1

I'm trying to setup rsyslog to use the template RSYSLOG_TraditionalFileFormat as the default action template, but for some specific messages i need to use another template. In both cases i need dynaFile.

I'm trying to achieve that with:

#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template dynatemplate, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
$template dynatemplate2, "/var/log/%HOSTNAME%/%hostname%_%fromhost-ip%_%syslogtag%.log"

:msg, contains, "sometext" ?dynatemplate2;RSYSLOG_SyslogProtocol23Format
& ~

*.* ?dynatemplate

Would the above be considered the correct way?

Also since I'm using rsyslog 8.24 how could it be done using the expression syntax?

vobelic
  • 193
  • 1
  • 5
  • 17

2 Answers2

1

It looks ok to me. Here's a RainerScript version, untested. I don't think the last action() needs a *.* in front of it as that is the default, but do add it if nothing is matched.

template(name="dynatemplate" type="string" 
  string="/var/log/%HOSTNAME%/%PROGRAMNAME%.log")
template(name="dynatemplate2" type="string"
  string="/var/log/%HOSTNAME%/%hostname%_%fromhost-ip%_%syslogtag%.log")

if ($msg contains "sometext") then {
  action(type="omfile" dynaFile="dynatemplate2" template="RSYSLOG_SyslogProtocol23Format")
  stop
}
action(type="omfile" dynaFile="dynatemplate")
meuh
  • 1,563
  • 10
  • 11
0

This is what worked for me. We use dynaFiles to do hostname based files.
I had a need to remove timestamp and hostname from being prefixed to events already formatted in JSON.

template (name="LOG_TYPE_PATH" type="string"
  string="/path/to/your/logs/LOG_TYPE/%HOSTNAME%.log")

template(name="noTimestamp" type="list") {
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on" )
    property(name="msg" droplastlf="on" )
    constant(value="\n")
    }

if ($hostname contains "10.0.0.17") then {
  action(type="omfile" dynaFile="LOG_TYPE_PATH" template="noTimestamp")
}

This doc was helpful:

https://www.rsyslog.com/doc/v8-stable/configuration/templates.html

msq
  • 1
  • 1