动态 Rsyslog 模板
Dynamic Rsyslog template
我的 Rsyslog 配置如下所示:
template(name="extract" type="string" string="%msg:R:/(?:"(level)":")((\"|
[^"])*)"/g–end%")
if $InputFileTag == 'esblog' then {
set $!level = exec_template("extract");
} else {
set $!level = $syslogseverity-text;
}
template(name="json_lines" type="list") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"json.level\":\"") property(name="$!level" format="json")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"tag\":\"") property(name="syslogtag" format="json")
constant(value="\",\"message\":\"") property(name="msg" format="json")
constant(value="\"}")
}
基本上,如果源标记是 esblog,我想使用这个正则表达式,从 "extract" 中提取日志消息的严重性。否则我想使用默认严重性。然后在 json.level 标签内使用该变量,这样我在外发消息中只需要一个模板。但是还没有成功。
使用 RegEx 的示例消息:https://regex101.com/r/lN4tD4/1
错误日志
0341.407068000:main thread : error: can not find regex end in: '(?:"level":")(\"|[^"]*)"–end%'
0341.407084000:main thread : PROP_INVALID for name ''
0341.407097000:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: invalid property ''
0341.407195000:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: error processing template object
0341.407350000:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 33: exec_template(): template 'extract'
RegEx 只是需要更改。
template(name="extract" type="string" string="%msg:R,ERE,2,DFLT:(\"level\":\")(\\"|[^\"]*)\"--end%")
if $programname contains "esb-log" then {
set $!level = exec_template("extract");
} else {
set $!level = $syslogseverity-text;
}
在线 Rsyslog RegEx 工具:http://www.rsyslog.com/regex/
我的 Rsyslog 配置如下所示:
template(name="extract" type="string" string="%msg:R:/(?:"(level)":")((\"|
[^"])*)"/g–end%")
if $InputFileTag == 'esblog' then {
set $!level = exec_template("extract");
} else {
set $!level = $syslogseverity-text;
}
template(name="json_lines" type="list") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"json.level\":\"") property(name="$!level" format="json")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"tag\":\"") property(name="syslogtag" format="json")
constant(value="\",\"message\":\"") property(name="msg" format="json")
constant(value="\"}")
}
基本上,如果源标记是 esblog,我想使用这个正则表达式,从 "extract" 中提取日志消息的严重性。否则我想使用默认严重性。然后在 json.level 标签内使用该变量,这样我在外发消息中只需要一个模板。但是还没有成功。
使用 RegEx 的示例消息:https://regex101.com/r/lN4tD4/1
错误日志
0341.407068000:main thread : error: can not find regex end in: '(?:"level":")(\"|[^"]*)"–end%'
0341.407084000:main thread : PROP_INVALID for name ''
0341.407097000:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: invalid property ''
0341.407195000:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: error processing template object
0341.407350000:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 33: exec_template(): template 'extract'
RegEx 只是需要更改。
template(name="extract" type="string" string="%msg:R,ERE,2,DFLT:(\"level\":\")(\\"|[^\"]*)\"--end%")
if $programname contains "esb-log" then {
set $!level = exec_template("extract");
} else {
set $!level = $syslogseverity-text;
}
在线 Rsyslog RegEx 工具:http://www.rsyslog.com/regex/