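I recently patched my system, and the installed rsyslog version changed from 8.10 to 8.17. Somehow this update broke all of my templates: my custom properties are no longer recognized (e.g. Mark, Flag, Windowsize, etc.). Here is an example: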

    template(name="FWToJSON-TCP" type="list") {
        constant(value="{")
        constant(value="\"TimeStamp\":\"") property(name="timereported" dateFormat="rfc3339") constant(value="\",")
        constant(value="\"Mark\":\"") property(name="$!Mark" format="json") constant(value="\",")
        constant(value="\"UrgentFlag\":\"") property(name="!UrgentFlag" format="json") constant(value="\",")
        constant(value="\"Flag\":\"") property(name="$!Flag" format="json") constant(value="\",")
        constant(value="\"WindowSize\":\"") property(name="$!WindowSize" format="json") constant(value="\",")
        constant(value="\"AckNumber\":\"") property(name="$!AckNumber" format="json") constant(value="\",")
        constant(value="\"SequenceNumber\":\"") property(name="$!SequenceNumber" format="json") constant(value="\",")
        constant(value="\"DestinationPort\":\"") property(name="$!DestinationPort" format="json") constant(value="\",")
        constant(value="\"SourcePort\":\"") property(name="$!SourcePort" format="json") constant(value="\",")
        constant(value="\"Protocol\":\"") property(name="$!Protocol" format="json") constant(value="\",")
        constant(value="\"FragmentFlag\":\"") property(name="$!FragmentFlag" format="json") constant(value="\",")
        constant(value="\"ID\":\"") property(name="$!ID" format="json") constant(value="\",")
        constant(value="\"TTL\":\"") property(name="$!TTL" format="json") constant(value="\",")
        constant(value="\"Precedence\":\"") property(name="$!Precedence" format="json") constant(value="\",")
        constant(value="\"TypeOfService\":\"") property(name="$!TypeOfService" format="json") constant(value="\",")
        constant(value="\"Length\":\"") property(name="$!Length" format="json") constant(value="\",")
        constant(value="\"DestinationIP\":\"") property(name="$!DestinationIP" format="json") constant(value="\",")
        constant(value="\"SourceIP\":\"") property(name="!$SourceIP" format="json") constant(value="\",")
        constant(value="\"OutputDevice\":\"") property(name="$!OutputDevice" format="json") constant(value="\",")
        constant(value="\"InputDevice\":\"") property(name="$!InputDevice" format="json") constant(value="\",")
        constant(value="\"Prefix\":\"") property(name="$!Prefix" format="json") constant(value="\",")
        constant(value="\"Policy\":\"") property(name="$!Policy" format="json") constant(value="\",")
        constant(value="\"Chain\":\"") property(name="$!Chain" format="json") constant(value="\",")
        constant(value="\"FW\":\"") property(name="$!FW" format="json") constant(value="\",")
        constant(value="\"Message\":\"") property(name="msg" format="json") constant(value="\"")
        constant(value="}")
    }

The logs are normalized by the mmnormalize module, and that still works fine. Does anyone know how to get these templates working again?