YB
Uploaded byYury Bushmelev
PDF, PPTX598 views

rsyslog v8: more than just syslog!

rsyslog v8 provides more capabilities than just basic syslog functionality. It can parse, modify, and convert log messages to JSON before sending them to ElasticSearch for storage and analysis. It supports reliable delivery with RELP, metrics collection, lookup tables, and runtime control through a control socket. Rsyslog provides powerful configuration options through RainerScript for flexible parsing, modification, and routing of log messages.

Embed presentation

Download as PDF, PPTX
rsyslog v8:
 more than just syslog! Yury Bushmelev Lazada
what people usually think rsyslog is /dev/log udp:514 some magic /var/log/some.log remote udp:514
what rsyslog says it is
"some magic" queue input pre- processor action queue parser
 & filter action processor output input input action queue action queue action processor action processor output output ruleset
rulesets input(...) input(...) if ($syslogtag == "prog1") then { action(...) } else { action(...) } input(... ruleset="rules1") input(... ruleset="rules2") ruleset(name="rules1") { action(...) } ruleset(name="rules2") { action(...) }
configuration formats • basic AKA sysklogd (*.* /var/log/file.log) – still OK in simple cases • obsolete legacy ($UglyScaryThings everywhere) – Do not use it at all! "It will make your life miserable" © Rainer Gerhards • advanced AKA RainerScript – new (2010) readable configuration language
queues • most confusing part of rsyslog configuration
queues • most confusing part of rsyslog configuration • 2 places • ruleset queue • action queue
queues • most confusing part of rsyslog configuration • 2 places • ruleset queue • action queue • 4 modes • direct (AKA no queue, sync) • in-memory • on-disk • disk-assisted (DA, in-memory + on-disk)
queues and performance • try to increase ruleset queue workers number first • action queue is mostly about string building • for fast action (omfile) thread syncing overhead may be significant • for single-action ruleset everything is complicated... • read more details in Rainer's blog: http:// blog.gerhards.net/2013/06/rsyslog-performance-main- and-action.html
– ELK? • read log messages from file/network • parse • modify • convert to JSON • send to ElasticSearch
– ERK! • read log messages from file/network (inputs) • parse (builtin parser/RainerScript/mm* modules) • modify (RainerScript/mm* modules/templates) • convert to JSON (templates) • send to ElasticSearch (omelasticsearch)
parse (mmnormalize) • "mmnormalize" is unique feature of rsyslog based on liblognorm library which... • ... is amazingly fast • ... because it's using parse tree (not regexp/grok) • ... may try multiple rules for same message (first win) • ... have some documentation:
 http://www.liblognorm.com/files/manual/index.html
liblognorm rules version=2 rule=v0:MyAuthAPI: Invalid user %user:word% from %src-ip:ipv4% rule=v1:MyAuthAPI[%pid:number%]: Invalid user %user:word% from %src-ip:ipv4%
modify/send as JSON v1 template(name="tmpl_to_json_v1" type="string" string="%$!all-json%") template(name="timereported_rfc3339" type="string" string="%timereported:::date-rfc3339%") ruleset(name="test") { action(type="mmjsonparse") set $!_log_time = exec_template("timereported_rfc3339"); set $!_log_tag = $!tag; unset $!tag; ... action(type="omelasticsearch" server="es.example.com" template="tmpl_to_json_v1" ...) }
modify/send as JSON v2 template(name="tmpl_to_json_v2" type="list" option.json="on") { constant(value="{") property(outname="_log_time" name="timereported" dateFormat="rfc3339" format="jsonf") constant(value=",") property(outname="_log_tag" name="tag" format="jsonf") constant(value=",") property(outname="message" name="msg" dropLastLF="on" format="jsonf") constant(value="}") } ruleset(name="test") { action(type="omelasticsearch" server="es.example.com" template="tmpl_to_json_v2" ...) }
reliable delivery • message will be lost when using UDP delivery • message may be lost when using TCP delivery
reliable delivery • message will be lost when using UDP delivery • message may be lost when using TCP delivery • ... so there is RELP (imrelp/omrelp) • ... it may do TLS with compression easy as well
reliable delivery • message will be lost when using UDP delivery • message may be lost when using TCP delivery • ... so there is RELP (imrelp/omrelp) • ... it may do TLS with compression easy as well • ... but it's single-threaded :(
metrics (impstats) { "name": "global", "origin": "dynstats", "values": { } } { "name": "imuxsock", "origin": "imuxsock", "submitted": 3612711, "ratelimit.discarded": 0, "ratelimit.numratelimiters": 0 } { "name": "action 0", "origin": "core.action", "processed": 33429, "failed": 0, "suspended": 0, "suspended.duration": 0, "resumed": 0 } { "name": "resource-usage", "origin": "impstats", "utime": 290424444, "stime": 314385112, "maxrss": 3176, "minflt": 509, "majflt": 105, "inblock": 5920, "oublock": 11030360, "nvcsw": 7281385, "nivcsw": 7506 } { "name": "main Q", "origin": "core.queue", "size": 0, "enqueued": 3612765, "full": 0, "discarded.full": 0, "discarded.nf": 0, "maxqsize": 30 } • read more here: https://www.rsyslog.com/doc/v8-stable/configuration/ rsyslog_statistic_counter.html
metrics (dyn_stats) dyn_stats(name="msg_per_host" resettable="on" maxCardinality="3000" unusedMetricLife="600") set $.inc = dyn_inc("msg_per_host", $hostname); # impstats output # { "name": "msg_per_host", "origin": "dynstats.bucket", "values": { "lab3.sgdc": 1002540, "lab4.sgdc": 1318551, "lab7.sgdc": 1788136} }
lookup tables { "version" : 1, "nomatch" : "unknown", "type" : "string", "table" : [ {"index" : "10.0.1.1", "value" : "A" }, {"index" : "10.0.1.2", "value" : "A" }, {"index" : "10.0.1.3", "value" : "A" }, {"index" : "10.0.2.1", "value" : "B" }, {"index" : "10.0.2.2", "value" : "B" }, {"index" : "10.0.2.3", "value" : "B" }]}
lookup tables lookup_table(name="host_bu" file="/var/lib/host_billing_unit_mapping.json" reloadOnHUP="on" ) set $.bu = lookup("host_bu", $hostname); if ($.bu != "unknown") then { ... } # Go to "bu_A"/"bu_B"/"bu_unknown" ruleset: # call_indirect "bu_" & $.bu;
lookup tables if ($.do_reload == "y") then { reload_lookup_table("host_bu", "unknown") }
runtime control input(type="imuxsock" socket="/run/rsyslog-control.sock" ruleset="control") ruleset(name="control") { if ($msg == "reload bu") then { reload_lookup_table("host_bu", "unknown") } else if ($msg == "run cmd") then { action(type="omprog" binary="/path/to/script.sh") } else { action(type="omfile" file="/var/log/rsyslog-control.log") } }
any questions? • Yury Bushmelev • https://twitter.com/Jay7t • https://github.com/jay7x

