How do I add a value to structured data using rsyslog?

Our logs are sent from our applications to rsyslog running on the same host. Rsyslog then forwards the messages to Sumo Logic.

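We need to add some metadata to our log messages in the structured data field. Some of our applications already use structured data, so we can't simply replace the structured data property in the template.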

Also, the %STRUCTURED-DATA% property includes the opening and closing brackets, so we can't just put something like [%STRUCTURED-DATA% newmetadata] in the template.

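According to the property replacer documentation, our options are FromChar, ToChar, or a regular expression. I checked the source and confirmed that ToChar cannot count backwards.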

I used the rsyslog regular expression tool to create the following template:

template(name="metadata_syslog" type="string" string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% [%STRUCTURED-DATA:R,ERE,1,FIELD:\[([^]]*)\]--end% extrafield=value] %msg%\n")

From the following sample event

<142>1 2016-03-31T17:30:20.007Z some.host.name service/prod/app/foo_v2 - Audit [mdc@xxxxx category="io.service.segment.IndexIO$DefaultIndexIOHandler" thread="foo_v2-incremental-persist"] Processing file[dim_device.drd]

the regular expression tool correctly parses out the structured data without the brackets.

When I use this template in rsyslog, I get syntax errors about the %PRI% part (debugging output):

Reading a token: 9936.286569660:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '"' in object definition - is there an invalid escape sequence somewhere?
rsyslogd: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '"' in object definition - is there an invalid escape sequence somewhere? [v8.17.0 try http://www.rsyslog.com/e/2207 ]
9936.286590559:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '<' in object definition - is there an invalid escape sequence somewhere?
rsyslogd: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '<' in object definition - is there an invalid escape sequence somewhere? [v8.17.0 try http://www.rsyslog.com/e/2207 ]
9936.286606008:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '%' in object definition - is there an invalid escape sequence somewhere?
rsyslogd: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: invalid character '%' in object definition - is there an invalid escape sequence somewhere? [v8.17.0 try http://www.rsyslog.com/e/2207 ]
Next token is token NAME ()
9936.286632522:main thread : Called LogMsg, msg: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: syntax error on token 'PRI'
rsyslogd: error during parsing file /etc/rsyslog.d/21-logging.conf, on or before line 4: syntax error on token 'PRI' [v8.17.0 try http://www.rsyslog.com/e/2207 ]
Error: popping token '=' ()
Stack now 0 1 5 28 52
Error: popping token NAME ()
Stack now 0 1 5 28
Error: popping nterm nvlst ()
Stack now 0 1 5
Error: popping token BEGIN_TPL ()
Stack now 0 1
Error: popping nterm conf ()
Stack now 0
Cleanup: discarding lookahead token NAME ()
Stack now 0
9936.286780810:main thread : Called LogMsg, msg: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'.
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [v8.17.0 try http://www.rsyslog.com/e/2207 ]

When configuring with RainerScript syntax, the regular expression needs more escaping, according to this RainerScript constant string escape tool.

The following template works:

template(name="metadata_syslog" type="string" string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% [%STRUCTURED-DATA:R,ERE,1,FIELD:\\[([^]]*)\\]--end% extrafield=value] %msg%\n")
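An added example (not part of the original question or answer) that emulates in Python what the working template does to %STRUCTURED-DATA%, so the output can be checked for inputs other than the sample event before logs are forwarded. It assumes the property replacer semantics for `R,ERE,1,FIELD` (first match, submatch 1, whole field returned when nothing matches); the function names and all sample values except the first are constructed for illustration.

```python
import re

# The ERE from the page's template. POSIX "[^]]" means "any char except ]";
# in Python the bracket is escaped inside the character class.
SD_ERE = re.compile(r"\[([^\]]*)\]")


def append_sd_param(structured_data: str, extra: str) -> str:
    """Emulate the template fragment that wraps the regex result in [ ... extra].

    Submatch 1 of the first match is used. Nomatch mode FIELD means the
    original field is returned unchanged when the regex does not match.
    """
    m = SD_ERE.search(structured_data)
    inner = m.group(1) if m else structured_data
    return f"[{inner} {extra}]"


def rainerscript_escape(regex: str) -> str:
    """Double the backslashes, as the working template on the page does."""
    return regex.replace("\\", "\\\\")


# STRUCTURED-DATA values: "single" is from the page's sample event,
# the others are constructed edge cases.
SAMPLES = {
    "single": '[mdc@xxxxx category="io.service.segment.IndexIO$DefaultIndexIOHandler" '
              'thread="foo_v2-incremental-persist"]',
    "nil": "-",                                    # RFC 5424 NILVALUE: no structured data
    "two_elements": '[a@1 k="v"][b@1 k2="v2"]',    # only the first element survives
    "escaped_bracket": '[a@1 k="x\\]y" k2="v2"]',  # \] is legal inside a PARAM-VALUE
}


def run_samples() -> dict:
    return {name: append_sd_param(sd, "extrafield=value") for name, sd in SAMPLES.items()}


if __name__ == "__main__":
    print(rainerscript_escape(r"\[([^]]*)\]"))
    for name, out in run_samples().items():
        print(f"{name:16} {out}")
```

The last three cases show where the rewritten field silently loses or mangles data: a message without structured data becomes `[- extrafield=value]`, a second SD element is dropped, and a value containing an escaped `]` is truncated.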