rsyslog/rsyslog
1
0
Fork 0
mirror of https://github.com/rsyslog/rsyslog.git synced 2025-12-19 23:10:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

add a new and some old, so far forgotten, properties

Browse Source
This commit is contained in:
Rainer Gerhards 2007-06-15 12:39:38 +00:00
parent 6ae61a905a
commit 89943ed274
1 changed files with 110 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

208
doc/property_replacer.html
View File

@ -1,98 +1,110 @@
<html>
<head>
<title>The Rsyslogd Property Replacer</title>
</head>
<body>
<h1>The Property Replacer</h1>
<p><b>The property replacer is a core component in rsyslogd's output system.</b>
A syslog message has a number of well-defined properties (see below). Each of
this properties can be accessed <b>and</b> manipulated by the property replacer.
With it, it is easy to use only part of a property value or manipulate the value,
e.g. by converting all characters to lower case.</p>
<h1>Accessing Properties</h1>
<p>Syslog message properties are used inside templates. They are accessed by putting them between percent signs. Properties can be modified by
the property replacer. The full syntax is as follows:</p>
<blockquote><b><code>%propname:fromChar:toChar:options%</code></b></blockquote>
<h2>Available Properties</h2>
<p><b><code>propname</code></b> is the name of the property to access. It is case-sensitive.
Currently supported are:</p>
<table>
<tr><td><b>msg</b></td><td>the MSG part of the message (aka &quot;the message&quot; ;))</td></tr>
<tr><td><b>rawmsg</b></td><td>the message excactly as it was received from the
socket. Should be useful for debugging.</td></tr>
<tr><td><b>UxTradMsg</b></td><td>will disappear soon - do NOT use!</td></tr>
<tr><td><b>HOSTNAME</b></td><td>hostname from the message</td></tr>
<tr><td><b>source</b></td><td>alias for HOSTNAME</td></tr>
<tr><td><b>FROMHOST</b></td><td>hostname of the system the message was received
from (in a relay chain, this is the system immediately in front of us and
not necessarily the original sender)</td></tr>
<tr><td><b>syslogtag</b></td><td>TAG from the message</td></tr>
<tr><td><b>programname</b></td><td>the &quot;static&quot; part of the tag, as defined by
BSD syslogd. For example, when TAG is "named[12345]", programname is "named".</td></tr>
<tr><td><b>PRI</b></td><td>PRI part of the message - undecoded (single value)</td></tr>
<tr><td><b>IUT</b></td><td>the monitorware InfoUnitType - used when talking
to a <a href="http://www.monitorware.com">MonitorWare</a> backend (also for
<a href="http://www.phplogcon.org/">phpLogCon</a>)</td></tr>
<tr><td><b>syslogfacility</b></td><td>the facility from the message - in numerical form</td></tr>
<tr><td><b>syslogpriority</b></td><td>the priority (actully severity!) from the
message - in numerical form</td></tr>
<tr><td><b>timegenerated</b></td><td>timestamp when the message was RECEIVED. Always in
high resolution</td></tr>
<tr><td><b>timereported</b></td><td>timestamp from the message. Resolution depends on
what was provided in the message (in most cases,
only seconds)</td></tr>
<tr><td><b>TIMESTAMP</b></td><td>alias for timereported</td></tr>
</table>
<h2>Character Positions</h2>
<p><b><code>FromChar</code></b> and <b><code>toChar</code></b> are used to build substrings. They specify the offset within
the string that should be copied. Offset counting starts at 1, so if you need to
obtain the first 2 characters of the message text, you can use this syntax:
&quot;%msg:1:2%&quot;. If you do not whish to specify from and to, but you want to specify
options, you still need to include the colons. For example, if you would like to
convert the full message text to lower case, use &quot;%msg:::lowercase%&quot;.
If you would like to extract from a position until the end of the string, you
can place a dollar-sign (&quot;$&quot;) in toChar (e.g. %msg:10:$%, which will extract
from position 10 to the end of the string).<p>
There is also support for <b>regular expressions</b>. To use them, you need to
place a &quot;R&quot; into FromChar. This tells rsyslog that a regular expression instead
of position-based extraction is desired. The actual regular expression must then
be provided in toChar. The regular expression <b>must</b> be followed by the
string &quot;--end&quot;. It denotes the end of the regular expression and will not become
part of it. If you are using regular expressions, the property replacer will
return the part of the property text that matches the regular expression. An
example for a property replacer sequence with a regular expression is: &quot;%msg:R:.*Sev:.
\(.*\) \[.*--end%&quot;<br>
<p>
<b>Also, extraction can be done based on so-called &quot;fields&quot;</b>. To do so, place a &quot;F&quot; into FromChar. A field in its current definition is anything that is delimited by a delimiter character. The delimiter by default is TAB (US-ASCII value 9).
