xfustero at gmail
May 24, 2012, 3:59 AM
Post #5 of 9
(322 views)
Permalink
|
|
Re: Replacing regular expression for particular tag
[In reply to]
|
|
HI,
Inline ...
On 23 May 2012 20:41, <david [at] lang> wrote:
> On Wed, 23 May 2012, Xavier Fustero wrote:
>
> Hi,
>>
>> On 17 May 2012 22:50, <david [at] lang> wrote:
>>
>> There are some new features in version 6 that will allow you to create
>>> your own tags (either the liblognorm stuff or the project lumberjack
>>> stuff)
>>>
>>>
>> thanks. I will check if it makes sense for us to move to version 6.
>>
>>
>>
>>
>>> you can't modify any existing tags once the log is received, but you
>>> could
>>> change the sender to put a tag in the right place so that it will get
>>> parsed by the central server as one of those tags.
>>>
>>>
>> That's exactly what I am trying to do. Creating a tag from sender. I can
>> create a template and put the text I want but I can't find through the
>> docs
>> how to extract this as a tag.
>>
>> I have something like this in my client: $template lala,"%syslogtag%
>> HOST_ID %msg%"
>>
>> My problem is I would like to parse this HOST_ID as a tag but I couldn't
>> find how so I am using a regular expression on the server to do this.
>> This
>> HOST_ID is always 01-(+7 alphanumeric characters).
>>
>> $Template Dyn_messages,
>> "/var/log/%msg:R,ERE,0,DFLT:**01\-[0-9A-Z]{7}--end%/**messages"
>>
>> and I would like to replace for something like
>>
>> $Template Dyn_messages, "/var/log/%HOST_ID%/messages"
>>
>
> right now you have two choices.
>
> 1. put the HOST_ID in place of the servername in your template so that it
> gets parsed as %hostname%
>
Correct me if I am wrong. Do you mean I should change something like (in
the client):
$template hostID,"%TIMESTAMP% *%HOSTNAME%* %syslogtag%
%syslogfacility-text% %syslogseverity% %msg%\n"
to
$template hostID,"%TIMESTAMP% *01-1V8IMU1* %syslogtag%
%syslogfacility-text% %syslogseverity% %msg%\n" ?
...
*.* :omrelp:127.0.0.1:20500;hostID
and then, in the server, I will be able to replace the regular expression
$Template Dyn_messages,
"/var/log//xavi/%msg:R,ERE,0,DFLT:01\-[0-9A-Z]{7}--end%/messages"
for
$Template Dyn_messages, "/var/log/xavi/%HOSTNAME%/messages" ?
I don't understand how rsyslog from server knows %HOSTNAME% is the tag I
hardcoded in the client template.
I might be missing something...
Thanks,
Xavi
> 2. use version 6 with either the project lumberjack parsing of JSON
> messages or the mmnormalize module to create custom tags.
>
>
> how many different types of tags are you talking about here? is it a
>>> handful (where you could create specific rules for each tag)? or are
>>> there
>>> a lot (where you really need to use the dynafile to create all the
>>> destination directories)
>>>
>>>
>> There will be a lot. This is a project for launching nodes in the cloud.
>>
>
> In that case, you probably want to go with the version 6.3+ stuff that
> lets you create custom tags by either parsing JSON formatted messages or
> with the mmnormalize module
>
> David Lang
>
> Thanks a lot,
>> Xavi
>>
>>
>>
>>> David Lang
>>>
>>> On Thu, 17 May 2012, Xavier Fustero wrote:
>>>
>>> Date: Thu, 17 May 2012 09:52:38 +0200
>>>
>>>> From: Xavier Fustero <xfustero [at] gmail>
>>>> Reply-To: rsyslog-users <rsyslog [at] lists>
>>>> To: rsyslog [at] lists
>>>> Subject: [rsyslog] Replacing regular expression for particular tag
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I want to ask what would be the best way to implement the following. I
>>>> have
>>>> a several nodes identified with a particular ID (e.g: 01-9291212,
>>>> 01-823HHK1). Those servers send their logs to a central rsyslog server
>>>> (RELP + stunnel). I want to create a directory entry on the server with
>>>> this ID name. Like rsyslog-server:/var/logs/01-****9291212,
>>>>
>>>> /var/logs/01-823HHK1 and so on.
