Discussion:
[rsyslog] template() syntax is driving me mad!
Jason Marshall
2018-11-23 22:43:24 UTC
Hi all, I'm sure I'm doing something stupid that's causing this not to
work.

I am trying to format the logs coming in on local1.info so that they are
saved in a separate file, and have a custom date-stamp vs the other logs
that are being written to other files.

I am using rsyslog v8.24 on CentOS 7.5 if this is correct:

# rpm -qa |grep rsyslog
rsyslog-8.24.0-16.el7_5.4.x86_64

Here is my template:

template (name="local1template" type="list") {
property(name="timereported" dateformat="date-year")
constant(value="-")
property(name="timereported" dateformat="date-month")
constant(value="-")
property(name="timereported" dateformat="date-day")
constant(value=" ")
property(name="timereported" dateformat="date-hour")
constant(value=":")
property(name="timereported" dateformat="date-minute")
constant(value=":")
property(name="timereported" dateformat="date-second")
constant(value=" ")
property(name="timereported" dateformat="date-wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}

and my binding:

local1.* action(type="omfile" file="/var/log/jmtest.log" template="local1template")

When I restart rsyslogd, I either get nothing logged from local1.info, or
it falls through to the 'messages' file.

When I run rsyslogd in debug mode, it complains that it doesn't like
'dateformat="date-year"'. I commented out that part, and it then
complained about 'dateformat="date-month"'.

It's very unclear to me what I should be putting in this template. It's
also unclear whether I'm going about this correctly at all. Should I be
using the property-replacer instead somehow? How would that even work
here?

Thanks everyone, sorry if this is in the doc somewhere, but if it is I
haven't been able to find (or perhaps recognize) it.

---
Jason Marshall
Katalyst Data Management
www.katalystdm.com | www.seismiczone.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Flo Rance via rsyslog
2018-11-26 08:53:29 UTC
Hi,

The doc is very confusing, especially that part which shows examples with
"date-*" date format:

https://www.rsyslog.com/doc/v8-stable/configuration/templates.html

However, other part of the doc shows examples without the "date-" in date
format.

Remove all the "date-" in dateformat fields and it'll work as expected.

e.g. dateformat="year"

IMO, this might be a bug, either in the doc or in the program.

Flo
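
The fix from this reply written out in full, as an added example that is not part of the original thread or of the rsyslog documentation. It reuses the template name and file path from the question and assumes the rsyslog 8.24 setup and default config path described there.

```conf
# Added example: the template from the question with the "date-" prefix
# removed from every dateformat value, as the reply advises.
#
# Check the syntax before restarting the daemon (assumes the default
# config path); -N1 parses the configuration and reports errors without
# starting normal operation:
#   rsyslogd -N1 -f /etc/rsyslog.conf

template(name="local1template" type="list") {
    # Timestamp assembled field by field: YYYY-MM-DD HH:MM:SS <weekday>
    property(name="timereported" dateformat="year")
    constant(value="-")
    property(name="timereported" dateformat="month")
    constant(value="-")
    property(name="timereported" dateformat="day")
    constant(value=" ")
    property(name="timereported" dateformat="hour")
    constant(value=":")
    property(name="timereported" dateformat="minute")
    constant(value=":")
    property(name="timereported" dateformat="second")
    constant(value=" ")
    property(name="timereported" dateformat="wdayname")
    constant(value=" ")
    # Remainder of the record, unchanged from the question
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    constant(value=" ")
    property(name="msg")
    constant(value="\n")
}

# Binding from the question, unchanged
local1.* action(type="omfile" file="/var/log/jmtest.log" template="local1template")

# Note: the timestamp above carries no UTC offset. Where logs from several
# hosts are correlated, a single property with dateformat="rfc3339" emits
# the full timestamp including the offset.
```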
Rainer Gerhards
2018-11-26 09:01:48 UTC
Just a side-note: I know the doc is bad. I try my best to make
improvements whenever I have time. But it would really be helpful if
others would invest a minute here or there to fix things that they see
to be wrong or hard to understand. Usually it's done within a few
minutes and it not only helps your peers but maybe yourself in the
future (when memory has vanished).

You can even use the github online editor to craft updates:

https://github.com/rsyslog/rsyslog-doc/tree/master/source

Rainer
Flo Rance via rsyslog
2018-11-26 09:08:08 UTC
Hi Rainer,

It was not a criticism against you, just an observation.

I don't know if it was intended to be supported as "date-year" and it
doesn't work as expected, or if the real syntax is just "year".

Flo
Rainer Gerhards
2018-11-26 09:21:24 UTC
Post by Flo Rance via rsyslog
> Hi Rainer,
> It was not a criticism against you, just an observation.

All good, I don't feel criticized. I just want to point out that with
a real open source project like rsyslog, we really depend on
contributions. And doc is easy to contribute. Essentially, it's far
better if users contribute. Because they know what problems other
users have. The current state of the doc is the result of it being
created mostly by folks who are deep inside rsyslog and don't see what
may be missing. Also, it's just a matter of time to do things. The
todo list is already very long.

The doc always made a big step forward when users helped with this.

Post by Flo Rance via rsyslog
> I don't know if it was intended to be supported as "date-year" and it doesn't work as expected, or if the real syntax is just "year".

crafted PR instead of writing this all here (which, btw, is a good way
imho to move the doc forward - or copy&paste things you have already
written to a PR).

https://github.com/rsyslog/rsyslog-doc/pull/751

Rainer
Flo Rance via rsyslog
2018-11-26 09:28:44 UTC
It would have been hard for me to figure out that, thanks.
Rainer Gerhards
2018-11-26 15:13:44 UTC
Post by Flo Rance via rsyslog
> It would have been hard for me to figure out that, thanks.

Full ACK! That's why I try to monitor as much of the questions as possible ;-)

And don't get me wrong: I really appreciate the work that you put into
helping others. It's most useful.

But in general it would be beneficial if those small things that can
make life hard be fixed by those that notice it. We get some (very
useful) small doc contributions, but the number of folks just writing
"this is bad" vs. actually doing that small fix is frustrating. Even
more so some regular users who always ask for help, intensely, but
never ever give something back to the project. I admit I have set an
ignore flag for most of them.

Looking at the current PR, for example, it now has the facts but
leaves the doc once more inconsistent: one place is fixed, the other
one (property replacer) not. In an ideal world, some of them
complaining that the doc is so hard to use would step in and fix that
[and for sure I do NOT mean you!].

Just to clarify a bit. Especially the doc could be a much better
experience if more users would make small contributions. Especially if
they use wording other admins understand better.

Having said this, once again my sincere thanks for helping with rsyslog support!
Rainer
Flo Rance via rsyslog
2018-11-26 15:25:57 UTC
Permalink
Thanks for the feedback!

I'll try to help fix doc issues, should the opportunity arise.

Flo
Post by Rainer Gerhards
Post by Flo Rance via rsyslog
It would have been hard for me to figure out that, thanks.
Full ACK! That's why I try to monitor as much of the questions as possible ;-)
And don't get me wrong: I really appreciate the work that you put into
helping others. It's most useful.
But in general it would be beneficial if those small things that can
make life hard be fixed by those that notice it. We get some (very
useful) small doc contributions, but the number of folks just writing
"this is bad" vs. actually doing that small fix is frustrating. Even
more so some regular users who always ask for help, intensely, but
never ever give something back to the project. I admit I have set an
ignore flag for most of them.
Looking at the current PR, for example, it now has the facts but
leaves the doc once more inconsistent: one place is fixed, the other
one (property replacer) not. In an ideal world, some of them
complaining that the doc is so hard to use would step in and fix that
[and for sure I do NOT mean you!].
Just to clarify a bit. Especially the doc could be a much better
experience if more users would make small contributions. Especially if
they use wording other admins understand better.
Having said this, once again my sincere thanks for helping with rsyslog support!
Rainer
Post by Flo Rance via rsyslog
On Mon, Nov 26, 2018 at 10:22 AM Rainer Gerhards <
Post by Rainer Gerhards
Post by Flo Rance via rsyslog
Hi Rainer,
It was not a criticism against you, just an observation.
All good, I don't feel criticized. I just want to point out that with
a real open source project like rsyslog, we really depend on
contributions. And doc is easy to contribute. Essentially, it's far
better if users contribute. Because they know what problems other
users have. The current state of the doc is the result of it being
created mostly by folks who are deep inside rsyslog and don't see what
may be missing. Also, it's just a matter of time to do things. The
todo list is already very long.
The doc always made a big step forward when users helped with this.
Post by Flo Rance via rsyslog
I don't know if it was intended to be supported as "date-year" and it
doesn't work as expected, or if the real syntax is just "year".
Post by Flo Rance via rsyslog
Post by Rainer Gerhards
crafted PR instead of writing this all here (which, btw, is a good way
imho to move the doc forward - or copy&paste things you have already
written to a PR).
https://github.com/rsyslog/rsyslog-doc/pull/751
Rainer
Post by Flo Rance via rsyslog
Flo
On Mon, Nov 26, 2018 at 10:02 AM Rainer Gerhards <
Post by Rainer Gerhards
Just a side-note: I know the doc is bad. I try my best to make
improvements whenever I have time. But it would really be helpful if
others would invest a minute here or there to fix things that they
see
to be wrong or hard to understand. Usually it's done within a few
minutes and it not only helps your peers but maybe yourself in the
future (when memory has vanished).
https://github.com/rsyslog/rsyslog-doc/tree/master/source
Rainer
On Mon, 26 Nov 2018 at 9:53, Flo Rance via rsyslog
Post by Flo Rance via rsyslog
Hi,
The doc is very confusing, especially that part which shows examples with
https://www.rsyslog.com/doc/v8-stable/configuration/templates.html
However, other part of the doc shows examples without the "date-" in date
format.
Remove all the "date-" in dateformat fields and it'll work as expected.
e.g. dateformat="year"
IMO, this might be a bug, either in the doc or in the program.
Flo
On Fri, Nov 23, 2018 at 11:43 PM Jason Marshall <
Post by Jason Marshall
Hi all, I'm sure I'm doing something stupid that's causing this not to
work.
I am trying to format the logs coming in on local1.info so that they are
saved in a separate file, and have a custom date-stamp vs the other logs
that are being written to other files.
# rpm -qa |grep rsyslog
rsyslog-8.24.0-16.el7_5.4.x86_64
template (name="local1template" type="list") {
property(name="timereported" dateformat="date-year")
constant(value="-")
property(name="timereported" dateformat="date-month")
constant(value="-")
property(name="timereported" dateformat="date-day")
constant(value=" ")
property(name="timereported" dateformat="date-hour")
constant(value=":")
property(name="timereported" dateformat="date-minute")
constant(value=":")
property(name="timereported" dateformat="date-second")
constant(value=" ")
property(name="timereported" dateformat="date-wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
local1.* action(type="omfile" file="/var/log/jmtest.log"
template="local1template")
When I restart rsyslogd, I either get nothing logged from local1.info, or
it falls through to the 'messages' file.
When I run rsyslogd in debug mode, it complains that it doesn't like
'dateformat="date-year"'. I commented out that part, and it then
complained about 'dateformat="date-month"'.
It's very unclear to me what I should be putting in this template. It's
also unclear whether I'm going about this correctly at all. Should I be
using the property-replacer instead somehow? How would that even work
here?
Thanks everyone, sorry if this is in the doc somewhere, but if it is I
haven't been able to find (or perhaps recognize) it.
---
Jason Marshall
Katalyst Data Management
www.katalystdm.com | www.seismiczone.com
Rainer Gerhards
2018-11-26 15:27:01 UTC
Permalink
Thanks a lot!
Post by Flo Rance via rsyslog
Thanks for the feedback!
I'll try to help fix doc issues, should the opportunity arise.
Flo
Post by Rainer Gerhards
Post by Flo Rance via rsyslog
It would have been hard for me to figure out that, thanks.
Full ACK! That's why I try to monitor as much of the questions as possible ;-)
And don't get me wrong: I really appreciate the work that you put into
helping others. It's most useful.
But in general it would be beneficial if those small things that can
make life hard be fixed by those that notice it. We get some (very
useful) small doc contributions, but the number of folks just writing
"this is bad" vs. actually doing that small fix is frustrating. Even
more so some regular users who always ask for help, intensely, but
never ever give something back to the project. I admit I have set an
ignore flag for most of them.
Looking at the current PR, for example, it now has the facts but
leaves the doc once more inconsistent: one place is fixed, the other
one (property replacer) not. In an ideal world, some of them
complaining that the doc is so hard to use would step in and fix that
[and for sure I do NOT mean you!].
Just to clarify a bit. Especially the doc could be a much better
experience if more users would make small contributions. Especially if
they use wording other admins understand better.
Having said this, once again my sincere thanks for helping with rsyslog support!
Rainer
Post by Flo Rance via rsyslog
Post by Rainer Gerhards
Post by Flo Rance via rsyslog
Hi Rainer,
It was not a criticism against you, just an observation.
All good, I don't feel criticized. I just want to point out that with
a real open source project like rsyslog, we really depend on
contributions. And doc is easy to contribute. Essentially, it's far
better if users contribute. Because they know what problems other
users have. The current state of the doc is the result of it being
created mostly by folks who are deep inside rsyslog and don't see what
may be missing. Also, it's just a matter of time to do things. The
todo list is already very long.
The doc always made a big step forward when users helped with this.
Post by Flo Rance via rsyslog
I don't know if it was intended to be supported as "date-year" and it doesn't work as expected, or if the real syntax is just "year".
crafted PR instead of writing this all here (which, btw, is a good way
imho to move the doc forward - or copy&paste things you have already
written to a PR).
https://github.com/rsyslog/rsyslog-doc/pull/751
Rainer
Post by Flo Rance via rsyslog
Flo
Post by Rainer Gerhards
Just a side-note: I know the doc is bad. I try my best to make
improvements whenever I have time. But it would really be helpful if
others would invest a minute here or there to fix things that they see
to be wrong or hard to understand. Usually it's done within a few
minutes and it not only helps your peers but maybe yourself in the
future (when memory has vanished).
https://github.com/rsyslog/rsyslog-doc/tree/master/source
Rainer
On Mon, 26 Nov 2018 at 9:53, Flo Rance via rsyslog
Post by Flo Rance via rsyslog
Hi,
The doc is very confusing, especially that part which shows examples with
https://www.rsyslog.com/doc/v8-stable/configuration/templates.html
However, other part of the doc shows examples without the "date-" in date
format.
Remove all the "date-" in dateformat fields and it'll work as expected.
e.g. dateformat="year"
IMO, this might be a bug, either in the doc or in the program.
Flo
Post by Jason Marshall
Hi all, I'm sure I'm doing something stupid that's causing this not to
work.
I am trying to format the logs coming in on local1.info so that they are
saved in a separate file, and have a custom date-stamp vs the other logs
that are being written to other files.
# rpm -qa |grep rsyslog
rsyslog-8.24.0-16.el7_5.4.x86_64
template (name="local1template" type="list") {
property(name="timereported" dateformat="date-year")
constant(value="-")
property(name="timereported" dateformat="date-month")
constant(value="-")
property(name="timereported" dateformat="date-day")
constant(value=" ")
property(name="timereported" dateformat="date-hour")
constant(value=":")
property(name="timereported" dateformat="date-minute")
constant(value=":")
property(name="timereported" dateformat="date-second")
constant(value=" ")
property(name="timereported" dateformat="date-wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
local1.* action(type="omfile" file="/var/log/jmtest.log"
template="local1template")
When I restart rsyslogd, I either get nothing logged from local1.info, or
it falls through to the 'messages' file.
When I run rsyslogd in debug mode, it complains that it doesn't like
'dateformat="date-year"'. I commented out that part, and it then
complained about 'dateformat="date-month"'.
It's very unclear to me what I should be putting in this template. It's
also unclear whether I'm going about this correctly at all. Should I be
using the property-replacer instead somehow? How would that even work
here?
Thanks everyone, sorry if this is in the doc somewhere, but if it is I
haven't been able to find (or perhaps recognize) it.
---
Jason Marshall
Katalyst Data Management
www.katalystdm.com | www.seismiczone.com
Jason Marshall
2018-11-26 18:53:18 UTC
Permalink
Post by Flo Rance via rsyslog
Remove all the "date-" in dateformat fields and it'll work as expected.
e.g. dateformat="year"
Thanks Flo (and sorry Rainer for opening a can of worms about the docs.
I find they are actually quite good, but the config file syntax changes
are confusing to me as someone who is exposed to the variations only when
something has broken :)

Unfortunately, this suggestion from Flo does not seem to have fixed it,
though it did change the behavior in debug mode.

Now it doesn't complain about the dateformat lines, but further down in
the debug I get this obscure error-looking thing for each of the
dateformats. It seems fine with the literals in between each of them, and
it does appear to understand what I'm talking when I say year vs
date-year, elsewhere in the debug output.

6186.270894269:main thread : Template: Name='local1template'
6186.270911262:main thread : Entry(558fe8bf95b0): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 9]
6186.270957237:main thread : Entry(558fe8bf9380): type 1, (CONSTANT), value: '-'
6186.270994908:main thread : Entry(558fe8bf9480): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 10]
6186.271031136:main thread : Entry(558fe8bf9670): type 1, (CONSTANT), value: '-'
6186.271064373:main thread : Entry(558fe8bf99a0): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 11]
6186.271103588:main thread : Entry(558fe8bf9730): type 1, (CONSTANT), value: ' '
6186.271138654:main thread : Entry(558fe8bf9830): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 12]
6186.271175680:main thread : Entry(558fe8bf9a60): type 1, (CONSTANT), value: ':'
6186.271209310:main thread : Entry(558fe8bf9d50): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 13]
6186.271257167:main thread : Entry(558fe8bf9b20): type 1, (CONSTANT), value: ':'
6186.271291628:main thread : Entry(558fe8bf9c20): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 14]
6186.271333814:main thread : Entry(558fe8bf9e10): type 1, (CONSTANT), value: ' '
6186.271367917:main thread : Entry(558fe8bfa100): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 8]
6186.271408596:main thread : Entry(558fe8bf9ed0): type 1, (CONSTANT), value: ' '
6186.271437108:main thread : Entry(558fe8bf9f90): type 2, (FIELD), value: '3'
6186.271477047:main thread : Entry(558fe8bfa1c0): type 1, (CONSTANT), value: ' '
6186.271511780:main thread : Entry(558fe8bfa4b0): type 2, (FIELD), value: '4'
6186.271543313:main thread : Entry(558fe8bfa280): type 1, (CONSTANT), value: ' '
6186.271578967:main thread : Entry(558fe8bfa340): type 2, (FIELD), value: '1'
6186.271614079:main thread : Entry(558fe8bfa570): type 1, (CONSTANT), value: '
'

This is what I have in my rsyslog.conf file now. Perhaps I misinterpreted
your suggestion, or took something too literally that I should not have?

template (name="local1template" type="list") {
property(name="timereported" dateformat="year")
constant(value="-")
property(name="timereported" dateformat="month")
constant(value="-")
property(name="timereported" dateformat="day")
constant(value=" ")
property(name="timereported" dateformat="hour")
constant(value=":")
property(name="timereported" dateformat="minute")
constant(value=":")
property(name="timereported" dateformat="second")
constant(value=" ")
property(name="timereported" dateformat="wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}

local1.* action(type="omfile" file="/var/log/jmtest.log" template="local1template")

Oh, it's just dawned on me that I am actually testing this with 'logger'
and for all I know that's not actually providing a timestamp to rsyslog at
all. I'll test that with timegenerated (which I think is supplied by
rsyslog itself and not parsed from the client)... Not much difference. I
can post that debug output, too, but don't want to muddy the waters...

---
Jason Marshall
Katalyst Data Management
www.katalystdm.com | www.seismiczone.com
Post by Flo Rance via rsyslog
Post by Jason Marshall
Hi all, I'm sure I'm doing something stupid that's causing this not to
work.
I am trying to format the logs coming in on local1.info so that they are
saved in a separate file, and have a custom date-stamp vs the other logs
that are being written to other files.
# rpm -qa |grep rsyslog
rsyslog-8.24.0-16.el7_5.4.x86_64
template (name="local1template" type="list") {
property(name="timereported" dateformat="date-year")
constant(value="-")
property(name="timereported" dateformat="date-month")
constant(value="-")
property(name="timereported" dateformat="date-day")
constant(value=" ")
property(name="timereported" dateformat="date-hour")
constant(value=":")
property(name="timereported" dateformat="date-minute")
constant(value=":")
property(name="timereported" dateformat="date-second")
constant(value=" ")
property(name="timereported" dateformat="date-wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
local1.* action(type="omfile" file="/var/log/jmtest.log"
template="local1template")
When I restart rsyslogd, I either get nothing logged from local1.info, or
it falls through to the 'messages' file.
When I run rsyslogd in debug mode, it complains that it doesn't like
'dateformat="date-year"'. I commented out that part, and it then
complained about 'dateformat="date-month"'.
It's very unclear to me what I should be putting in this template. It's
also unclear whether I'm going about this correctly at all. Should I be
using the property-replacer instead somehow? How would that even work
here?
Thanks everyone, sorry if this is in the doc somewhere, but if it is I
haven't been able to find (or perhaps recognize) it.
---
Jason Marshall
Katalyst Data Management
www.katalystdm.com | www.seismiczone.com
---
Jason Marshall
Director, Information Technology
Katalyst Data Management
Direct: +1 403 294 7557
www.katalystdm.com | www.seismiczone.com
Flo Rance via rsyslog
2018-11-27 08:08:51 UTC
Permalink
Sorry, I didn't test it with logger, but I've created a conf file in
/etc/rsyslog.d and it works as expected with rsyslog 8.38.

$ sudo tail -f /var/log/jmtest.log
2018-11-27 09:06:01 Tue host.domain.fake CRON[11168]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 -S XALL 60 1)
Post by Jason Marshall
Post by Flo Rance via rsyslog
Remove all the "date-" in dateformat fields and it'll work as expected.
e.g. dateformat="year"
Thanks Flo (and sorry Rainer for opening a can of worms about the docs.
I find they are actually quite good, but the config file syntax changes
are confusing to me as someone who is exposed to the variations only when
something has broken :)
Unfortunately, this suggestion from Flo does not seem to have fixed it,
though it did change the behavior in debug mode.
Now it doesn't complain about the dateformat lines, but further down in
the debug I get this obscure error-looking thing for each of the
dateformats. It seems fine with the literals in between each of them, and
it does appear to understand what I'm talking when I say year vs
date-year, elsewhere in the debug output.
6186.270894269:main thread : Template: Name='local1template'
6186.270911262:main thread : Entry(558fe8bf95b0): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 9]
6186.270957237:main thread : Entry(558fe8bf9380): type 1, (CONSTANT), value: '-'
6186.270994908:main thread : Entry(558fe8bf9480): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 10]
6186.271031136:main thread : Entry(558fe8bf9670): type 1, (CONSTANT), value: '-'
6186.271064373:main thread : Entry(558fe8bf99a0): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 11]
6186.271103588:main thread : Entry(558fe8bf9730): type 1, (CONSTANT), value: ' '
6186.271138654:main thread : Entry(558fe8bf9830): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 12]
6186.271175680:main thread : Entry(558fe8bf9a60): type 1, (CONSTANT), value: ':'
6186.271209310:main thread : Entry(558fe8bf9d50): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 13]
6186.271257167:main thread : Entry(558fe8bf9b20): type 1, (CONSTANT), value: ':'
6186.271291628:main thread : Entry(558fe8bf9c20): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 14]
6186.271333814:main thread : Entry(558fe8bf9e10): type 1, (CONSTANT), value: ' '
6186.271367917:main thread : Entry(558fe8bfa100): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 8]
6186.271408596:main thread : Entry(558fe8bf9ed0): type 1, (CONSTANT), value: ' '
6186.271437108:main thread : Entry(558fe8bf9f90): type 2, (FIELD), value: '3'
6186.271477047:main thread : Entry(558fe8bfa1c0): type 1, (CONSTANT), value: ' '
6186.271511780:main thread : Entry(558fe8bfa4b0): type 2, (FIELD), value: '4'
6186.271543313:main thread : Entry(558fe8bfa280): type 1, (CONSTANT), value: ' '
6186.271578967:main thread : Entry(558fe8bfa340): type 2, (FIELD), value: '1'
6186.271614079:main thread : Entry(558fe8bfa570): type 1, (CONSTANT), value: '
'
This is what I have in my rsyslog.conf file now. Perhaps I misinterpreted
your suggestion, or took something too literally that I should not have?
template (name="local1template" type="list") {
property(name="timereported" dateformat="year")
constant(value="-")
property(name="timereported" dateformat="month")
constant(value="-")
property(name="timereported" dateformat="day")
constant(value=" ")
property(name="timereported" dateformat="hour")
constant(value=":")
property(name="timereported" dateformat="minute")
constant(value=":")
property(name="timereported" dateformat="second")
constant(value=" ")
property(name="timereported" dateformat="wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
local1.* action(type="omfile" file="/var/log/jmtest.log" template="local1template")
Oh, it's just dawned on me that I am actually testing this with 'logger'
and for all I know that's not actually providing a timestamp to rsyslog at
all. I'll test that with timegenerated (which I think is supplied by
rsyslog itself and not parsed from the client)... Not much difference. I
can post that debug output, too, but don't want to muddy the waters...
---
Jason Marshall
Katalyst Data Management
www.katalystdm.com | www.seismiczone.com
Post by Flo Rance via rsyslog
Post by Jason Marshall
Hi all, I'm sure I'm doing something stupid that's causing this not to
work.
I am trying to format the logs coming in on local1.info so that they are
saved in a separate file, and have a custom date-stamp vs the other logs
that are being written to other files.
# rpm -qa |grep rsyslog
rsyslog-8.24.0-16.el7_5.4.x86_64
template (name="local1template" type="list") {
property(name="timereported" dateformat="date-year")
constant(value="-")
property(name="timereported" dateformat="date-month")
constant(value="-")
property(name="timereported" dateformat="date-day")
constant(value=" ")
property(name="timereported" dateformat="date-hour")
constant(value=":")
property(name="timereported" dateformat="date-minute")
constant(value=":")
property(name="timereported" dateformat="date-second")
constant(value=" ")
property(name="timereported" dateformat="date-wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
local1.* action(type="omfile" file="/var/log/jmtest.log"
template="local1template")
When I restart rsyslogd, I either get nothing logged from local1.info, or
it falls through to the 'messages' file.
When I run rsyslogd in debug mode, it complains that it doesn't like
'dateformat="date-year"'. I commented out that part, and it then
complained about 'dateformat="date-month"'.
It's very unclear to me what I should be putting in this template. It's
also unclear whether I'm going about this correctly at all. Should I be
using the property-replacer instead somehow? How would that even work
here?
Thanks everyone, sorry if this is in the doc somewhere, but if it is I
haven't been able to find (or perhaps recognize) it.
---
Jason Marshall
Katalyst Data Management
www.katalystdm.com | www.seismiczone.com
---
Jason Marshall
Director, Information Technology
Katalyst Data Management
Direct: +1 403 294 7557
www.katalystdm.com | www.seismiczone.com
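Added example (not part of any poster's message and not rsyslog code): a small Python checker for the problem this thread works through. It parses the list template as first posted, flags `dateformat` values that carry the `date-` prefix, rewrites them to the bare names, and renders the result for a constructed message; the function names, the seven-name list and the sample message are assumptions of this example.

```python
import re
from datetime import datetime

WDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
# dateformat names used in this thread, without the "date-" prefix.
# Assumption: limited to these seven on purpose; rsyslog accepts more.
DATE_PARTS = {
    "year": lambda t: "%04d" % t.year,
    "month": lambda t: "%02d" % t.month,
    "day": lambda t: "%02d" % t.day,
    "hour": lambda t: "%02d" % t.hour,
    "minute": lambda t: "%02d" % t.minute,
    "second": lambda t: "%02d" % t.second,
    "wdayname": lambda t: WDAYS[t.weekday()],
}
ESCAPES = {"n": "\n", "t": "\t"}
PARAM_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
# One property(...) or constant(...) entry; quoted values may contain ")".
ENTRY_RE = re.compile(r'\b(property|constant)\s*\(((?:\s*\w+\s*=\s*"(?:[^"\\]|\\.)*")*)\s*\)')


def parse_entries(template_text):
    """Return [(kind, {param: value})] for the body of one list template."""
    body = template_text[template_text.index("{") + 1:template_text.rindex("}")]
    return [(m.group(1), dict(PARAM_RE.findall(m.group(2))))
            for m in ENTRY_RE.finditer(body)]


def lint(entries):
    """Return one finding per dateformat value this checker does not accept."""
    findings = []
    for kind, params in entries:
        fmt = params.get("dateformat")
        if kind != "property" or fmt is None or fmt in DATE_PARTS:
            continue
        bare = fmt[len("date-"):] if fmt.startswith("date-") else None
        if bare in DATE_PARTS:
            findings.append('dateformat="%s": drop the prefix, use "%s"' % (fmt, bare))
        else:
            findings.append('dateformat="%s": not in this checker\'s list' % fmt)
    return findings


def strip_date_prefix(template_text):
    """Rewrite dateformat="date-X" to dateformat="X" for the known names."""
    names = "|".join(DATE_PARTS)
    return re.sub(r'(dateformat\s*=\s*")date-(%s)"' % names, r'\1\2"', template_text)


def render(entries, msg):
    """Expand a linted template for one message (a dict of property values)."""
    out = []
    for kind, params in entries:
        if kind == "constant":
            out.append(re.sub(r'\\(.)', lambda m: ESCAPES.get(m.group(1), m.group(1)),
                              params["value"]))
        elif "dateformat" in params:
            out.append(DATE_PARTS[params["dateformat"]](msg[params["name"]]))
        else:
            out.append(str(msg[params["name"]]))
    return "".join(out)


# The template as first posted in the thread (with the "date-" prefixes).
POSTED = r'''template (name="local1template" type="list") {
property(name="timereported" dateformat="date-year")
constant(value="-")
property(name="timereported" dateformat="date-month")
constant(value="-")
property(name="timereported" dateformat="date-day")
constant(value=" ")
property(name="timereported" dateformat="date-hour")
constant(value=":")
property(name="timereported" dateformat="date-minute")
constant(value=":")
property(name="timereported" dateformat="date-second")
constant(value=" ")
property(name="timereported" dateformat="date-wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}'''

# Constructed message; every value here is made up for the example.
SAMPLE_MSG = {"timereported": datetime(2018, 11, 27, 9, 6, 1),
              "hostname": "host.example", "syslogtag": "app[123]:",
              "msg": "constructed test message"}

if __name__ == "__main__":
    for finding in lint(parse_entries(POSTED)):
        print(finding)
    fixed = strip_date_prefix(POSTED)
    print(render(parse_entries(fixed), SAMPLE_MSG), end="")
```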
Jason Marshall
2018-11-28 04:16:21 UTC
Permalink
Thanks Flo -- turns out I just don't know how to use logger. Still don't
I guess. The actual syslog stuff coming in via its sysloggy ways likes my
new template and action just fine! Thanks for your help!
Post by Flo Rance via rsyslog
Sorry, I didn't test it with logger, but I've created a conf file in
/etc/rsyslog.d and it works as expected with rsyslog 8.38.
$ sudo tail -f /var/log/jmtest.log
2018-11-27 09:06:01 Tue host.domain.fake CRON[11168]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 -S XALL 60 1)
Post by Jason Marshall
Post by Flo Rance via rsyslog
Remove all the "date-" in dateformat fields and it'll work as expected.
e.g. dateformat="year"
Thanks Flo (and sorry Rainer for opening a can of worms about the docs.
I find they are actually quite good, but the config file syntax changes
are confusing to me as someone who is exposed to the variations only when
something has broken :)
Unfortunately, this suggestion from Flo does not seem to have fixed it,
though it did change the behavior in debug mode.
Now it doesn't complain about the dateformat lines, but further down in
the debug I get this obscure error-looking thing for each of the
dateformats. It seems fine with the literals in between each of them, and
it does appear to understand what I'm talking about when I say year vs
date-year, elsewhere in the debug output.
6186.270894269:main thread : Template: Name='local1template'
6186.270911262:main thread : Entry(558fe8bf95b0): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 9]
6186.270957237:main thread : Entry(558fe8bf9380): type 1, (CONSTANT), value: '-'
6186.270994908:main thread : Entry(558fe8bf9480): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 10]
6186.271031136:main thread : Entry(558fe8bf9670): type 1, (CONSTANT), value: '-'
6186.271064373:main thread : Entry(558fe8bf99a0): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 11]
6186.271103588:main thread : Entry(558fe8bf9730): type 1, (CONSTANT), value: ' '
6186.271138654:main thread : Entry(558fe8bf9830): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 12]
6186.271175680:main thread : Entry(558fe8bf9a60): type 1, (CONSTANT), value: ':'
6186.271209310:main thread : Entry(558fe8bf9d50): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 13]
6186.271257167:main thread : Entry(558fe8bf9b20): type 1, (CONSTANT), value: ':'
6186.271291628:main thread : Entry(558fe8bf9c20): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 14]
6186.271333814:main thread : Entry(558fe8bf9e10): type 1, (CONSTANT), value: ' '
6186.271367917:main thread : Entry(558fe8bfa100): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 8]
6186.271408596:main thread : Entry(558fe8bf9ed0): type 1, (CONSTANT), value: ' '
6186.271437108:main thread : Entry(558fe8bf9f90): type 2, (FIELD), value: '3'
6186.271477047:main thread : Entry(558fe8bfa1c0): type 1, (CONSTANT), value: ' '
6186.271511780:main thread : Entry(558fe8bfa4b0): type 2, (FIELD), value: '4'
6186.271543313:main thread : Entry(558fe8bfa280): type 1, (CONSTANT), value: ' '
6186.271578967:main thread : Entry(558fe8bfa340): type 2, (FIELD), value: '1'
6186.271614079:main thread : Entry(558fe8bfa570): type 1, (CONSTANT), value: '
'
This is what I have in my rsyslog.conf file now. Perhaps I misinterpreted
your suggestion, or took something too literally that I should not have?
template (name="local1template" type="list") {
property(name="timereported" dateformat="year")
constant(value="-")
property(name="timereported" dateformat="month")
constant(value="-")
property(name="timereported" dateformat="day")
constant(value=" ")
property(name="timereported" dateformat="hour")
constant(value=":")
property(name="timereported" dateformat="minute")
constant(value=":")
property(name="timereported" dateformat="second")
constant(value=" ")
property(name="timereported" dateformat="wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
local1.* action(type="omfile" file="/var/log/jmtest.log"
template="local1template")
Oh, it's just dawned on me that I am actually testing this with 'logger'
and for all I know that's not actually providing a timestamp to rsyslog at
all. I'll test that with timegenerated (which I think is supplied by
rsyslog itself and not parsed from the client)... Not much difference. I
can post that debug output, too, but don't want to muddy the waters...
---
Jason Marshall
Katalyst Data Management
www.katalystdm.com | www.seismiczone.com
Rainer Gerhards
2018-11-28 06:56:08 UTC
Mhhh... This should also work with logger, would still be interested to see
a debug log.

Rainer

Sent from phone, thus brief.
Post by Jason Marshall
Thanks Flo -- turns out I just don't know how to use logger. Still don't
I guess. The actual syslog stuff coming in via its sysloggy ways likes my
new template and action just fine! Thanks for your help!
Rainer Gerhards
2018-11-27 10:50:09 UTC
On Mon, 26 Nov 2018 at 19:53, Jason Marshall
Post by Jason Marshall
Post by Flo Rance via rsyslog
Remove all the "date-" in dateformat fields and it'll work as expected.
e.g. dateformat="year"
Thanks Flo (and sorry Rainer for opening a can of worms about the docs.
I find they are actually quite good, but the config file syntax changes
are confusing to me as someone who is exposed to the variations only when
something has broken :)
Unfortunately, this suggestion from Flo does not seem to have fixed it,
though it did change the behavior in debug mode.
Now it doesn't complain about the dateformat lines, but further down in
the debug I get this obscure error-looking thing for each of the
dateformats. It seems fine with the literals in between each of them, and
it does appear to understand what I'm talking about when I say year vs
date-year, elsewhere in the debug output.
6186.270894269:main thread : Template: Name='local1template'
6186.270911262:main thread : Entry(558fe8bf95b0): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 9]
6186.270957237:main thread : Entry(558fe8bf9380): type 1, (CONSTANT), value: '-'
6186.270994908:main thread : Entry(558fe8bf9480): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 10]
6186.271031136:main thread : Entry(558fe8bf9670): type 1, (CONSTANT), value: '-'
6186.271064373:main thread : Entry(558fe8bf99a0): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 11]
6186.271103588:main thread : Entry(558fe8bf9730): type 1, (CONSTANT), value: ' '
6186.271138654:main thread : Entry(558fe8bf9830): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 12]
6186.271175680:main thread : Entry(558fe8bf9a60): type 1, (CONSTANT), value: ':'
6186.271209310:main thread : Entry(558fe8bf9d50): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 13]
6186.271257167:main thread : Entry(558fe8bf9b20): type 1, (CONSTANT), value: ':'
6186.271291628:main thread : Entry(558fe8bf9c20): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 14]
6186.271333814:main thread : Entry(558fe8bf9e10): type 1, (CONSTANT), value: ' '
6186.271367917:main thread : Entry(558fe8bfa100): type 2, (FIELD), value: '2' [UNKNOWN eDateFormat 8]
6186.271408596:main thread : Entry(558fe8bf9ed0): type 1, (CONSTANT), value: ' '
6186.271437108:main thread : Entry(558fe8bf9f90): type 2, (FIELD), value: '3'
6186.271477047:main thread : Entry(558fe8bfa1c0): type 1, (CONSTANT), value: ' '
6186.271511780:main thread : Entry(558fe8bfa4b0): type 2, (FIELD), value: '4'
6186.271543313:main thread : Entry(558fe8bfa280): type 1, (CONSTANT), value: ' '
6186.271578967:main thread : Entry(558fe8bfa340): type 2, (FIELD), value: '1'
6186.271614079:main thread : Entry(558fe8bfa570): type 1, (CONSTANT), value: '
'
The "UNKNOWN" are indeed an issue, but just a cosmetic one with debug
output. All is well here.

Fix: https://github.com/rsyslog/rsyslog/pull/3317
Post by Jason Marshall
This is what I have in my rsyslog.conf file now. Perhaps I misinterpreted
your suggestion, or took something too literally that I should not have?
template (name="local1template" type="list") {
property(name="timereported" dateformat="year")
constant(value="-")
property(name="timereported" dateformat="month")
constant(value="-")
property(name="timereported" dateformat="day")
constant(value=" ")
property(name="timereported" dateformat="hour")
constant(value=":")
property(name="timereported" dateformat="minute")
constant(value=":")
property(name="timereported" dateformat="second")
constant(value=" ")
property(name="timereported" dateformat="wdayname")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
local1.* action(type="omfile" file="/var/log/jmtest.log" template="local1template")
Oh, it's just dawned on me that I am actually testing this with 'logger'
and for all I know that's not actually providing a timestamp to rsyslog at
all. I'll test that with timegenerated (which I think is supplied by
rsyslog itself and not parsed from the client)... Not much difference. I
can post that debug output, too, but don't want to muddy the waters...
A debug log would be useful. I suggest putting it on something like pastebin.

Rainer
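An added example, not part of any post in this thread and not rsyslog project code: a small Python lint for the mistake discussed above (property-replacer option names such as date-year used as dateformat values in a list template). It also builds the property-replacer string form the first post asks about. The KNOWN set, the function names and the embedded copy of the template are this example's assumptions.

```python
import re

# Constructed sample: the list template from the first post, with the
# property-replacer style "date-" prefixes that rsyslogd rejected.
BROKEN = r'''
template (name="local1template" type="list") {
  property(name="timereported" dateformat="date-year")
  constant(value="-")
  property(name="timereported" dateformat="date-month")
  constant(value="-")
  property(name="timereported" dateformat="date-day")
  constant(value=" ")
  property(name="timereported" dateformat="date-hour")
  constant(value=":")
  property(name="timereported" dateformat="date-minute")
  constant(value=":")
  property(name="timereported" dateformat="date-second")
  constant(value=" ")
  property(name="timereported" dateformat="date-wdayname")
  constant(value=" ")
  property(name="hostname")
  constant(value=" ")
  property(name="syslogtag")
  constant(value=" ")
  property(name="msg")
  constant(value="\n")
}
'''

# dateformat values used in this thread plus two common ones; a subset chosen
# for this example, not the complete list rsyslog accepts.
KNOWN = {"year", "month", "day", "hour", "minute", "second", "wdayname",
         "rfc3339", "rfc3164"}

STMT = re.compile(r'(property|constant)\s*\(((?:"(?:[^"\\]|\\.)*"|[^)"])*)\)')
PARAM = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')

def parse_list_template(text):
    """Return the template body as ordered (kind, params) tuples."""
    return [(m.group(1), dict(PARAM.findall(m.group(2))))
            for m in STMT.finditer(text)]

def lint(entries):
    """Flag dateformat values outside KNOWN; suggest the un-prefixed name."""
    findings = []
    for kind, params in entries:
        fmt = params.get("dateformat")
        if kind == "property" and fmt is not None and fmt not in KNOWN:
            stripped = fmt[5:] if fmt.startswith("date-") else None
            findings.append((fmt, stripped if stripped in KNOWN else None))
    return findings

def fix(text):
    """Rewrite dateformat="date-X" to dateformat="X" when X is a known value."""
    def repl(m):
        return 'dateformat="%s"' % m.group(1) if m.group(1) in KNOWN else m.group(0)
    return re.sub(r'dateformat="date-([\w-]+)"', repl, text)

def to_string_template(entries):
    """Same layout as a property-replacer (type="string") template body,
    where the date options do carry the "date-" prefix."""
    out = []
    for kind, params in entries:
        if kind == "constant":
            out.append(params["value"])
        elif "dateformat" in params:
            out.append("%%%s:::date-%s%%" % (params["name"], params["dateformat"]))
        else:
            out.append("%%%s%%" % params["name"])
    return "".join(out)

if __name__ == "__main__":
    for bad, good in lint(parse_list_template(BROKEN)):
        print("unknown dateformat %r, try %r" % (bad, good))
    fixed = fix(BROKEN)
    print(to_string_template(parse_list_template(fixed)))
```

The string it prints can be used as the string= value of a template(type="string") statement; `rsyslogd -N1` checks the resulting configuration without starting the daemon.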