最近我修补了我的系统,安装的 rsyslog 版本从 8.10 更改为 8.17。不知何故,这次更新破坏了我的所有模板。我的自定义属性不再被识别(例如 Mark、Flag、Windowsize 等)。以下是一个例子:
template(name="FWToJSON-TCP" type="list") {
constant(value="{")
constant(value="\"TimeStamp\":\"") property(name="timereported" dateFormat="rfc3339") constant(value="\",")
constant(value="\"Mark\":\"") property(name="$!Mark" format="json") constant(value="\",")
constant(value="\"UrgentFlag\":\"") property(name="!UrgentFlag" format="json") constant(value="\",")
constant(value="\"Flag\":\"") property(name="$!Flag" format="json") constant(value="\",")
constant(value="\"WindowSize\":\"") property(name="$!WindowSize" format="json") constant(value="\",")
constant(value="\"AckNumber\":\"") property(name="$!AckNumber" format="json") constant(value="\",")
constant(value="\"SequenceNumber\":\"") property(name="$!SequenceNumber" format="json") constant(value="\",")
constant(value="\"DestinationPort\":\"") property(name="$!DestinationPort" format="json") constant(value="\",")
constant(value="\"SourcePort\":\"") property(name="$!SourcePort" format="json") constant(value="\",")
constant(value="\"Protocol\":\"") property(name="$!Protocol" format="json") constant(value="\",")
constant(value="\"FragmentFlag\":\"") property(name="$!FragmentFlag" format="json") constant(value="\",")
constant(value="\"ID\":\"") property(name="$!ID" format="json") constant(value="\",")
constant(value="\"TTL\":\"") property(name="$!TTL" format="json") constant(value="\",")
constant(value="\"Precedence\":\"") property(name="$!Precedence" format="json") constant(value="\",")
constant(value="\"TypeOfService\":\"") property(name="$!TypeOfService" format="json") constant(value="\",")
constant(value="\"Length\":\"") property(name="$!Length" format="json") constant(value="\",")
constant(value="\"DestinationIP\":\"") property(name="$!DestinationIP" format="json") constant(value="\",")
constant(value="\"SourceIP\":\"") property(name="!$SourceIP" format="json") constant(value="\",")
constant(value="\"OutputDevice\":\"") property(name="$!OutputDevice" format="json") constant(value="\",")
constant(value="\"InputDevice\":\"") property(name="$!InputDevice" format="json") constant(value="\",")
constant(value="\"Prefix\":\"") property(name="$!Prefix" format="json") constant(value="\",")
constant(value="\"Policy\":\"") property(name="$!Policy" format="json") constant(value="\",")
constant(value="\"Chain\":\"") property(name="$!Chain" format="json") constant(value="\",")
constant(value="\"FW\":\"") property(name="$!FW" format="json") constant(value="\",")
constant(value="\"Message\":\"") property(name="msg" format="json") constant(value="\"")
constant(value="}")
}
日志通过 mmnormalize 模块进行规范化,并且看起来仍然有效。有人知道如何让这些模板再次工作吗?