Mailinglist Archive: opensuse (963 mails)
[opensuse] Experimenting with rsyslog message formats
- From: "Carlos E. R." <carlos.e.r@xxxxxxxxxxxx>
- Date: Mon, 22 Nov 2010 17:33:16 +0100 (CET)
- Message-id: <alpine.LNX.2.00.1011221651120.28022@xxxxxxxxxxxxxxxxx>
Hi,
I'm trying to get rsyslog to output the messages in a format I would like. I'm using the "RSYSLOG_SyslogProtocol23Format" template for one of the log files, which prints like this:
<30>1 2010-11-22T16:29:04.707021+01:00 Telcontar smartd 3860 - - Device: /dev/sdc [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 29 to 28
For this I use this rule:
*.* -/var/log/allmessages;My_SyslogProtocol23Format
The problem starts with the templates: the definitions are not documented, I had to dig them out of the sources:
static uchar template_SyslogProtocol23Format[] = "\"<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n\"";
I would like the timestamp to be like "2010-11-22 16:29:04". To this end I define my own template derived from that one:
$template My_SyslogProtocol23Format,"<%PRI%> %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
which works - ie, it is the same as the original one. So far, so good.
But I can't find documentation for the "TIMESTAMP" formats supported. In the file "features.html" I see:
+++······················
Current Features
...
• good timestamp format control; at a minimum, ISO 8601/RFC 3339 second-resolution UTC zone
······················++-
date-rfc3339 produces output like 2010-11-22T17:09:20.201284+01:00, which is
different from what the CLI equivalent does:
cer@Telcontar:~> date --iso=ns ; date --rfc-3339=ns
2010-11-22T17:13:58,866637161+0100
2010-11-22 17:13:58.868123100+01:00
(the one I want is --rfc-3339=seconds, which in "date" does not print the "T")
I think that rsyslog got the specification reversed. Anyway, if I try the "other
one" in the template:
$template My_SyslogProtocol23Format,"<%PRI%> %TIMESTAMP:::date-rfc8601% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
I get this output:
<46> Nov 22 17:16:48 Telcontar rsyslogd - - - ...
which means it was not recognised at all. I have also tried "date-rfc8601=seconds" and "date-rfc33390seconds", none works. There is no mention in the sources of "rfc8601", only date-rfc3164 and date-rfc3339.
So the question is, what are the syntax timestamp modifiers, what modifiers are
really available?
-- Cheers,
Carlos E. R.
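An added example, not part of the original post and not rsyslog code: a Python post-processor for lines written with the template shown in the message. It does not settle which timestamp options rsyslog accepts; it decodes PRI, renders the RFC 3339 timestamp in the "2010-11-22 16:29:04" form plus a UTC value for correlating hosts, and rejects lines whose timestamp fell back to the "Nov 22 17:16:48" style. The function and field names are assumptions of this example; the two sample lines are copied from the post.

```python
import re
from datetime import datetime, timezone

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# <PRI>[VERSION] TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# VERSION is optional because the poster's derived template drops the "1".
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d*) "
    r"(?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+) ?(?P<msg>.*)$"
)

# Sample lines copied from the post (first one re-joined onto one line).
SAMPLE = ("<30>1 2010-11-22T16:29:04.707021+01:00 Telcontar smartd 3860 - - "
          "Device: /dev/sdc [SAT], SMART Usage Attribute: 194 "
          "Temperature_Celsius changed from 29 to 28")
FALLBACK = "<46> Nov 22 17:16:48 Telcontar rsyslogd - - - ..."

def parse_line(line):
    """Return a dict of fields, or None if the line is not in this format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None            # e.g. timestamp is not RFC 3339
    pri = int(m["pri"])
    if pri > 191:              # 24 facilities * 8 severities
        return None
    try:
        # Older Pythons do not accept a trailing "Z" in fromisoformat().
        ts = datetime.fromisoformat(re.sub(r"Z$", "+00:00", m["ts"]))
    except ValueError:
        return None
    if ts.tzinfo is None:      # no offset: cannot convert to UTC safely
        return None
    rec = m.groupdict()
    for key in ("host", "app", "procid", "msgid", "sd"):
        if rec[key] == "-":    # "-" is the nil value in this format
            rec[key] = None
    rec["facility"] = FACILITIES[pri >> 3]
    rec["severity"] = SEVERITIES[pri & 7]
    # Wall-clock time as logged, without fraction or offset.
    rec["local"] = ts.strftime("%Y-%m-%d %H:%M:%S")
    # Same instant in UTC, for comparing logs from hosts in other zones.
    rec["utc"] = ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return rec
```

The "local" value drops the UTC offset, so it is ambiguous across daylight-saving changes; keep the original line or the "utc" value when the logs are used as evidence.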