More Related Content

PPT
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
byasync_io
 
PDF
Mongodb debugging-performance-problems
byMongoDB
 
PDF
Zabbix LLD from a C Module by Jan-Piet Mens
byNETWAYS
 
PDF
Jakarta Commons - Don't re-invent the wheel
bytcurdt
 
PPTX
Building Your First Data Science Applicatino in MongoDB
byMongoDB
 
PDF
No dark magic - Byte code engineering in the real world
bytcurdt
 
ODP
Intravert Server side processing for Cassandra
byEdward Capriolo
 
PPTX
Nantes Jug - Java 7
bySébastien Prunier
 
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
byasync_io
 
Mongodb debugging-performance-problems
byMongoDB
 
Zabbix LLD from a C Module by Jan-Piet Mens
byNETWAYS
 
Jakarta Commons - Don't re-invent the wheel
bytcurdt
 
Building Your First Data Science Applicatino in MongoDB
byMongoDB
 
No dark magic - Byte code engineering in the real world
bytcurdt
 
Intravert Server side processing for Cassandra
byEdward Capriolo
 
Nantes Jug - Java 7
bySébastien Prunier
 

What's hot

PPTX
The Art of JVM Profiling
byAndrei Pangin
 
PDF
Oredev 2015 - Taming Java Agents
byAnton Arhipov
 
PDF
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門
bytamtam180
 
KEY
Node.js - Best practices
byFelix Geisendörfer
 
PDF
The Rule of 10,000 Spark Jobs: Learning From Exceptions and Serializing Your ...
byDatabricks
 
PPTX
The Rule of 10,000 Spark Jobs - Learning from Exceptions and Serializing Your...
byMatthew Tovbin
 
