我们的日志从应用程序发送到在同一主机上运行的 rsyslog。然后,Rsyslog 将消息转发到 Sumo Logic。
我们需要在结构化数据字段中为日志消息添加一些元数据。我们的一些应用程序已经使用结构化数据,因此我们不能简单地替换模板中的结构化数据属性。
此外,%STRUCTURED-DATA% 属性包括开括号和闭括号,所以我们不能只[%STRUCTURED-DATA% newmetadata]在模板中放置类似的内容。
根据财产替代文档,我们的选择是使用FromChar和ToChar或正则表达式。我检查了源代码并确认ToChar不能从末尾向后计数。
我用的是rsyslog 正则表达式工具创建以下模板:
template(name="metadata_syslog" type="string" string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% [%STRUCTURED-DATA:R,ERE,1,FIELD:\[([^]]*)\]--end% extrafield=value] %msg%\n")
从以下示例事件
<142>1 2016-03-31T17:30:20.007Z some.host.name service/prod/app/foo_v2 - Audit [mdc@xxxxx category="io.service.segment.IndexIO$DefaultIndexIOHandler" thread="foo_v2-incremental-persist"] Processing file[dim_device.drd]
正则表达式工具正确解析了没有括号的结构化数据。
当我在 rsyslog 中使用此模板时,我收到有关 %PRI% 部分(调试输出)的语法错误:
Reading a token: 9936.286569660:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '"' in object definition - is there an invalid escape sequence somewhere? rsyslogd: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '"' in object definition - is there an invalid escape sequence somewhere? [v8.17.0 try http://www.rsyslog.com/e/2207 ] 9936.286590559:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '<' in object definition - is there an invalid escape sequence somewhere? rsyslogd: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '<' in object definition - is there an invalid escape sequence somewhere? [v8.17.0 try http://www.rsyslog.com/e/2207 ] 9936.286606008:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '%' in object definition - is there an invalid escape sequence somewhere? rsyslogd: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '%' in object definition - is there an invalid escape sequence somewhere? [v8.17.0 try http://www.rsyslog.com/e/2207 ] Next token is token NAME () 9936.286632522:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: syntax error on token 'PRI' rsyslogd: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: syntax error on token 'PRI' [v8.17.0 try http://www.rsyslog.com/e/2207 ] Error: popping token '=' () Stack now 0 1 5 28 52 Error: popping token NAME () Stack now 0 1 5 28 Error: popping nterm nvlst () Stack now 0 1 5 Error: popping token BEGIN_TPL () Stack now 0 1 Error: popping nterm conf () Stack now 0 Cleanup: discarding lookahead token NAME () Stack now 0 9936.286780810:main thread : Called LogMsg, msg: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [v8.17.0 try http://www.rsyslog.com/e/2207 ]
答案1
使用 Rainerscript 语法进行配置时,正则表达式需要根据此进行更多转义rainerscript 常量字符串转义工具。
以下模板有效:
template(name="metadata_syslog" type="string" string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% [%STRUCTURED-DATA:R,ERE,1,FIELD:\\[([^]]*)\\]--end% extrafield=value] %msg%\n")