
We have a few appliances that are sending syslog; unfortunately, their hostnames are not the same as the actual name configured on the service.

I'm running the latest rsyslog version.

Currently I have this saved as a separate conf file:

template (name="stats" type="string" string="/logs/stats/host-%rawmsg:R,ERE,1,DFLT:gw_name="([^"]*)--end%-%$year%-%$month%-%$day%.log")

local4.*                action(type="omfile" dynaFile="stats")

These do not generate log files.

Sample raw message

Mar 31 17:33:02 localhost root: log_type="stats", local_time="2021/03/31 17:33 BST", mx_ip="10.191.205.240",gw_name="Appliance_NAME", gw_ip="1.0.0.41", version="1.5.0.", model="1000", serial_no="1xxxxxx8", ssl_card="Yes", total_traffic="0", app_traffic="0", cpu="0"

This should save the log file as host-Appliance_NAME-2021-03-31

We have an outdated rsyslog version 5.4 that we need to migrate to the latest one, hence this situation.

sarvesh.lad

1 Answer


There is a syntax error in the template, which might have been visible in a test run (rsyslogd -N1). The part string="/logs/...%rawmsg...gw_name="([^"]*)... is using double-quotes inside double-quotes. You need to escape the internal double-quotes with a preceding backslash, ...gw_name=\"([^\"]*)....

meuh
  • Thank you! I was wondering why the syntax highlighting was off on vim – sarvesh.lad Mar 31 '21 at 18:23
  • One last question, can I have a template within a template? I have 100 hosts sending logs and I wanna make a global template that says, everything from these IPs, go into folder 1, rest are folder 2. And then reference those folders in the action dynamically. – sarvesh.lad Mar 31 '21 at 19:31
  • I'm not sure what you want, but most people manage to achieve what they need with rsyslog. You should post a new question with more examples of what you have and would like. – meuh Apr 01 '21 at 08:40
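
The fix from the answer applied to the question's template, followed by a list-type variant, as an added example that is not part of the original thread. The list form goes beyond the answer: the template name `stats_list` and the `securepath` setting are assumptions, chosen because `gw_name` is read from the message body and ends up in a file name.

```conf
# Added example, not from the original thread. Paths, facility and regex are
# taken from the question; "stats_list" and securepath are assumptions.

# 1) String template as posted, with the inner double quotes escaped
#    as the answer describes.
template(name="stats" type="string"
         string="/logs/stats/host-%rawmsg:R,ERE,1,DFLT:gw_name=\"([^\"]*)--end%-%$year%-%$month%-%$day%.log")

# 2) The same file name built as a list template. Each piece is its own
#    statement, so only the regex itself needs escaped quotes.
#    gw_name is supplied by the sender inside the message, so
#    securepath="replace" turns any "/" in the extracted value into "_"
#    before it is used in the dynamic file name.
template(name="stats_list" type="list") {
    constant(value="/logs/stats/host-")
    property(name="rawmsg"
             regex.type="ERE"
             regex.expression="gw_name=\"([^\"]*)"
             regex.submatch="1"
             regex.nomatchmode="DFLT"
             securepath="replace")
    constant(value="-")
    property(name="$year")
    constant(value="-")
    property(name="$month")
    constant(value="-")
    property(name="$day")
    constant(value=".log")
}

# Use one of the two templates for the dynamic file name.
local4.* action(type="omfile" dynaFile="stats_list")
```

Running `rsyslogd -N1`, as the answer suggests, checks the file for syntax errors before the daemon is restarted.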