PPTX
Do we need Unsafe in Java?
byAndrei Pangin
 
PDF
Riga Dev Day 2016 - Having fun with Javassist
byAnton Arhipov
 
PDF
Solr Anti-Patterns: Presented by Rafał Kuć, Sematext
byLucidworks
 
PDF
DEF CON 23 - amit ashbel and maty siman - game of hacks
byFelipe Prado
 
PPTX
Mug17 gurgaon
byAnkur Raina
 
PDF
Nodejs - A quick tour (v6)
byFelix Geisendörfer
 
PPTX
What’s new in C# 6
byFiyaz Hasan
 
PDF
スローダウン、ハングを一発解決 スレッドダンプはトラブルシューティングの味方 #wlstudy
byYusuke Yamamoto
 
PDF
Real World Mocking In Swift
byVeronica Lillie
 
PDF
Understanding Source Code Differences by Separating Refactoring Effects
byInstitute of Science Tokyo
 
PDF
Hacking Mac OSX Cocoa API from Perl
bytypester
 
PDF
ニコニコ動画を検索可能にしてみよう
bygenta kaneyama
 
PDF
Jenkins 2を使った究極のpipeline ~ 明日もう一度来てください、本物のpipelineをお見せしますよ ~
byikikko
 
PDF
MongoDB World 2016: Deciphering .explain() Output
byMongoDB
 
The Art of JVM Profiling
byAndrei Pangin
 
Oredev 2015 - Taming Java Agents
byAnton Arhipov
 
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門
bytamtam180
 
Node.js - Best practices
byFelix Geisendörfer
 
The Rule of 10,000 Spark Jobs: Learning From Exceptions and Serializing Your ...
byDatabricks
 
The Rule of 10,000 Spark Jobs - Learning from Exceptions and Serializing Your...
byMatthew Tovbin
 
Do we need Unsafe in Java?
byAndrei Pangin
 
Riga Dev Day 2016 - Having fun with Javassist
byAnton Arhipov
 
Solr Anti-Patterns: Presented by Rafał Kuć, Sematext
byLucidworks
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
byFelipe Prado
 
Mug17 gurgaon
byAnkur Raina
 
Nodejs - A quick tour (v6)
byFelix Geisendörfer
 
What’s new in C# 6
byFiyaz Hasan
 
スローダウン、ハングを一発解決 スレッドダンプはトラブルシューティングの味方 #wlstudy
byYusuke Yamamoto
 
Real World Mocking In Swift
byVeronica Lillie
 
Understanding Source Code Differences by Separating Refactoring Effects
byInstitute of Science Tokyo
 
Hacking Mac OSX Cocoa API from Perl
bytypester
 
ニコニコ動画を検索可能にしてみよう
bygenta kaneyama
 
Jenkins 2を使った究極のpipeline ~ 明日もう一度来てください、本物のpipelineをお見せしますよ ~
byikikko
 
MongoDB World 2016: Deciphering .explain() Output
byMongoDB
 

Similar to rsyslog v8: more than just syslog!

PDF
Large Scale Log Analytics with Solr: Presented by Rafał Kuć & Radu Gheorghe, ...
byLucidworks
 
PPT
ELK stack at weibo.com
by琛琳 饶
 
PDF
Large Scale Log Analytics with Solr (from Lucene Revolution 2015)
bySematext Group, Inc.
 
PPTX
Tuning Elasticsearch Indexing Pipeline for Logs
bySematext Group, Inc.
 
ODP
Fedora Developer's Conference 2014 Talk
byRainer Gerhards
 
PPT
Logstash
by琛琳 饶
 
PDF
OpenStack Log Mining
byJohn Stanford
 
KEY
Message:Passing - lpw 2012
byTomas Doran
 
ODP
RSYSLOG v8 improvements and how to write plugins in any language.
byRainer Gerhards
 
PDF
Brisbane DevOps Meetup - Logstash
bypczarkowski
 
KEY
London devops logging
byTomas Doran
 
ODP
Rsyslog log normalization
byRainer Gerhards
 
ODP
rsyslog meets docker
byRainer Gerhards
 
PDF
Application Logging in the 21st century - 2014.key
byTim Bunce
 
ODP
Turbo charge your logs
byJeremy Cook
 
PDF
From logs to metrics
byLeonardo Di Donato
 
PPTX
Syslog.pptx
byShanmugapriyaSenthil3
 
KEY
Messaging, interoperability and log aggregation - a new framework
byTomas Doran
 
PDF
Finding OOMS in Legacy Systems with the Syslog Telegraf Plugin
byInfluxData
 
PDF
OSMC 2025: Easy logging refinement with FlowG by David Delassus.pdf
byNETWAYS
 
Large Scale Log Analytics with Solr: Presented by Rafał Kuć & Radu Gheorghe, ...
byLucidworks
 
ELK stack at weibo.com
by琛琳 饶
 
Large Scale Log Analytics with Solr (from Lucene Revolution 2015)
bySematext Group, Inc.
 
