientras via rsyslog wrote:

> After testing what you said, there doesn't seem to be a property which
> returns "queries", and I'll only be able to parse it using something like
> grok.
> Did I understand right?
>
> On Wed, Mar 1, 2023 at 1:55 PM Mariusz Kruk via rsyslog <
> rsyslog@lists.adiscon.com> wrote:
>
>> As my colleague used to say - try and see. Define a logging action with the
>> RSYSLOG_DebugFormat template and see what your properties are.
>>
>> On 1.03.2023 13:50, Tan Mientras via rsyslog wrote:
>>> I'm not sure I understood properly.
>>> imfile has a mandatory tag required, but apart from that, the line
>> contains
>>> a "static" string "*queries*"
>>>
>>> Which *property* would be "*queries*" when processing the line...or is it
>>> impossible?
>>>
>>> 01-Mar-2023 13:20:23.998 *queries*: info: client @0x7fb258b56d80
>>> 30.0.30.142#59640
>>> (e8333.g.akamaiedge.net): view internal-view: query:
>> e8333.g.akamaiedge.net IN
>>> A +E(0)D (192.168.2.254)
>>>
>>> On Wed, Mar 1, 2023 at 1:35 PM Mariusz Kruk via rsyslog <
>>> rsyslog@lists.adiscon.com> wrote:
>>>
>>>> You're explicitly telling your imfile to apply the *dns-query* tag. I'd
>>>> say that this behaviour is expected. $programname is the "static" part
>>>> of tag. The tag is *dns-query*. So...
Re: syslog tag not automatically detected [ In reply to ]
There is also an option for imfile called needParse
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html

Might work, might not - never used it myself. But always worth giving it
a try.

On 1.03.2023 14:21, David Lang via rsyslog wrote:
> that's what I'm guessing, but you should check what you are getting
> and attempt to turn on the feature to have imfile parse the lines from
> imfile as if they were sent as syslog messages. I say that I don't
> think '*' is allowed, because I think that it's forbidden by the RFC,
> so rsyslog has to guess what to do and I expect that it puts it in the
> msg field.
>
> you will see this when you log with debugformat.
>
> depending on how successful rsyslog is in parsing the log as a syslog
> message, it's possible that *queries* will be the very beginning of
> the msg field, which will make it very easy to detect and parse; if
> not, it's more work.
>
> mmnormalize is a different beast than regex extraction that grok does,
> but it is FAR more efficient, so worth the time to learn.
>
> If you can fix the thing that's writing these messages to not put
> illegal characters in them, it will be easier.
>
> David Lang
Re: syslog tag not automatically detected [ In reply to ]
The needParse option for imfile is how you tell rsyslog to attempt to read syslog header elements out of the imfile content. If it is not used, then everything read from the file is in the “msg” property.

Regards,


> On Mar 1, 2023, at 07:23, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> There is also an option for imfile called needParse https://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html
>
> Might work, might not - never used it myself. But always worth giving it a try.
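Added example, not part of any poster's message and not rsyslog code: with needParse unset the whole BIND line sits in msg, so the category has to be pulled out of the text, and this Python sketch does the regex extraction the thread compares with grok on the line from the original post. The group names, the `parsed` and `dns` keys, and the assumption that the asterisks around "queries" are e-mail emphasis (accepted but optional here) are this example's own.

```python
import json
import re

# Layout of the line in the original post, assuming the BIND channel prints
# time, category and severity: "<date> <time> <category>: <severity>: <text>".
# The asterisks around "queries" in the e-mail are accepted but not required.
HEADER = re.compile(
    r"^(?P<day>\d{2})-(?P<mon>[A-Za-z]{3})-(?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\*?(?P<category>[A-Za-z0-9_-]+)\*?: "
    r"(?P<severity>[a-z]+): (?P<text>.*)$"
)

# Body of a "queries" record as it appears in the posted line.
QUERY = re.compile(
    r"^client (?:@(?P<client_obj>0x[0-9a-f]+) )?"
    r"(?P<client_ip>[0-9A-Fa-f.:]+)#(?P<client_port>\d+) "
    r"\((?P<orig_name>[^)]*)\): "
    r"(?:view (?P<view>[^:]+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server_ip>[0-9A-Fa-f.:]+)\)$"
)

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_bind_line(line):
    """Split one log line into header fields; None if the header is absent."""
    head = HEADER.match(line.rstrip("\r\n"))
    if head is None or head["mon"] not in MONTHS:
        return None
    rec = {
        # The posted line carries no time zone, so the value stays zone-less.
        "timestamp": "%s-%02d-%sT%s" % (
            head["year"], MONTHS[head["mon"]], head["day"], head["time"]),
        "category": head["category"],
        "severity": head["severity"],
        "text": head["text"],
    }
    if rec["category"] == "queries":
        q = QUERY.match(rec["text"])
        if q is not None:
            rec["query"] = q.groupdict()
            rec["query"]["client_port"] = int(rec["query"]["client_port"])
    return rec


def to_event(line, imfile_tag="dns-query"):
    """Build the fields the thread's JSON template emits, with the category
    as source_app. Lines that do not parse keep the imfile tag and are
    flagged, so they can be counted instead of silently mislabelled."""
    rec = parse_bind_line(line)
    event = {
        "source_tag": imfile_tag,
        "source_app": rec["category"] if rec else imfile_tag,
        "source_message": line.rstrip("\r\n"),
        "parsed": rec is not None,
    }
    if rec:
        event["@source_timestamp"] = rec["timestamp"]
        event["source_severity"] = rec["severity"]
        if "query" in rec:
            event["dns"] = rec["query"]
    return event


# The line from the original post with its e-mail line wraps joined and the
# emphasis asterisks removed, then the same line with the asterisks kept.
POSTED = ("01-Mar-2023 13:20:23.998 queries: info: client @0x7fb258b56d80 "
          "30.0.30.142#59640 (e8333.g.akamaiedge.net): view internal-view: "
          "query: e8333.g.akamaiedge.net IN A +E(0)D (192.168.2.254)")
AS_PRINTED = POSTED.replace(" queries: ", " *queries*: ")
# Constructed lines: another category, and text with no BIND header at all.
OTHER_CATEGORY = "01-Mar-2023 13:20:24.101 general: info: constructed sample text"
NO_HEADER = "constructed line without a BIND header"

if __name__ == "__main__":
    for sample in (POSTED, AS_PRINTED, OTHER_CATEGORY, NO_HEADER):
        print(json.dumps(to_event(sample), sort_keys=True))
```

The imfile tag stays in `source_tag` in every case; only `source_app` changes, which is the split the thread was asking about.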
Re: syslog tag not automatically detected [ In reply to ]
Post the output of the debug file template.

Rainer

Sent from phone, thus brief.

John Chivian via rsyslog <rsyslog@lists.adiscon.com> wrote on Wed, 1 March
2023, 14:33:

> The needParse option for imfile is how you tell rsyslog to attempt to read
> syslog header elements out of the imfile content. If it is not used, then
> everything read from the file is in the “msg” property.
>
> Regards,