However, if can be changed to any other US-ASCII character by specifying a comma
and teh <b>decimal</b> US-ASCII value of the delimiter immediately after the
&quot;F&quot;. For example, to use comma (&quot;,&quot;) as a delimiter, use this field specifier:
&quot;F,44&quot;.&nbsp; If your syslog data is delimited, this is a quicker way to extract than via regular expressions (actually, a *much* quicker way). Field counting starts at 1. Field zero is accepted, but will always lead to a &quot;field not found&quot; error. The same happens if a field number higher than the number of fields in the property is requested. The field number must be placed in the &quot;ToChar&quot; parameter. An example where the 3rd field
(delimited by TAB) from the msg property is extracted is as follows: &quot;%msg:F:3%&quot;. The same
example with semicolon as delimiter is &quot;%msg:F,59:3%&quot;.<p>
Please note that the special characters &quot;F&quot; and &quot;R&quot; are case-sensitive. Only upper case works, lower case will return an error. There are no white spaces
permitted inside the sequence (that will lead to error messages and will NOT
provide the intended result).<br>
<h2>Property Options</h2>
<b><code>property options</code></b> are case-insensitive. Currently, the following options
are defined:</p>
<table>
<tr><td><b>uppercase</b></td><td>convert property to lowercase only</td></tr>
<tr><td><b>lowercase</b></td><td>convert property text to uppercase only</td></tr>
<tr><td><b>drop-last-lf</b></td><td>The last LF in the message (if any), is dropped.
Especially useful for PIX.</td></tr>
<tr><td><b>date-mysql</b></td><td>format as mysql date</td></tr>
<tr><td><b>date-rfc3164</b></td><td>format as RFC 3164 date</td></tr>
<tr><td><b>date-rfc3339</b></td><td>format as RFC 3339 date</td></tr>
<tr><td><b>escape-cc</b></td><td>replace control characters (ASCII value 127 and
values less then 32) with an escape sequence. The sequnce is &quot;#&lt;charval&gt;&quot;
where charval is the 3-digit decimal value of the control character. For
example, a tabulator would be replaced by &quot;#009&quot;.</td></tr>
<tr><td><b>space-cc</b></td><td>replace control characters by spaces</td></tr>
<tr><td><b>drop-cc</b></td><td>drop control characters - the resulting string
will neither contain control characters, escape sequences nor any other
replacement character like space.</td></tr>
</table>
</body>
</html>
<html>
<head>
<title>The Rsyslogd Property Replacer</title>
</head>
<body>
<h1>The Property Replacer</h1>
<p><b>The property replacer is a core component in rsyslogd's output system.</b>
A syslog message has a number of well-defined properties (see below). Each of
this properties can be accessed <b>and</b> manipulated by the property replacer.
With it, it is easy to use only part of a property value or manipulate the value,
e.g. by converting all characters to lower case.</p>
<h1>Accessing Properties</h1>
<p>Syslog message properties are used inside templates. They are accessed by putting them between percent signs. Properties can be modified by
the property replacer. The full syntax is as follows:</p>
<blockquote><b><code>%propname:fromChar:toChar:options%</code></b></blockquote>
<h2>Available Properties</h2>
<p><b><code>propname</code></b> is the name of the property to access. It is case-sensitive.
Currently supported are:</p>
<table>
<tr><td><b>msg</b></td><td>the MSG part of the message (aka &quot;the message&quot; ;))</td></tr>
<tr><td><b>rawmsg</b></td><td>the message excactly as it was received from the
socket. Should be useful for debugging.</td></tr>
<tr><td><b>UxTradMsg</b></td><td>will disappear soon - do NOT use!</td></tr>
<tr><td><b>HOSTNAME</b></td><td>hostname from the message</td></tr>
<tr><td><b>source</b></td><td>alias for HOSTNAME</td></tr>
<tr><td><b>FROMHOST</b></td><td>hostname of the system the message was received
from (in a relay chain, this is the system immediately in front of us and
not necessarily the original sender)</td></tr>
<tr><td><b>syslogtag</b></td><td>TAG from the message</td></tr>
<tr><td><b>programname</b></td><td>the &quot;static&quot; part of the tag, as defined by
BSD syslogd. For example, when TAG is "named[12345]", programname is "named".</td></tr>
<tr><td><b>PRI</b></td><td>PRI part of the message - undecoded (single value)</td></tr>
<tr><td><b>PRI-text</b></td><td>the PRI part of the message in a textual form
(e.g. &quot;syslog.info&quot;)</td></tr>
<tr><td><b>IUT</b></td><td>the monitorware InfoUnitType - used when talking
to a <a href="http://www.monitorware.com">MonitorWare</a> backend (also for
<a href="http://www.phplogcon.org/">phpLogCon</a>)</td></tr>
<tr><td><b>syslogfacility</b></td><td>the facility from the message - in numerical form</td></tr>
<tr><td><b>syslogpriority</b></td><td>the priority (actully severity!) from the
message - in numerical form</td></tr>
<tr><td><b>timegenerated</b></td><td>timestamp when the message was RECEIVED. Always in
high resolution</td></tr>
