我的 Rsyslog 配置如下所示:
template(name="extract" type="string" string="%msg:R:/(?:"(level)":")((\\"|
[^"])*)"/g–end%")
if $InputFileTag == 'esblog' then {
set $!level = exec_template("extract");
} else {
set $!level = $syslogseverity-text;
}
template(name="json_lines" type="list") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"host\":\"") property(name="hostname")
constant(value="\",\"json.level\":\"") property(name="$!level" format="json")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"tag\":\"") property(name="syslogtag" format="json")
constant(value="\",\"message\":\"") property(name="msg" format="json")
constant(value="\"}")
}
基本上,如果源标签是 esblog,我想使用这个正则表达式,从“extract”中提取日志消息的严重性。否则我想使用默认的严重性。然后在 json.level 标签内使用该变量,这样我在传出消息上只需要一个模板。但还没有运气让它发挥作用。
使用正则表达式的示例消息:https://regex101.com/r/lN4tD4/1
错误日志
0341.407068000:main thread : error: can not find regex end in: '(?:"level":")(\"|[^"]*)"–end%'
0341.407084000:main thread : PROP_INVALID for name ''
0341.407097000:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: invalid property ''
0341.407195000:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: error processing template object
0341.407350000:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 33: exec_template(): template 'extract'
最佳答案
正则表达式只需要更改。
template(name="extract" type="string" string="%msg:R,ERE,2,DFLT:(\"level\":\")(\\\"|[^\"]*)\"--end%")
if $programname contains "esb-log" then {
set $!level = exec_template("extract");
} else {
set $!level = $syslogseverity-text;
}
在线 Rsyslog 正则表达式工具:http://www.rsyslog.com/regex/
关于linux - 动态 Rsyslog 模板,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36896635/