Tuning Elasticsearch Indexing Pipeline for Logs
bySematext Group, Inc.
 
Fedora Developer's Conference 2014 Talk
byRainer Gerhards
 
Logstash
by琛琳 饶
 
OpenStack Log Mining
byJohn Stanford
 
Message:Passing - lpw 2012
byTomas Doran
 
RSYSLOG v8 improvements and how to write plugins in any language.
byRainer Gerhards
 
Brisbane DevOps Meetup - Logstash
bypczarkowski
 
London devops logging
byTomas Doran
 
Rsyslog log normalization
byRainer Gerhards
 
rsyslog meets docker
byRainer Gerhards
 
Application Logging in the 21st century - 2014.key
byTim Bunce
 
Turbo charge your logs
byJeremy Cook
 
From logs to metrics
byLeonardo Di Donato
 
Syslog.pptx
byShanmugapriyaSenthil3
 
Messaging, interoperability and log aggregation - a new framework
byTomas Doran
 
Finding OOMS in Legacy Systems with the Syslog Telegraf Plugin
byInfluxData
 
OSMC 2025: Easy logging refinement with FlowG by David Delassus.pdf
byNETWAYS
 

Recently uploaded

PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 

rsyslog v8: more than just syslog!

  • 1.
    rsyslog v8:
 more thanjust syslog! Yury Bushmelev Lazada
  • 2.
    what people usuallythink rsyslog is /dev/log udp:514 some magic /var/log/some.log remote udp:514
  • 3.
  • 4.
  • 5.
    rulesets input(...) input(...) if ($syslogtag == "prog1")then { action(...) } else { action(...) } input(... ruleset="rules1") input(... ruleset="rules2") ruleset(name="rules1") { action(...) } ruleset(name="rules2") { action(...) }
  • 6.
    configuration formats • basicAKA sysklogd (*.* /var/log/file.log) – still OK in simple cases • obsolete legacy ($UglyScaryThings everywhere) – Do not use it at all! "It will make your life miserable" © Rainer Gerhards • advanced AKA RainerScript – new (2010) readable configuration language
  • 7.
    queues • most confusingpart of rsyslog configuration
  • 8.
    queues • most confusingpart of rsyslog configuration • 2 places • ruleset queue • action queue
  • 9.
    queues • most confusingpart of rsyslog configuration • 2 places • ruleset queue • action queue • 4 modes • direct (AKA no queue, sync) • in-memory • on-disk • disk-assisted (DA, in-memory + on-disk)
  • 10.
    queues and performance •try to increase ruleset queue workers number first • action queue is mostly about string building • for fast action (omfile) thread syncing overhead may be significant • for single-action ruleset everything is complicated... • read more details in Rainer's blog: http:// blog.gerhards.net/2013/06/rsyslog-performance-main- and-action.html
  • 11.
    – ELK? • readlog messages from file/network • parse • modify • convert to JSON • send to ElasticSearch
  • 12.
    – ERK! • readlog messages from file/network (inputs) • parse (builtin parser/RainerScript/mm* modules) • modify (RainerScript/mm* modules/templates) • convert to JSON (templates) • send to ElasticSearch (omelasticsearch)
  • 13.
    parse (mmnormalize) • "mmnormalize"is unique feature of rsyslog based on liblognorm library which... • ... is amazingly fast • ... because it's using parse tree (not regexp/grok) • ... may try multiple rules for same message (first win) • ... have some documentation:
 http://www.liblognorm.com/files/manual/index.html
  • 14.
    liblognorm rules version=2 rule=v0:MyAuthAPI: Invaliduser %user:word% from %src-ip:ipv4% rule=v1:MyAuthAPI[%pid:number%]: Invalid user %user:word% from %src-ip:ipv4%
  • 15.