<tr><td><b>timereported</b></td><td>timestamp from the message. Resolution depends on
what was provided in the message (in most cases,
only seconds)</td></tr>
<tr><td><b>TIMESTAMP</b></td><td>alias for timereported</td></tr>
<tr><td><b>PROTOCOL-VERSION</b></td><td>The contents of the PROTCOL-VERSION
field from IETF draft draft-ietf-syslog-protcol</td></tr>
<tr><td><b>STRUCTURED-DATA</b></td><td>The contents of the STRUCTURED-DATA field
from IETF draft draft-ietf-syslog-protocol</td></tr>
<tr><td><b>APP-NAME</b></td><td>The contents of the APP-NAME field from IETF
draft draft-ietf-syslog-protocol</td></tr>
<tr><td><b>PROCID</b></td><td>The contents of the PROCID field from IETF draft
draft-ietf-syslog-protocol</td></tr>
<tr><td><b>MSGID</b></td><td>The contents of the MSGID field from IETF draft
draft-ietf-syslog-protocol</td></tr>
</table>
<h2>Character Positions</h2>
<p><b><code>FromChar</code></b> and <b><code>toChar</code></b> are used to build substrings. They specify the offset within
the string that should be copied. Offset counting starts at 1, so if you need to
obtain the first 2 characters of the message text, you can use this syntax:
&quot;%msg:1:2%&quot;. If you do not whish to specify from and to, but you want to specify
options, you still need to include the colons. For example, if you would like to
convert the full message text to lower case, use &quot;%msg:::lowercase%&quot;.
If you would like to extract from a position until the end of the string, you
can place a dollar-sign (&quot;$&quot;) in toChar (e.g. %msg:10:$%, which will extract
from position 10 to the end of the string).<p>
There is also support for <b>regular expressions</b>. To use them, you need to
place a &quot;R&quot; into FromChar. This tells rsyslog that a regular expression instead
of position-based extraction is desired. The actual regular expression must then
be provided in toChar. The regular expression <b>must</b> be followed by the
string &quot;--end&quot;. It denotes the end of the regular expression and will not become
part of it. If you are using regular expressions, the property replacer will
return the part of the property text that matches the regular expression. An
example for a property replacer sequence with a regular expression is: &quot;%msg:R:.*Sev:.
\(.*\) \[.*--end%&quot;<br>
<p>
<b>Also, extraction can be done based on so-called &quot;fields&quot;</b>. To do so, place a &quot;F&quot; into FromChar. A field in its current definition is anything that is delimited by a delimiter character. The delimiter by default is TAB (US-ASCII value 9).
However, if can be changed to any other US-ASCII character by specifying a comma
and teh <b>decimal</b> US-ASCII value of the delimiter immediately after the
&quot;F&quot;. For example, to use comma (&quot;,&quot;) as a delimiter, use this field specifier:
&quot;F,44&quot;.&nbsp; If your syslog data is delimited, this is a quicker way to extract than via regular expressions (actually, a *much* quicker way). Field counting starts at 1. Field zero is accepted, but will always lead to a &quot;field not found&quot; error. The same happens if a field number higher than the number of fields in the property is requested. The field number must be placed in the &quot;ToChar&quot; parameter. An example where the 3rd field
(delimited by TAB) from the msg property is extracted is as follows: &quot;%msg:F:3%&quot;. The same
example with semicolon as delimiter is &quot;%msg:F,59:3%&quot;.<p>
Please note that the special characters &quot;F&quot; and &quot;R&quot; are case-sensitive. Only upper case works, lower case will return an error. There are no white spaces
permitted inside the sequence (that will lead to error messages and will NOT
provide the intended result).<br>
<h2>Property Options</h2>
<b><code>property options</code></b> are case-insensitive. Currently, the following options
are defined:</p>
<table>
<tr><td><b>uppercase</b></td><td>convert property to lowercase only</td></tr>
<tr><td><b>lowercase</b></td><td>convert property text to uppercase only</td></tr>
<tr><td><b>drop-last-lf</b></td><td>The last LF in the message (if any), is dropped.
Especially useful for PIX.</td></tr>
<tr><td><b>date-mysql</b></td><td>format as mysql date</td></tr>
<tr><td><b>date-rfc3164</b></td><td>format as RFC 3164 date</td></tr>
<tr><td><b>date-rfc3339</b></td><td>format as RFC 3339 date</td></tr>
<tr><td><b>escape-cc</b></td><td>replace control characters (ASCII value 127 and
values less then 32) with an escape sequence. The sequnce is &quot;#&lt;charval&gt;&quot;
where charval is the 3-digit decimal value of the control character. For
example, a tabulator would be replaced by &quot;#009&quot;.</td></tr>
<tr><td><b>space-cc</b></td><td>replace control characters by spaces</td></tr>
<tr><td><b>drop-cc</b></td><td>drop control characters - the resulting string
will neither contain control characters, escape sequences nor any other
replacement character like space.</td></tr>
</table>
</body>
</html>