[RSYSLOG] The Property Replacer [repost]
I've recently been adjusting the log format of our logging platform; below is the description of rsyslog's Property Replacer. Since the rsyslog website is a bit of a pain, I'm reposting it here; I forgot the original address - - |||
The property replacer is a core component in rsyslogd's output system. A syslog message has a number of well-defined properties (see below). Each of these properties can be accessed and manipulated by the property replacer. With it, it is easy to use only part of a property value or to manipulate the value, e.g. by converting all characters to lower case.
Accessing Properties
Syslog message properties are used inside templates. They are accessed by putting them between percent signs. Properties can be modified by the property replacer. The full syntax is as follows:
%propname:fromChar:toChar:options%
Available Properties
propname is the name of the property to access. It is case-insensitive (prior to 3.17.0, they were case-sensitive).
Currently supported are:
Properties | For |
---|---|
msg | the MSG part of the message (aka "the message" 😉) |
rawmsg | the message exactly as it was received from the socket. Should be useful for debugging. |
uxtradmsg | will disappear soon - do NOT use! |
hostname | hostname from the message |
source | alias for HOSTNAME |
fromhost | hostname of the system the message was received from (in a relay chain, this is the system immediately in front of us and not necessarily the original sender). This is a DNS-resolved name, except if that is not possible or DNS resolution has been disabled. |
fromhost-ip | The same as fromhost, but always as an IP address. Local inputs (like imklog) use 127.0.0.1 in this property. |
syslogtag | TAG from the message |
programname | the "static" part of the tag, as defined by BSD syslogd. For example, when TAG is "named[12345]", programname is "named". |
pri | PRI part of the message - undecoded (single value) |
pri-text | the PRI part of the message in a textual form (e.g. "syslog.info") |
iut | the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for phpLogCon) |
syslogfacility | the facility from the message - in numerical form |
syslogfacility-text | the facility from the message - in text form |
syslogseverity | severity from the message - in numerical form |
syslogseverity-text | severity from the message - in text form |
syslogpriority | an alias for syslogseverity - included for historical reasons (be careful: it still is the severity, not PRI!) |
syslogpriority-text | an alias for syslogseverity-text |
timegenerated | timestamp when the message was RECEIVED. Always in high resolution |
timereported | timestamp from the message. Resolution depends on what was provided in the message (in most cases, only seconds) |
timestamp | alias for timereported |
protocol-version | The contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-protocol |
structured-data | The contents of the STRUCTURED-DATA field from IETF draft draft-ietf-syslog-protocol |
app-name | The contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol |
procid | The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol |
msgid | The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol |
$now | The current date stamp in the format YYYY-MM-DD |
$year | The current year (4-digit) |
$month | The current month (2-digit) |
$day | The current day of the month (2-digit) |
$hour | The current hour in military (24 hour) time (2-digit) |
$hhour | The current half hour we are in. From minute 0 to 29, this is always 0 while from 30 to 59 it is always 1. |
$qhour | The current quarter hour we are in. Much like $HHOUR, but values range from 0 to 3 (for the four quarter hours that are in each hour) |
$minute | The current minute (2-digit) |
Properties starting with a $-sign are so-called system properties. These do NOT stem from the message but are rather internally-generated.
Character Positions
FromChar and toChar are used to build substrings. They specify the offset within the string that should be copied. Offset counting starts at 1, so if you need to obtain the first 2 characters of the message text, you can use this syntax: "%msg:1:2%". If you do not wish to specify from and to, but you want to specify options, you still need to include the colons. For example, if you would like to convert the full message text to lower case, use "%msg:::lowercase%". If you would like to extract from a position until the end of the string, you can place a dollar-sign ("$") in toChar (e.g. "%msg:10:$%", which will extract from position 10 to the end of the string).
There is also support for regular expressions. To use them, you need to place an "R" into FromChar. This tells rsyslog that a regular expression instead of position-based extraction is desired. The actual regular expression must then be provided in toChar. The regular expression must be followed by the string "--end". It denotes the end of the regular expression and will not become part of it. If you are using regular expressions, the property replacer will return the part of the property text that matches the regular expression. An example of a property replacer sequence with a regular expression is: "%msg:R:.*Sev:. \(.*\) \[.*--end%"
It is possible to specify some parameters after the "R". These are comma-separated. They are:
R,<regexp-type>,<submatch>,<nomatch>,<match-number>
regexp-type is either "BRE" for POSIX basic regular expressions or "ERE" for extended ones. The string must be given in upper case. The default is "BRE" to be consistent with earlier versions of rsyslog that did not support ERE. The submatch identifies the submatch to be used with the result. A single digit is supported. Match 0 is the full match, while 1 to 9 are the actual submatches. The match-number identifies which match to use, if the expression occurs more than once inside the string. Please note that the first match is number 0, the second 1 and so on. Up to 10 matches (up to number 9) are supported. Please note that it would be more natural to have the match-number in front of submatch, but this would break backward-compatibility. So the match-number must be specified after "nomatch".
nomatch is either "DFLT", "BLANK" or "FIELD" (all upper case!). It tells what to use if no match is found. With "DFLT", the string "NO MATCH" is used. This was the only supported value up to rsyslog 3.19.5. With "BLANK" a blank text is used (""). Finally, "FIELD" uses the full property text instead of the expression. Some folks have requested that, so it seems to be useful.
The following is a sample of an ERE expression that takes the first submatch from the message string and replaces the expression with the full field if no match is found:
%msg:R,ERE,1,FIELD:for (vlan[0-9]*):--end%
and this takes the first submatch of the second match of said expression:
%msg:R,ERE,1,FIELD,1:for (vlan[0-9]*):--end%
Also, extraction can be done based on so-called "fields". To do so, place an "F" into FromChar. A field in its current definition is anything that is delimited by a delimiter character. The delimiter by default is TAB (US-ASCII value 9). However, it can be changed to any other US-ASCII character by specifying a comma and the decimal US-ASCII value of the delimiter immediately after the "F". For example, to use comma (",") as a delimiter, use this field specifier: "F,44". If your syslog data is delimited, this is a quicker way to extract than via regular expressions (actually, a much quicker way). Field counting starts at 1. Field zero is accepted, but will always lead to a "field not found" error. The same happens if a field number higher than the number of fields in the property is requested. The field number must be placed in the "ToChar" parameter. An example where the 3rd field (delimited by TAB) from the msg property is extracted is as follows: "%msg:F:3%". The same example with semicolon as delimiter is "%msg:F,59:3%".
Please note that the special characters "F" and "R" are case-sensitive. Only upper case works, lower case will return an error. There are no white spaces permitted inside the sequence (that will lead to error messages and will NOT provide the intended result).
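As an added example (not part of the original rsyslog documentation or of this post), the following Python script emulates the extraction rules described above: it splits a %propname:fromChar:toChar:options% sequence into its parts, applies character positions counted from 1 (with "$" meaning end of string), the "R" form with its comma-separated parameters (BRE/ERE, submatch, nomatch, match-number) and the "F" form with a decimal delimiter code, and expands a whole template string. The property values in SAMPLE_PROPS are constructed; the BRE-to-Python translation, the "NO MATCH" text for DFLT and the "field not found" ValueError follow the page's description; only the lowercase/uppercase options are implemented here. It is a model of the semantics, not rsyslog's own code.

```python
import re

NO_MATCH = "NO MATCH"  # what nomatch=DFLT yields, per the page

# Constructed sample properties (not from the page): stand-ins for what rsyslog
# fills in from one received message. The three fields of msg are TAB-separated.
SAMPLE_PROPS = {
    "msg": "eth0\tlink up for vlan10: ok\tSev:3 (warn) [kern] for vlan22: flap",
    "hostname": "Web01",
    "syslogtag": "named[12345]:",
}


def bre_to_python(pattern):
    # Translate a POSIX BRE into Python's ERE-like syntax: in a BRE, \( \) and
    # \{ \} are the group/interval operators, while bare ( ) { } + ? | are literals.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(nxt if nxt in "(){}" else c + nxt)
            i += 2
        else:
            out.append("\\" + c if c in "(){}+?|" else c)
            i += 1
    return "".join(out)


def parse_spec(spec):
    """Split the text between the percent signs into (propname, fromChar, toChar,
    options). A regular expression runs up to the literal --end, so colons inside
    it are not separators."""
    propname, _, rest = spec.partition(":")
    if not rest:                                   # plain %propname%
        return propname, "", "", ""
    fromchar, _, rest = rest.partition(":")
    if fromchar.startswith("R"):
        tochar, sep, rest = rest.partition("--end")
        if not sep:
            raise ValueError("regular expression must be followed by --end")
        options = rest[1:] if rest.startswith(":") else rest
    else:
        tochar, _, options = rest.partition(":")
    return propname, fromchar, tochar, options


def regex_extract(value, fromchar, regex):
    """fromChar is R,<regexp-type>,<submatch>,<nomatch>,<match-number>; each
    parameter after R may be omitted and then takes the page's default."""
    p = fromchar.split(",") + [""] * 4
    rtype, submatch = p[1] or "BRE", int(p[2] or 0)
    nomatch, matchnum = p[3] or "DFLT", int(p[4] or 0)
    if rtype not in ("BRE", "ERE") or nomatch not in ("DFLT", "BLANK", "FIELD"):
        raise ValueError("regexp-type and nomatch are upper-case keywords")
    if not (0 <= submatch <= 9 and 0 <= matchnum <= 9):
        raise ValueError("submatch and match-number are single digits")
    compiled = re.compile(regex if rtype == "ERE" else bre_to_python(regex))
    matches = list(compiled.finditer(value))
    if matchnum >= len(matches):                   # the first match is number 0
        return {"DFLT": NO_MATCH, "BLANK": "", "FIELD": value}[nomatch]
    return matches[matchnum].group(submatch) or ""


def field_extract(value, fromchar, tochar):
    """fromChar is F or F,<decimal ASCII code of the delimiter> (TAB by default);
    toChar is the 1-based field number. Field 0 or a number past the last field
    is the 'field not found' error the page describes."""
    delim = chr(int(fromchar[2:])) if fromchar.startswith("F,") else "\t"
    fields = value.split(delim)
    number = int(tochar)
    if not 1 <= number <= len(fields):
        raise ValueError(f"field not found: {number}")
    return fields[number - 1]


def replace_property(props, spec):
    """Evaluate one %...% sequence (spec is the text between the percent signs)
    against a dict of property values; property names are case-insensitive."""
    propname, fromchar, tochar, options = parse_spec(spec)
    value = props[propname.lower()]
    if fromchar.startswith("R"):
        value = regex_extract(value, fromchar, tochar)
    elif fromchar.startswith("F"):
        value = field_extract(value, fromchar, tochar)
    elif fromchar or tochar:                       # character positions, counted from 1
        start = int(fromchar) if fromchar else 1
        end = len(value) if tochar in ("", "$") else int(tochar)
        value = value[start - 1:end]
    for opt in filter(None, options.lower().split(",")):
        if opt not in ("lowercase", "uppercase"):
            raise ValueError(f"option not handled in this example: {opt}")
        value = value.lower() if opt == "lowercase" else value.upper()
    return value


def expand_template(template, props):
    """Expand every %...% sequence in a template string (assumption: the
    template contains no literal percent signs)."""
    return re.sub(r"%([^%]*)%", lambda m: replace_property(props, m.group(1)), template)
```

Running `expand_template("%HOSTNAME% %syslogtag%%msg:R,ERE,1,FIELD,1:for (vlan[0-9]*):--end%", SAMPLE_PROPS)` against the constructed properties yields the second vlan match, which shows why the match-number sits after nomatch: the third parameter is still the submatch.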
Property Options
Property options are case-insensitive. Currently, the following options are defined:
property | for |
---|---|
uppercase | convert property text to uppercase only |
lowercase | convert property text to lowercase only |
drop-last-lf | The last LF in the message (if any), is dropped. Especially useful for PIX. |
date-mysql | format as mysql date |
date-rfc3164 | format as RFC 3164 date |
date-rfc3339 | format as RFC 3339 date |
date-subseconds | just the subseconds of a timestamp (always 0 for a low precision timestamp) |
escape-cc | replace control characters (ASCII value 127 and values less than 32) with an escape sequence. The sequence begins with "#". Note: using this option requires that $EscapeControlCharactersOnReceive is set to off. |
space-cc | replace control characters by spaces. Note: using this option requires that $EscapeControlCharactersOnReceive is set to off. |
drop-cc | drop control characters - the resulting string will contain neither control characters, escape sequences nor any other replacement character like space. Note: using this option requires that $EscapeControlCharactersOnReceive is set to off. |
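As an added example (again not rsyslog's code and not part of the original post), this Python snippet models the control-character and date options from the table above. The control-character options matter for log integrity: a message carrying ANSI escape sequences or an embedded newline can change what an operator sees on a terminal or how a downstream parser splits lines, and escape-cc, space-cc and drop-cc are the template-level mitigations, subject to the $EscapeControlCharactersOnReceive note. Assumptions: escape-cc writes "#" followed by the three-digit decimal code of the character, date-mysql is YYYYMMDDHHMMSS, date-rfc3339 is the ISO 8601 form of a timezone-aware Python datetime, and the sample message and timestamp are constructed.

```python
from datetime import datetime, timezone


def is_control(ch):
    # the page's definition: ASCII value 127 and values less than 32
    return ord(ch) < 32 or ord(ch) == 127


def apply_option(value, option, when=None):
    """Apply one property-replacer option to a property value. `when` is the
    timestamp used by the date-* options (assumption: a timezone-aware datetime
    standing in for the timestamp behind timereported/timegenerated)."""
    option = option.lower()                          # options are case-insensitive
    if option == "drop-last-lf":
        return value[:-1] if value.endswith("\n") else value
    if option == "escape-cc":
        # Assumption: "#" followed by the 3-digit decimal code, e.g. TAB -> "#009"
        return "".join(f"#{ord(c):03d}" if is_control(c) else c for c in value)
    if option == "space-cc":
        return "".join(" " if is_control(c) else c for c in value)
    if option == "drop-cc":
        return "".join(c for c in value if not is_control(c))
    if option.startswith("date-"):
        if when is None:
            raise ValueError(f"{option} needs a timestamp")
        if option == "date-mysql":                   # assumption: YYYYMMDDHHMMSS
            return when.strftime("%Y%m%d%H%M%S")
        if option == "date-rfc3164":                 # "Mmm dd HH:MM:SS", day space-padded
            return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
        if option == "date-rfc3339":                 # fraction appears only when non-zero
            return when.isoformat()
        if option == "date-subseconds":              # 0 for a low-precision timestamp
            return str(when.microsecond)
    raise ValueError(f"unknown option: {option}")


def apply_options(value, options, when=None):
    """Apply a comma-separated option list left to right, e.g. the options part
    of %msg:::drop-last-lf,escape-cc%."""
    for opt in filter(None, options.split(",")):
        value = apply_option(value, opt, when)
    return value


# Constructed sample message (not from the page): a TAB, two ANSI escape
# sequences and a trailing LF, the kind of control characters a terminal or a
# line-oriented parser would otherwise interpret.
SAMPLE_MSG = "user login\tfrom 10.0.0.1\x1b[31mred\x1b[0m\n"
# Constructed high-resolution timestamp for the date-* options.
SAMPLE_TIME = datetime(2008, 1, 1, 12, 34, 56, 123456, tzinfo=timezone.utc)
```

The three control-character options differ in what survives: escape-cc keeps the information (the original byte is recoverable from the "#ddd" code), space-cc keeps the column positions, and drop-cc keeps nothing of the control character, which also means "drop-last-lf" becomes redundant after it.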
Further Links
Article on "Recording the Priority of Syslog Messages" (describes use of templates to record severity and facility of a message)
Configuration file syntax, this is where you actually use the property replacer.