NLS log file forwarding

[gormank]

This is an RHEL 6.x system with rsyslog 5.8 so I can't use the new syntax to make life easier. I'm also a bit dumb when it comes to rsyslog config so, sorry...

I did try setting $programname but it failed...

A somewhat typical file forwarding config looks like this:

$InputFileName /var/log/ansible.log
$InputFileTag ansible.log
$InputFileStateFile state_var_log_ansible.log
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
if $programname == 'ansible.log' then @@[2001:4888:a00:3154:f0:ff2:0:b01]:5544
if $programname == 'ansible.log' then ~

Rsyslog allows wildcards in filenames so I don't see how I'd know programname if the config is something like what's below. I need something else to forward and stop the logging in the event wildcards are used. Any suggestions?

$InputFileName /var/log/mydir/*.log
$InputFileTag ansible.log
$InputFileStateFile state_var_log_mdydir_mylog
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
if $programname == '????.log' then @@[2001:4888:a00:3154:f0:ff2:0:b01]:5544
if $programname == '????.log' then ~

[jdunitz]

Hi Kevin,

Is this something you could catch with a filter, rather than programname?

https://www.rsyslog.com/doc/v8-stable/c ... lters.html

There's all sorts of things you can use to grab a log pattern:
https://selivan.github.io/2017/02/07/rs ... lover.html

Have you already been through all that, and found nothing that works?

--Jeffrey

[gormank]

I don't see how either is going to help. Filters drop messages which isn't applicable here. I also looked at the other doc and see nothing helpful to stop processing and wait for the next message. Each block of forwarders stops when programname is found to be x. I need something unique to the message to stop on since programname isn't known.

[gormank]

Both documents also reference using a version of rsyslog I stated was not in use above.

[jdunitz]

What if you were to catch it not based on filename, but based on programname no matter what file?

Code: Select all

:programname,isequal,"ndo2db" stop

will keep ndo2db from logging.

Otherwise, I wonder if an rsyslog-specific forum would turn up more answers?

https://lists.adiscon.net/mailman/listinfo/rsyslog

Hope that helps!

--Jeffrey

[gormank]

programname is the filename and is not known since it's a wildcard *.

[gormank]

I'll look at other forums and docs. The isequal makes me think about using a substring, such as .txt or .log might work.

[cdienger]

programname is the filename and is not known since it's a wildcard *.

Maybe there are variations, but I've always understood $programname to be set by the $InputFileTag line. Per https://www.rsyslog.com/doc/master/conf ... rties.html, it's the static part of the tag so the wildcard still wouldn't work but maybe this helps?

[gormank]

Since I can't set $programname, but $InputFileTag was set in the original config, maybe I can use $InputFileTag something like this:

$InputFileName /var/log/mydir/*.log
$InputFileTag wildcard
$InputFileStateFile state_var_log_mdydir_mylog
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
if $InputFileTag == 'wildcard' then @@[2001:4888:a00:3154:f0:ff2:0:b01]:5544
if $InputFileTag == 'wildcard' then ~

[cdienger]

Using $InputFileName in and expression doesn't seem to work at least on my lab machine. I think it is limited to using properties in the expression - https://www.rsyslog.com/doc/master/conf ... rties.html.