
Mailing List Archive: RSyslog: users

Adding PROGRAMNAME to structured syslog messages

 

 



carlopmart at gmail

Jun 4, 2012, 2:42 AM

Post #1 of 9
Adding PROGRAMNAME to structured syslog messages

Hi all,

I am trying to add the %PROGRAMNAME% flag to some logs received from
different devices sent in structured syslog format. I have tried to
create a template to accomplish this, but it doesn't work. Is it
possible to do this? Trying with syslog-ng works, but I didn't find
how to do this with rsyslog.

Thanks.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards


david at lang

Jun 4, 2012, 3:02 AM

Post #2 of 9
Re: Adding PROGRAMNAME to structured syslog messages

what is the template that you tried, what did you expect to get and what
did you get instead.

It should be very straightforward to do what you are asking for (If I
understand it right), but more details would help identify the problem.

David Lang

On Mon, 4 Jun 2012, C. L. Martinez wrote:

> Hi all,
>
> I am trying to add the %PROGRAMNAME% flag to some logs received from
> different devices sent in structured syslog format. I have tried to
> create a template to accomplish this, but it doesn't work. Is it
> possible to do this? Trying with syslog-ng works, but I didn't find
> how to do this with rsyslog.
>
> Thanks.


carlopmart at gmail

Jun 4, 2012, 3:04 AM

Post #3 of 9
Re: Adding PROGRAMNAME to structured syslog messages

On Mon, Jun 4, 2012 at 12:02 PM, <david [at] lang> wrote:
> what is the template that you tried, what did you expect to get and what did
> you get instead.
>
> It should be very straightforward to do what you are asking for (If I
> understand it right), but more details would help identify the problem.
>
> David Lang
>
>

I have tried this:

$template rfc5424fmt,"PROGRAM: my_logs <%PRI%>1
%TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID%
%STRUCTURED-DATA% %msg%\n"


carlopmart at gmail

Jun 4, 2012, 5:56 AM

Post #4 of 9
Re: Adding PROGRAMNAME to structured syslog messages

On Mon, Jun 4, 2012 at 12:04 PM, C. L. Martinez <carlopmart [at] gmail> wrote:
> On Mon, Jun 4, 2012 at 12:02 PM,  <david [at] lang> wrote:
>> what is the template that you tried, what did you expect to get and what did
>> you get instead.
>>
>> It should be very straightforward to do what you are asking for (If I
>> understand it right), but more details would help identify the problem.
>>
>> David Lang
>>
>>
>
> I have tried this:
>
> $template rfc5424fmt,"PROGRAM: my_logs <%PRI%>1
> %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID%
> %STRUCTURED-DATA% %msg%\n"

Any help??


david at lang

Jun 4, 2012, 4:37 PM

Post #5 of 9
Re: Adding PROGRAMNAME to structured syslog messages

On Mon, 4 Jun 2012, C. L. Martinez wrote:

> On Mon, Jun 4, 2012 at 12:04 PM, C. L. Martinez <carlopmart [at] gmail> wrote:
>> On Mon, Jun 4, 2012 at 12:02 PM,  <david [at] lang> wrote:
>>> what is the template that you tried, what did you expect to get and what did
>>> you get instead.
>>>
>>> It should be very straightforward to do what you are asking for (If I
>>> understand it right), but more details would help identify the problem.
>>>
>>> David Lang
>>>
>>>
>>
>> I have tried this:
>>
>> $template rfc5424fmt,"PROGRAM: my_logs <%PRI%>1
>> %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID%
>> %STRUCTURED-DATA% %msg%\n"
>
> Any help??

give people time to respond :-)

what do you get from this, and what are you expecting to get from this?

what version of rsyslog are you running?

you may want to try PROGRAMNAME instead of APP-NAME depending on what your
log source is.

David Lang


carlopmart at gmail

Jun 4, 2012, 10:49 PM

Post #6 of 9
Re: Adding PROGRAMNAME to structured syslog messages

On Tue, Jun 5, 2012 at 1:37 AM, <david [at] lang> wrote:
> On Mon, 4 Jun 2012, C. L. Martinez wrote:
>
>> On Mon, Jun 4, 2012 at 12:04 PM, C. L. Martinez <carlopmart [at] gmail>
>> wrote:
>>>
>>> On Mon, Jun 4, 2012 at 12:02 PM,  <david [at] lang> wrote:
>>>>
>>>> what is the template that you tried, what did you expect to get and what
>>>> did
>>>> you get instead.
>>>>
>>>> It should be very straightforward to do what you are asking for (If I
>>>> understand it right), but more details would help identify the problem.
>>>>
>>>> David Lang
>>>>
>>>>
>>>
>>> I have tried this:
>>>
>>> $template rfc5424fmt,"PROGRAM: my_logs <%PRI%>1
>>> %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID%
>>> %STRUCTURED-DATA% %msg%\n"
>>
>>
>> Any help??
>
>
> give people time to respond :-)
>
> what do you get from this, and what are you expecting to get from this?
>
> what version of rsyslog are you running?
>
> you may want to try PROGRAMNAME instead of APP-NAME depending on what your
> log source is.
>

I am trying to correlate logs from a JunOS device receiving logs in
structured format. Because JunOS doesn't send programname in logs
(and app-name shows me an empty field), I would like to assign a
programname before rsyslog sends JunOS logs to a central
syslog-ng/ossec server.

I am using rsyslog 4.x in a CentOS6 host ...

Thanks.


david at lang

Jun 4, 2012, 11:04 PM

Post #7 of 9
Re: Adding PROGRAMNAME to structured syslog messages

On Tue, 5 Jun 2012, C. L. Martinez wrote:

> On Tue, Jun 5, 2012 at 1:37 AM, <david [at] lang> wrote:
>> On Mon, 4 Jun 2012, C. L. Martinez wrote:
>>
>>> On Mon, Jun 4, 2012 at 12:04 PM, C. L. Martinez <carlopmart [at] gmail>
>>> wrote:
>>>>
>>>> On Mon, Jun 4, 2012 at 12:02 PM,  <david [at] lang> wrote:
>>>>>
>>>>> what is the template that you tried, what did you expect to get and what
>>>>> did
>>>>> you get instead.
>>>>>
>>>>> It should be very straightforward to do what you are asking for (If I
>>>>> understand it right), but more details would help identify the problem.
>>>>>
>>>>> David Lang
>>>>>
>>>>>
>>>>
>>>> I have tried this:
>>>>
>>>> $template rfc5424fmt,"PROGRAM: my_logs <%PRI%>1
>>>> %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID%
>>>> %STRUCTURED-DATA% %msg%\n"
>>>
>>>
>>> Any help??
>>
>>
>> give people time to respond :-)
>>
>> what do you get from this, and what are you expecting to get from this?
>>
>> what version of rsyslog are you running?
>>
>> you may want to try PROGRAMNAME instead of APP-NAME depending on what your
>> log source is.
>>
>
> I am trying to correlate logs from a JunOS device receiving logs in
> structured format. Because JunOS doesn't send programname in logs
> (and app-name shows me an empty field), I would like to assign a
> programname before rsyslog sends JunOS logs to a central
> syslog-ng/ossec server.
>
> I am using rsyslog 4.x in a CentOS6 host ...

first off rsyslog 4.x is very old, you should upgrade to at least 5.x, if
not 6.x. There is a lot of new stuff related to structured logging in 6.3

back to your problem.

if you log something with the format RSYSLOG_Debug, you will see all the
fields that your version of rsyslog is decoding.

David Lang
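
The approach discussed in this thread, as an added example that is not part of any post: dump the decoded properties with the reserved debug template (named RSYSLOG_DebugFormat in the rsyslog documentation), then forward with an RFC 5424 template that carries a constant in the APP-NAME position, after the <PRI> header. The device address 192.0.2.10, the tag "junos", the collector central.example.net and the file path are assumptions.

```conf
# rsyslog.conf fragment in legacy directive syntax, the style used in the thread.
# Added example. Assumed values (not from the thread):
#   192.0.2.10                  address of the JunOS device
#   junos                       constant program name to assign
#   central.example.net         central syslog-ng/OSSEC collector
#   /var/log/junos-fields.log   scratch file for the property dump
# A UDP or TCP input is assumed to be configured already.

# Step 1: write every property rsyslog decoded for messages from the device,
# so an empty APP-NAME or PROGRAMNAME is visible before a template is written.
:fromhost-ip, isequal, "192.0.2.10" /var/log/junos-fields.log;RSYSLOG_DebugFormat

# Step 2: same field order as the template posted in the thread, but with the
# constant placed where %APP-NAME% stood. The line begins with <PRI> so the
# receiver still parses the priority. A template must stay on a single line.
$template junos5424,"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% junos %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

# Step 3: forward only that device's messages over TCP (@@) with the template.
:fromhost-ip, isequal, "192.0.2.10" @@central.example.net:514;junos5424
```

The Step 1 rule is a diagnostic; remove it once the property dump has confirmed which fields the device leaves empty.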


carlopmart at gmail

Jun 6, 2012, 9:24 AM

Post #8 of 9
Re: Adding PROGRAMNAME to structured syslog messages

On 06/05/2012 08:04 AM, david [at] lang wrote:
> On Tue, 5 Jun 2012, C. L. Martinez wrote:
>
>> On Tue, Jun 5, 2012 at 1:37 AM, <david [at] lang> wrote:
>>> On Mon, 4 Jun 2012, C. L. Martinez wrote:
>>>
>>>> On Mon, Jun 4, 2012 at 12:04 PM, C. L. Martinez <carlopmart [at] gmail>
>>>> wrote:
>>>>>
>>>>> On Mon, Jun 4, 2012 at 12:02 PM, <david [at] lang> wrote:
>>>>>>
>>>>>> what is the template that you tried, what did you expect to get
>>>>>> and what
>>>>>> did
>>>>>> you get instead.
>>>>>>
>>>>>> It should be very straightforward to do what you are asking for (If I
>>>>>> understand it right), but more details would help identify the
>>>>>> problem.
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>>
>>>>>
>>>>> I have tried this:
>>>>>
>>>>> $template rfc5424fmt,"PROGRAM: my_logs <%PRI%>1
>>>>> %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID%
>>>>> %STRUCTURED-DATA% %msg%\n"
>>>>
>>>>
>>>> Any help??
>>>
>>>
>>> give people time to respond :-)
>>>
>>> what do you get from this, and what are you expecting to get from this?
>>>
>>> what version of rsyslog are you running?
>>>
>>> you may want to try PROGRAMNAME instead of APP-NAME depending on what
>>> your
>>> log source is.
>>>
>>
>> I am trying to correlate logs from a JunOS device receiving logs in
>> structured format. Because JunOS doesn't send programname in logs
>> (and app-name shows me an empty field), I would like to assign a
>> programname before rsyslog sends JunOS logs to a central
>> syslog-ng/ossec server.
>>
>> I am using rsyslog 4.x in a CentOS6 host ...
>
> first off rsyslog 4.x is very old, you should upgrade to at least 5.x,
> if not 6.x. There is a lot of new stuff related to structured logging in
> 6.3
>
> back to your problem.
>
> if you log something with the format RSYSLOG_Debug, you will see all the
> fields that your version of rsyslog is decoding.
>
> David Lang
>
>

Ok, using RSYSLOG_Debug solved my problems. Many thanks David.

--
CL Martinez
carlopmart {at} gmail {d0t} com


david at lang

Jun 6, 2012, 11:25 AM

Post #9 of 9
Re: Adding PROGRAMNAME to structured syslog messages

On Wed, 6 Jun 2012, carlopmart wrote:

>> back to your problem.
>>
>> if you log something with the format RSYSLOG_Debug, you will see all the
>> fields that your version of rsyslog is decoding.
>>
>> David Lang
>>
>>
>
> Ok, using RSYSLOG_Debug solved my problems. Many thanks David.

out of curiosity, what was the problem?

David Lang