    modify/send as JSONv1 template(name="tmpl_to_json_v1" type="string" string="%$!all-json%") template(name="timereported_rfc3339" type="string" string="%timereported:::date-rfc3339%") ruleset(name="test") { action(type="mmjsonparse") set $!_log_time = exec_template("timereported_rfc3339"); set $!_log_tag = $!tag; unset $!tag; ... action(type="omelasticsearch" server="es.example.com" template="tmpl_to_json_v1" ...) }
  • 16.
    modify/send as JSONv2 template(name="tmpl_to_json_v2" type="list" option.json="on") { constant(value="{") property(outname="_log_time" name="timereported" dateFormat="rfc3339" format="jsonf") constant(value=",") property(outname="_log_tag" name="tag" format="jsonf") constant(value=",") property(outname="message" name="msg" dropLastLF="on" format="jsonf") constant(value="}") } ruleset(name="test") { action(type="omelasticsearch" server="es.example.com" template="tmpl_to_json_v2" ...) }
  • 17.
    reliable delivery • messagewill be lost when using UDP delivery • message may be lost when using TCP delivery
  • 18.
    reliable delivery • messagewill be lost when using UDP delivery • message may be lost when using TCP delivery • ... so there is RELP (imrelp/omrelp) • ... it may do TLS with compression easy as well
  • 19.
    reliable delivery • messagewill be lost when using UDP delivery • message may be lost when using TCP delivery • ... so there is RELP (imrelp/omrelp) • ... it may do TLS with compression easy as well • ... but it's single-threaded :(
  • 20.
    metrics (impstats) { "name":"global", "origin": "dynstats", "values": { } } { "name": "imuxsock", "origin": "imuxsock", "submitted": 3612711, "ratelimit.discarded": 0, "ratelimit.numratelimiters": 0 } { "name": "action 0", "origin": "core.action", "processed": 33429, "failed": 0, "suspended": 0, "suspended.duration": 0, "resumed": 0 } { "name": "resource-usage", "origin": "impstats", "utime": 290424444, "stime": 314385112, "maxrss": 3176, "minflt": 509, "majflt": 105, "inblock": 5920, "oublock": 11030360, "nvcsw": 7281385, "nivcsw": 7506 } { "name": "main Q", "origin": "core.queue", "size": 0, "enqueued": 3612765, "full": 0, "discarded.full": 0, "discarded.nf": 0, "maxqsize": 30 } • read more here: https://www.rsyslog.com/doc/v8-stable/configuration/ rsyslog_statistic_counter.html
  • 21.
    metrics (dyn_stats) dyn_stats(name="msg_per_host" resettable="on" maxCardinality="3000"unusedMetricLife="600") set $.inc = dyn_inc("msg_per_host", $hostname); # impstats output # { "name": "msg_per_host", "origin": "dynstats.bucket", "values": { "lab3.sgdc": 1002540, "lab4.sgdc": 1318551, "lab7.sgdc": 1788136} }
  • 22.
    lookup tables { "version": 1, "nomatch" : "unknown", "type" : "string", "table" : [ {"index" : "10.0.1.1", "value" : "A" }, {"index" : "10.0.1.2", "value" : "A" }, {"index" : "10.0.1.3", "value" : "A" }, {"index" : "10.0.2.1", "value" : "B" }, {"index" : "10.0.2.2", "value" : "B" }, {"index" : "10.0.2.3", "value" : "B" }]}
  • 23.
    lookup tables lookup_table(name="host_bu" file="/var/lib/host_billing_unit_mapping.json" reloadOnHUP="on" ) set $.bu= lookup("host_bu", $hostname); if ($.bu != "unknown") then { ... } # Go to "bu_A"/"bu_B"/"bu_unknown" ruleset: # call_indirect "bu_" & $.bu;
  • 24.
    lookup tables if ($.do_reload== "y") then { reload_lookup_table("host_bu", "unknown") }
  • 25.
    runtime control input(type="imuxsock" socket="/run/rsyslog-control.sock" ruleset="control") ruleset(name="control"){ if ($msg == "reload bu") then { reload_lookup_table("host_bu", "unknown") } else if ($msg == "run cmd") then { action(type="omprog" binary="/path/to/script.sh") } else { action(type="omfile" file="/var/log/rsyslog-control.log") } }
  • 26.
    any questions? • YuryBushmelev • https://twitter.com/Jay7t • https://github.com/jay7x