>>>>
>>>> My first attempt was to create a template on the client side and add
>>>> this
>>>> ID manually
>>>>
>>>> $template ID,"%TIMESTAMP% %HOSTNAME% %syslogtag% %syslogfacility-text%
>>>> %syslogseverity-text% *ID: 01-XXXXXXX* %syslogtag% %msg%\n
>>>>
>>>> *.* :omrelp:127.0.0.1:port_number;****ID
>>>>
>>>>
>>>> On the server side, I have created a regular expression to match a
>>>> string
>>>> like 01-([0-9A-Za-a]{7} (my ID's format) and created dynamic templates
>>>> for
>>>> each particular log: messages, maillog, cron, secure, etc.
>>>>
>>>> E.g.: $Template Dyn_messages,
>>>> "/var/log/%msg:R,ERE,0,DFLT:****01\-[0-9A-Z]{7}--end%/****messages"
>>>> $template
>>>> Dyn_cron,"/var/log/%msg:R,ERE,****0,DFLT:01\-[0-9A-Z]{7}--end%**
>>>> /**cron"
>>>>
>>>> ...
>>>>
>>>> I have a sequence of if/else where depending on facilities it sends to
>>>> one
>>>> or another dynamic template. However, I would like to replace regular
>>>> expression for something like a %my_particular_tag%. I can't see the
>>>> way I
>>>> can create this particular tag. They seem to be hardcoded. I also try to
>>>> modify property names (hostname,syslogtag,etc) and replace it for a
>>>> completely new name (my ID) but I can't find how to do this.
>>>> %propname:fromChar:toChar:****options:fieldname% doesn't seem to allow
>>>>
>>>> this.
>>>>
>>>> I would like to get ridd off regular expressions. They have an impact in
>>>> performance and complicate my templates on the server side. They also
>>>> created the directory **NO MATCH** which I would like to avoid. Using
>>>> tags, templates on server side would be something like:
>>>>
>>>> $Template Dyn_messages, "/var/log/%mytag%/messages"
>>>> ...
>>>>
>>>> Does anybody know how to do this?
>>>>
>>>> Thanks in advance,
>>>> Xavi
>>>> ______________________________****_________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog<http://lists.adiscon.net/**mailman/listinfo/rsyslog>
>>>> <http:**//lists.adiscon.net/mailman/**listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>>>> >
>>>> http://www.rsyslog.com/****professional-services/<http://www.rsyslog.com/**professional-services/>
>>>> <http://**www.rsyslog.com/professional-**services/<http://www.rsyslog.com/professional-services/>
>>>> >
>>>>
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>
>>>> ______________________________****_________________
>>>>
>>> rsyslog mailing list
>>> http://lists.adiscon.net/****mailman/listinfo/rsyslog<http://lists.adiscon.net/**mailman/listinfo/rsyslog>
>>> <http:**//lists.adiscon.net/mailman/**listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>>> >
>>> http://www.rsyslog.com/****professional-services/<http://www.rsyslog.com/**professional-services/>
>>> <http://**www.rsyslog.com/professional-**services/<http://www.rsyslog.com/professional-services/>
>>> >
>>>
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>
>>> ______________________________**_________________
>> rsyslog mailing list
>> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
>> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>
>> ______________________________**_________________
> rsyslog mailing list
> http://lists.adiscon.net/**mailman/listinfo/rsyslog<http://lists.adiscon.net/mailman/listinfo/rsyslog>
> http://www.rsyslog.com/**professional-services/<http://www.rsyslog.com/professional-services/>
> What's up with rsyslog? Follow https://twitter.com/rgerhards
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
|
