rgerhards at hq
Jul 30, 2012, 12:20 AM
Post #3 of 3
> -----Original Message-----
Re: Modifying the hostname format that is logged (remove subdomains)
> From: rsyslog-bounces [at] lists [mailto:rsyslog-bounces [at] lists] On Behalf Of david [at] lang
> Sent: Monday, July 30, 2012 4:48 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Modifying the hostname format that is logged
> (remove subdomains)
> On Mon, 30 Jul 2012, shaded 4 wrote:
> > Hi,
> > We want to upgrade our syslog servers from an old sysklog version
> > to rsyslog 6.3.11.
> > I need to change the hostname format which is logged by rsyslog:
> > All of our servers have the format x.y.z.com .
> > If z is either domain1,domain2,domain3 then I need rsyslog to write
> > 'x.y' and nothing else. (i.e. strip off z.com)
> > I came up with this:
> > $template TemplateStrip,"%TIMESTAMP%
> > %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
> > $ActionFileDefaultTemplate TemplateStrip
> > i.e. it uses a regular expression to strip off the domain.com part.
> > This appears to work correctly but is this the most efficient way to do it,
> > or are there better ways?
> > The Property Replacer page (
> > http://www.rsyslog.com/doc/property_replacer.html) suggests regular
> > expressions can be slower than other methods,
> > but I think the other methods on that page aren't really applicable in my case?
> regex is a slow way of doing things, but sometimes it's the only
> way to do it.
> You may want to look at the liblognorm option, it's FAR more efficient
> than regex parsing (especially if you end up with lots of rules)
> > Our old system receives about 10000 msgs/s so I'm hoping the new
> > server can do the same.
> With equivalent configs, the new one should be faster. If you're having
> the new one do a lot more, you may run into issues, but on a reasonably
> modern system, 10K logs/sec should not be a problem.
> I'm not familiar with the -s option, but it's a holdover from some
> old stuff, and I would not be surprised if nobody used it and as a
> result it broke without anyone noticing. Rainer would need to comment on this.
It's like you say: it may be broken over time. Unfortunately, I cannot look into it right now, as I have some priority stuff to finish (and will shortly head to vacation ;)).
> David Lang
> > P.S. I tried using rsyslog's -s commandline option, but couldn't get it to
> > strip subdomains like this -
> > I could only get it to strip either y.z.com or nothing.
> > Is the -s switch _supposed_ to be able to strip subdomains?
> > The rsyslogd man page (below) is a bit confusing: is it saying that it
> > CAN strip off just north.de (by doing something like
> > "-s north.de:infodrom.north.de" as it says),
> > or that it CAN'T do it?
> > -s domainlist
> > Specify a domainname that should be stripped off before logging.
> > Multiple domains may be specified using the colon ('':'') separator.
> > Please be advised that no sub-domains may be specified but
> > only entire domains. For example if -s north.de is specified and
> > the host logging resolves to satu.infodrom.north.de no domain would
> > be cut, you will have to specify two domains like:
> > -s north.de:infodrom.north.de.
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
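Added example (not part of the original thread and not rsyslog code): a Python model of the two behaviours discussed above, the -s semantics as the quoted man page text describes them, and a regex-free suffix strip at a label boundary that yields 'x.y'. The function names and the domain1/2/3.com list are assumptions made for illustration.

```python
# Added example: models two hostname-stripping behaviours from the thread.
# Domain names are constructed placeholders, not values from a real site.

STRIP_DOMAINS = ("domain1.com", "domain2.com", "domain3.com")


def _norm(name):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return name.rstrip(".").lower()


def strip_like_man_page(hostname, domainlist):
    """Model of the quoted -s text: cut only when everything after the
    first label equals one listed domain exactly (no sub-domain match)."""
    host = _norm(hostname)
    first, sep, rest = host.partition(".")
    if sep and rest in {_norm(d) for d in domainlist}:
        return first
    return host


def strip_suffix(hostname, domainlist):
    """Regex-free suffix strip: remove a listed domain from the end of the
    name, but only at a label boundary, and never leave an empty name."""
    host = _norm(hostname)
    # Longest entry first, so a more specific listed domain wins.
    for dom in sorted((_norm(d) for d in domainlist), key=len, reverse=True):
        suffix = "." + dom
        if host.endswith(suffix) and len(host) > len(suffix):
            return host[: -len(suffix)]
    return host


if __name__ == "__main__":
    # Constructed sample hostnames.
    for h in ("x.y.domain1.com", "x.y.other.com", "x.notdomain1.com"):
        print(h, "->", strip_suffix(h, STRIP_DOMAINS))
```

The label-boundary check keeps a host such as x.notdomain1.com from being logged under a shortened name, which matters when log entries are later correlated by hostname.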