
Cannot access json fields #1116

Closed
micahlmartin opened this issue Aug 13, 2016 · 35 comments

Comments

@micahlmartin

Here's the config I have:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad mmjsonparse
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

action(type="mmjsonparse")
template(name="justFoo" type="list") {
    property(name="$!_MACHINE_ID")
    constant(value="\n") #we'll separate logs with a newline
}

action(type="omfile"
    template="justFoo"
    file="/var/log/foo")

The output of /var/log/foo is blank. However if I specify property(name="$!") I get this:

{ "PRIORITY": "6", "_TRANSPORT": "journal", "_UID": "0", "_GID": "0", "_CAP_EFFECTIVE": "1fffffffff", "_BOOT_ID": "a217099294b3486da01ac733d15ee451", "_MACHINE_ID": "f32e0af35637b5dfcbedcb0a1de8dca1", "_HOSTNAME": "ip-10-204-26-252", "SYSLOG_FACILITY": "3", "_SELINUX_CONTEXT": "system_u:system_r:init_t:s0", "CODE_FILE": "src\/core\/job.c", "CODE_LINE": "776", "CODE_FUNCTION": "job_log_status_message", "SYSLOG_IDENTIFIER": "systemd", "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", "RESULT": "done", "_PID": "1", "_COMM": "systemd", "_EXE": "\/usr\/lib\/systemd\/systemd", "_CMDLINE": "\/usr\/lib\/systemd\/systemd --switched-root --system --deserialize 20", "_SYSTEMD_CGROUP": "\/", "UNIT": "rsyslog.service", "MESSAGE": "Started System Logging Service.", "_SOURCE_REALTIME_TIMESTAMP": "1471126333489889" }
{ "_SYSTEMD_SLICE": "system.slice", "_BOOT_ID": "a217099294b3486da01ac733d15ee451", "_MACHINE_ID": "f32e0af35637b5dfcbedcb0a1de8dca1", "_HOSTNAME": "ip-10-204-26-252", "PRIORITY": "5", "_TRANSPORT": "syslog", "SYSLOG_FACILITY": "10", "SYSLOG_IDENTIFIER": "polkitd", "SYSLOG_PID": "16322", "_PID": "16322", "_UID": "997", "_GID": "995", "_COMM": "polkitd", "_EXE": "\/usr\/lib\/polkit-1\/polkitd", "_CMDLINE": "\/usr\/lib\/polkit-1\/polkitd --no-debug", "_CAP_EFFECTIVE": "0", "_SYSTEMD_CGROUP": "\/system.slice\/polkit.service", "_SYSTEMD_UNIT": "polkit.service", "_SELINUX_CONTEXT": "system_u:system_r:policykit_t:s0", "MESSAGE": "Unregistered Authentication Agent for unix-process:2029:37268534 (system bus name :1.3936, object path \/org\/freedesktop\/PolicyKit1\/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)", "_SOURCE_REALTIME_TIMESTAMP": "1471126333491535" }

I've tried every combination of accessing variables off of $! with no luck. Any idea what I'm doing wrong?

@davidelang
Contributor

I suspect that the problem is the leading '_', but Rainer will have to confirm
this and say if there is any work-around.

David Lang

@micahlmartin
Author

I've tried all the fields, even the ones without the '_', and none of them work.

@davidelang
Contributor

davidelang commented Aug 13, 2016 via email

@micahlmartin
Author

Can you elaborate? I'm new to rsyslog.
On Sat, Aug 13, 2016 at 7:23 PM davidelang notifications@github.com wrote:

On Sat, 13 Aug 2016, Micah Martin wrote:

I've tried all the fields, even the ones without the '_', and none of
them work.

if you write with the format RSYSLOG_DebugFormat what do you get?

David Lang

@davidelang
Contributor

use the template RSYSLOG_DebugFormat

@micahlmartin
Author

Here's the output:

Debug line with all properties:
FROMHOST: 'ip-x-x-x-x', fromhost-ip: '127.0.0.1', HOSTNAME: 'ip-x-x-x-x', PRI: 30,
syslogtag 'dd.collector[8689]:', programname: 'dd.collector', APP-NAME: 'dd.collector', PROCID: '8689', MSGID: '-',
TIMESTAMP: 'Aug 14 01:26:04', STRUCTURED-DATA: '-',
msg: 'INFO (http_check.py:252): XXXXX'
escaped msg: 'INFO (http_check.py:252): XXXX'
inputname: imjournal rawmsg: 'INFO (http_check.py:252): XXXX'
$!:{ "PRIORITY": "6", "_SYSTEMD_SLICE": "system.slice", "_BOOT_ID": "a217099294b3486da01ac733d15ee451", "_MACHINE_ID": "f32e0af35637b5dfcbedcb0a1de8dca1", "_HOSTNAME": "ip-x-x-x-x", "SYSLOG_FACILITY": "3", "_TRANSPORT": "syslog", "_CAP_EFFECTIVE": "0", "SYSLOG_IDENTIFIER": "dd.collector", "SYSLOG_PID": "8689", "_PID": "8689", "_UID": "995", "_GID": "991", "_COMM": "python", "_EXE": "\/opt\/datadog-agent\/embedded\/bin\/python2.7", "_CMDLINE": "\/opt\/datadog-agent\/embedded\/bin\/python \/opt\/datadog-agent\/agent\/agent.py foreground --use-local-forwarder", "_SYSTEMD_CGROUP": "\/system.slice\/datadog-agent.service", "_SYSTEMD_UNIT": "datadog-agent.service", "_SELINUX_CONTEXT": "system_u:system_r:initrc_t:s0", "MESSAGE": "INFO (http_check.py:252): XXXX", "_SOURCE_REALTIME_TIMESTAMP": "1471137964100508" }
$.:
$/:

@rgerhards
Member

can you pls do a

$ rsyslogd -v
$ rsyslogd -N1

and post the result.

Note: you may need to add the path to rsyslogd to the command if it is not in your search path (it sometimes is not).

@mostolog
Contributor

Why are / escaped?
According to another issue I'm looking at, '' should be escaped, isn't it?

@james-lawrence

having the exact same issue using imjournal and trying to access the CEE fields:

# pretty sure these two lines are pointless with imjournal as both %$!% and %jsonmesg% have fully populated contexts?
$ModLoad mmjsonparse
action(type="mmjsonparse")

template(name="ExampleFormat" type="string"
string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %$!PRIORITY% %msg%\n"
)

action(type="omfile" dirCreateMode="0700" FileCreateMode="0644" File="/var/log/rsyslog-debug2.log" Template="ExampleFormat")

output:
<30>0 2016-10-27T15:05:43.881972+00:00 i-8b0ace9d app - <message contents>

if I don't try specifying a path to a particular field, all the fields are output as json:

template(name="ExampleFormat" type="string"
string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %$!% %msg%\n"
)

output:
<30>0 2016-10-27T15:05:43.881972+00:00 i-8b0ace9d app - {...} <message contents>

@rgerhards
Member

@james-lawrence I guess the second output part is wrong...

@james-lawrence

james-lawrence commented Oct 27, 2016

In what sense? The message looks fine to me. (If you're referring to the {...}, that is for brevity; the actual fields are all there, same for the <message contents>.)

@rgerhards
Member

@james-lawrence well, the ellipsis actually has the information that is interesting ;-)

@james-lawrence

ha, I'll get the actual information then. It's pretty much the standard journald data as posted in the original message. Didn't think I'd need to repeat it. =)

@rgerhards
Member

I thought something was missing in the original message? :-S

@james-lawrence

james-lawrence commented Oct 27, 2016

no we just can't access the fields as my two templates demonstrate.

using the original message example data set:
{ "PRIORITY": "6", "_TRANSPORT": "journal", "_UID": "0", "_GID": "0", "_CAP_EFFECTIVE": "1fffffffff", "_BOOT_ID": "a217099294b3486da01ac733d15ee451", "_MACHINE_ID": "f32e0af35637b5dfcbedcb0a1de8dca1", "_HOSTNAME": "ip-10-204-26-252", "SYSLOG_FACILITY": "3", "_SELINUX_CONTEXT": "system_u:system_r:init_t:s0", "CODE_FILE": "src\/core\/job.c", "CODE_LINE": "776", "CODE_FUNCTION": "job_log_status_message", "SYSLOG_IDENTIFIER": "systemd", "MESSAGE_ID": "39f53479d3a045ac8e11786248231fbf", "RESULT": "done", "_PID": "1", "_COMM": "systemd", "_EXE": "\/usr\/lib\/systemd\/systemd", "_CMDLINE": "\/usr\/lib\/systemd\/systemd --switched-root --system --deserialize 20", "_SYSTEMD_CGROUP": "\/", "UNIT": "rsyslog.service", "MESSAGE": "Started System Logging Service.", "_SOURCE_REALTIME_TIMESTAMP": "1471126333489889" }

In the first template I try to access the PRIORITY field, i.e. %$!PRIORITY%, which as you can clearly see in the dataset exists with a value of 6. However all I get is an empty string (i.e. it doesn't find the field?).

In the second template I do not try to get any fields, i.e. %$!%, and it returns the entire data set (represented by {...}).

According to the documentation (http://www.rsyslog.com/doc/v8-stable/rainerscript/variable_property_types.html) I should be able to access nested values with the path separated by !, which as shown above isn't working.

@rgerhards
Member

Which version? I think I remember there were some with variable case
problems.

Sent from phone, thus brief.

@james-lawrence

about 10 versions ago. so relatively old I suppose. I can try a more recent version this weekend maybe? will need to see if there is an update package in some rpm repository.

$ rsyslogd -v
rsyslogd 8.12.0, compiled with:
    PLATFORM:               x86_64-redhat-linux-gnu
    PLATFORM (lsb_release -d):
    FEATURE_REGEXP:             Yes
    GSSAPI Kerberos 5 support:      Yes
    FEATURE_DEBUG (debug build, slow code): No
    32bit Atomic operations supported:  Yes
    64bit Atomic operations supported:  Yes
    memory allocator:           system default
    Runtime Instrumentation (slow code):    No
    uuid support:               Yes
    Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.

$ rsyslogd -N1
rsyslogd: version 8.12.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

@davidelang
Contributor

davidelang commented Oct 27, 2016 via email

@james-lawrence

@davidelang, it's the first property in $!. I'm just going to see if it's fixed in a newer version if I can find a prebuilt package.
{ "PRIORITY": "6"...}

@rgerhards
Member

Go to rsyslog.com to find packages.

Sent from phone, thus brief.

@mostolog
Contributor

I think @rgerhards refers to #962

@mostolog
Contributor

mostolog commented Nov 4, 2016

@micahlmartin @james-lawrence Do you still have this issue with 8.22?

@james-lawrence

I'll test this weekend.

@james-lawrence

james-lawrence commented Nov 6, 2016

update: still broken as far as I can tell. tested on arch linux.
version:

$ rsyslogd -v
rsyslogd 8.22.0, compiled with:
    PLATFORM:               x86_64-unknown-linux-gnu
    PLATFORM (lsb_release -d):      
    FEATURE_REGEXP:             Yes
    GSSAPI Kerberos 5 support:      No
    FEATURE_DEBUG (debug build, slow code): No
    32bit Atomic operations supported:  Yes
    64bit Atomic operations supported:  Yes
    memory allocator:           system default
    Runtime Instrumentation (slow code):    No
    uuid support:               Yes
    Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.

/etc/rsyslog.conf

# Minimal config

$ModLoad imjournal # provides access to the systemd journal
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf

auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
#cron.*             /var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*              -/var/log/kern.log
lpr.*               -/var/log/lpr.log
mail.*              -/var/log/mail.log
user.*              -/var/log/user.log

mail.info           -/var/log/mail.info
mail.warn           -/var/log/mail.warn
mail.err            /var/log/mail.err

news.crit           /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice         -/var/log/news/news.notice

*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages

*.emerg             :omusrmsg:*

daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warn   |/dev/xconsole

/etc/rsyslog.d/22-debug.conf

template(name="ExampleFormat" type="string"
string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% priority(%$!PRIORITY%) %$!%\n"
)

action(type="omfile" dirCreateMode="0700" FileCreateMode="0644" File="/var/log/rsyslog-debug.log" Template="ExampleFormat")

Output in the log; expected priority(6), instead we see priority():

<14>0 2016-06-01T09:26:56.870118-04:00 wambli firefox.desktop - priority() { "PRIORITY": "6", "_UID": "1000", "_GID": "1000", "_CAP_EFFECTIVE": "0", "_SYSTEMD_OWNER_UID": "1000", "_SYSTEMD_SLICE": "user-1000.slice", "_BOOT_ID": "54c71a66d00846fe854966e9d1cff6f0", "_MACHINE_ID": "a3e949a1aa69491eb4ff64dbeb50c9a9", "_HOSTNAME": "wambli", "_TRANSPORT": "stdout", "_SYSTEMD_CGROUP": "\/user.slice\/user-1000.slice\/session-c2.scope", "_SYSTEMD_SESSION": "c2", "_SYSTEMD_UNIT": "session-c2.scope", "SYSLOG_IDENTIFIER": "firefox.desktop", "_PID": "1148", "_COMM": "firefox", "_EXE": "\/usr\/lib\/firefox\/firefox", "_CMDLINE": "firefox", "MESSAGE": "(firefox:1148): Gtk-CRITICAL **: gtk_clipboard_set_with_data: assertion 'targets != NULL' failed" }

@mostolog
Contributor

mostolog commented Nov 7, 2016

I'm wondering why all properties under $! are uppercased...
Could you also use property jsonmesg in template?
Could you replicate a simpler use-case (file with a few lines) using rsyslogd -d?

@james-lawrence

maybe next weekend, jsonmesg iirc gave the exact same output as $!.

@davidelang
Contributor

this may be a case squashing problem. I think that rsyslog squashes the case for anything in the config file, and also squashes the case for property names that are parsed via some methods, but not all.

changing things to be case sensitive will break existing configs

I still think it would be useful to have a config option to allow property names to be case sensitive (default off)

the other option is #1282 which would let you lowercase the property names after they have been parsed.

@rgerhards
Member

Please note that @portante already did work here: #481 Probably we need to review that discussion (but not before Jan/17 for me).

@bestofmukul

bestofmukul commented Mar 29, 2017

Any progress on this issue? It took me a while to figure out this behavior/bug. The workaround I got is to lowercase my message at source, since extracting properties is important for my use case.

@marcbachmann

I tried to get it to work with the following config, which didn't work.

# /etc/rsyslog.d/docker.conf
template(name="docker_container_file" type="string" string='/var/log/docker/%$!CONTAINER_TAG%.log')

if ($!CONTAINER_NAME != "") then {
  action(name="docker-containers-combined" type="omfile" file="/var/log/docker/combined.log")
  action(name="docker-containers" type="omfile" dynaFile="docker_container_file")
  stop
}

Then I tried to upgrade to v8.24, where the issue still exists.

$ rsyslogd -v
rsyslogd 8.24.0, compiled with:
        PLATFORM:                               x86_64-redhat-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.

Could you give any feedback whether it's fixed in v8.30? I saw that you did some refactorings.
I might be able to upgrade to that version.

@davidelang
Contributor

davidelang commented Nov 20, 2017 via email

@marcbachmann

I applied RSYSLOG_DebugFormat but it didn't show anything special. Everything is upper case. I also tried to use lower case variables but that didn't work either.
Currently I don't have access to the server, so you'll have a few hours until I'm at work again.
I'll also try to get it running with option.casesensitive="on". thanks for that hint.

FYI I'm trying to set up docker log forwarding by using the journald logging driver in docker.
The simplified docker daemon.json config looks like { "log-driver": "journald"}. CONTAINER_TAG is a variable set by the docker journald logging driver.

@davidelang
Contributor

davidelang commented Nov 21, 2017 via email

@marcbachmann

marcbachmann commented Nov 21, 2017

@davidelang thanks, that helped.
Now all docker logs land in a directory defined by a tag. ❤️
For reference, here's the example output using RSYSLOG_DebugFormat.

Debug line with all properties:
FROMHOST: 'my-host', fromhost-ip: '127.0.0.1', HOSTNAME: 'my-host', PRI: 14,
syslogtag 'journal:', programname: 'journal', APP-NAME: 'journal', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Nov 20 23:30:17', STRUCTURED-DATA: '-',
msg: 'works'
escaped msg: 'works'
inputname: imjournal rawmsg: 'works'
$!:{ "PRIORITY": "6", "_TRANSPORT": "journal", "_UID": "0", "_GID": "0", "_CAP_EFFECTIVE": "1fffffffff", "_BOOT_ID": "b7d76b6088e342b2afde13fb254dd1d8", "_MACHINE_ID": "343233bac42d4e9da55f7890755c6cc4", "_HOSTNAME": "my-host", "_SYSTEMD_SLICE": "system.slice", "_COMM": "dockerd", "_EXE": "\/usr\/bin\/dockerd", "_CMDLINE": "\/usr\/bin\/dockerd", "_SYSTEMD_CGROUP": "\/system.slice\/docker.service", "_SYSTEMD_UNIT": "docker.service", "_SELINUX_CONTEXT": "system_u:system_r:docker_t:s0", "_PID": "31780", "CONTAINER_TAG": "test", "MESSAGE": "works", "CONTAINER_ID": "9eff3db79a85", "CONTAINER_ID_FULL": "9eff3db79a85cf0558904af05d451e2dfbdb42576ce9957e94937235fce4a559", "CONTAINER_NAME": "my-docker-container-name", "_SOURCE_REALTIME_TIMESTAMP": "1511217017582628" }
$.:
$/:
# /etc/docker/daemon.json
{ "log-driver": "journald", "log-opts": {"tag": "{{.Name}}/{{.ID}}"}}

And that's the final working config:

# /etc/rsyslog.d/docker_containers.conf
template(name="docker_container_file" type="string" string="/var/log/docker_containers/%$!CONTAINER_TAG%.log" option.casesensitive="on")

if ($!CONTAINER_NAME != "") then {
  action(name="docker-containers-combined" type="omfile" file="/var/log/docker_containers.log")
  action(name="docker-containers" type="omfile" dynaFile="docker_container_file")
  stop
}

Here's the whole config I'm using: https://gist.github.com/marcbachmann/00aca56839d9ba886fce1faf10faa355
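As an added illustration (not rsyslog's code, not from any commenter) of the case squashing David Lang describes and of why `option.casesensitive="on"` on the final template fixes it: a small Python model of how a `%$!NAME%` reference is resolved against the `$!` tree, run over a constructed, trimmed journald-style record in the shape imjournal produces. It also models the lowercase-at-source workaround mentioned earlier in the thread.

```python
"""Model of rsyslog template lookup of %$!NAME% references (added example,
not rsyslog's implementation). Property names read from the config file are
folded to lower case by default; journald keys under $! are upper case, so
the folded lookup of $!PRIORITY finds nothing and renders as "" unless the
template is declared with option.casesensitive="on".
"""
import json
import re

# Constructed sample record (trimmed) in the shape imjournal puts under $!.
JOURNAL_MSG = json.loads('''{
  "PRIORITY": "6", "_HOSTNAME": "ip-10-204-26-252",
  "SYSLOG_IDENTIFIER": "systemd", "MESSAGE": "Started System Logging Service.",
  "CONTAINER_TAG": "test", "CONTAINER_NAME": "my-docker-container-name"
}''')

_PROP_RE = re.compile(r"%([^%]+)%")  # a %...% property reference in a string template


def resolve_json_path(tree, path, casesensitive):
    """Resolve a "$!a!b" path against the $! tree.

    casesensitive=False mirrors the default: the name is lower-cased before
    lookup, so it never matches upper-case journald keys and an unset
    property (empty string) comes back. "$!" alone returns the whole tree,
    which is why %$!% in the thread printed the full JSON object.
    """
    assert path.startswith("$!"), "only $! paths are modelled here"
    rest = path[2:]
    if rest == "":
        return json.dumps(tree, separators=(", ", ": "))
    if not casesensitive:
        rest = rest.lower()
    node = tree
    for key in rest.split("!"):
        if not isinstance(node, dict) or key not in node:
            return ""  # missing subtree -> empty string, like an unset property
        node = node[key]
    return node if isinstance(node, str) else json.dumps(node)


def render_template(template, tree, casesensitive=False):
    """Expand every %...% reference in a string template.

    Only $! paths are resolved; other properties (pri, timestamp, ...) are
    left as <name> placeholders because they are not what this issue is about.
    """
    def sub(match):
        name = match.group(1)
        if name.startswith("$!"):
            return resolve_json_path(tree, name, casesensitive)
        return "<" + name + ">"
    return _PROP_RE.sub(sub, template)


def lowercase_keys(tree):
    """Workaround mentioned in the thread: lower-case the keys at the source
    so the default (folded) lookup matches again."""
    return {k.lower(): v for k, v in tree.items()}


if __name__ == "__main__":
    tpl = "priority(%$!PRIORITY%) tag=%$!CONTAINER_TAG%"
    print(render_template(tpl, JOURNAL_MSG))                       # priority() tag=
    print(render_template(tpl, JOURNAL_MSG, casesensitive=True))   # priority(6) tag=test
    print(render_template(tpl, lowercase_keys(JOURNAL_MSG)))       # priority(6) tag=test
```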

@lock

lock bot commented Dec 26, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
