Commit a8daf71a authored by Thomas Bellman's avatar Thomas Bellman

Use RainerScript for formatting log messages.

Switching to template(type="list") declarations for the message format
templates makes them significantly easier to read and maintain, but
they did become *much* more verbose.  Still a win.

At the same time, we remove one unused template (LogFmtIsoTime) and
rename the two remaining (LogFmtSpaceTime to NSCLogFormat, and
LogFmtJoinedLog to NSCLogFormatSourcePri).
parent be988b1e
...@@ -73,37 +73,108 @@ template(name="AuditLogfile" type="list") { ...@@ -73,37 +73,108 @@ template(name="AuditLogfile" type="list") {
######################################################################## ########################################################################
# Templates for message formats # Templates for message formats
#-----------------------------------------------------------------------
# The LogFmtIsoTime template formats logs with ISO timestamps with a # The NSCLogFormat template formats logs with ISO timestamps with a
# "T" between the date and time, and always with a microsecond field. # space between the date and time, and between the time and timezone.
# If the logging host does not provide subsecond resolution, that will # There will always be a microsecond field.
# be "0", not "000000" though.
# Example timestamp: "2010-05-21T12:57:20.0+02:00".
#
# This is almost the default local log format in rsyslog. The difference
# is we always add the subsecond field in the timestamp, and we add a
# couple of spaces around the host name.
$template LogFmtIsoTime,"%timereported:1:19:date-rfc3339%.%timereported:::date-subseconds%%timereported:R,ERE,1,BLANK,0:.*T.*([-+]..:..)--end:date-rfc3339% %HOSTNAME:R,ERE,0,ZERO,0:..*--end:secpath-replace% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
# The LogFmtSpaceTime template formats is very similar to LogFmtIsoTime,
# only with spaces between the date, time and timezone for increased
# readability. This also gives the same number of fields for the
# timestamp as the traditional syslog format.
# Example timestamp: "2010-05-21 12:57:20.001795 +02:00" # Example timestamp: "2010-05-21 12:57:20.001795 +02:00"
#
# This makes timestamps much more readable than the "traditional" ISO
# timestamps with a "T" between date and time, and it also gives the
# same number of fields for the timestamps as the traditional syslog
# format, making it easier for tools to be reused.
#
# In comparison with the normal syslog formats, we also put double
# spaces around the hostname, also for extra readability.
template(name="NSCLogFormat" type="list") {
# Date (YYYY-mm-dd)
property(name="timereported" dateformat="rfc3339"
position.from="1" position.to="10")
constant(value=" ")
# Time (HH:MM:DD)
property(name="timereported" dateformat="rfc3339"
position.from="12" position.to="19")
constant(value=".")
property(name="timereported" dateformat="subseconds")
constant(value=" ")
# Timezone offset ((+|-)HH:MM)
property(name="timereported" dateformat="tzoffsdirection")
property(name="timereported" dateformat="tzoffshour")
constant(value=":")
property(name="timereported" dateformat="tzoffsmin")
constant(value=" ")
# If hostname in message is empty, replace it with a zero ("0")
property(name="hostname"
regex.expression="..*" # Match non-empty field
regex.submatch="0" # Replace with entire match
regex.nomatchmode="ZERO" # ... or with "0" if no match
)
$template LogFmtSpaceTime,"%timereported:1:10:date-rfc3339% %timereported:12:19:date-rfc3339%.%timereported:::date-subseconds% %timereported:R,ERE,1,ZERO,0:.*T.*([-+]..:..)--end:date-rfc3339% %HOSTNAME:R,ERE,0,ZERO,0:..*--end:secpath-replace% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" constant(value=" ")
property(name="syslogtag")
property(name="msg" spifno1stsp="on")
property(name="msg" droplastlf="on")
constant(value="\n")
}
# This format is identical to LogFmtSpaceTime, except that the hostname #-----------------------------------------------------------------------
# This format is identical to NSCLogFormat, except that the hostname
# field contains both the host that sent the package to us and the # field contains both the host that sent the package to us and the
# originating host, separated by a slash. We do this since the name # originating host, separated by a slash. We do this since the name
# in the message is usually the short hostname, and that might not be # in the message is usually the short hostname, and that might not be
# unique. # unique.
# We also add the syslog facility and severity within "<" and ">"
$template LogFmtJoinedLog,"%timereported:1:10:date-rfc3339% %timereported:12:19:date-rfc3339%.%timereported:::date-subseconds% %timereported:R,ERE,1,ZERO,0:.*T.*([-+]..:..)--end:date-rfc3339% %FROMHOST:R,ERE,1,FIELD,0:(.*)\.nsc\.liu\.se$--end:secpath-replace%/%HOSTNAME:R,ERE,0,ZERO,0:..*--end:secpath-replace%<%%syslogfacility-text%.%syslogseverity-text%> %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" # brackets attached to the hostname. This seems to be the least
#
# This format is used in the audit logs and the logstream, where
# messages from many hosts are intermingled.
template(name="NSCLogFormatSourcePri" type="list") {
# Date (YYYY-mm-dd)
property(name="timereported" dateformat="rfc3339"
position.from="1" position.to="10")
constant(value=" ")
# Time (HH:MM:DD)
property(name="timereported" dateformat="rfc3339"
position.from="12" position.to="19")
constant(value=".")
property(name="timereported" dateformat="subseconds")
constant(value=" ")
# Timezone offset ((+|-)HH:MM)
property(name="timereported" dateformat="tzoffsdirection")
property(name="timereported" dateformat="tzoffshour")
constant(value=":")
property(name="timereported" dateformat="tzoffsmin")
constant(value=" ")
property(name="fromhost"
regex.type="ERE"
regex.expression="(.*)\\.nsc\\.liu\\.se"
regex.submatch="1"
regex.nomatchmode="FIELD"
)
constant(value="/")
# If hostname in message is empty, replace it with a zero ("0")
property(name="hostname"
regex.expression="..*" # Match non-empty field
regex.submatch="0" # Replace with entire match
regex.nomatchmode="ZERO" # ... or with "0" if no match
)
constant(value="<")
property(name="syslogfacility-text")
constant(value=".")
property(name="syslogseverity-text")
constant(value=">")
constant(value=" ")
property(name="syslogtag")
property(name="msg" spifno1stsp="on")
property(name="msg" droplastlf="on")
constant(value="\n")
}
...@@ -127,7 +198,7 @@ module(load="builtin:omfile" ...@@ -127,7 +198,7 @@ module(load="builtin:omfile"
DirCreateMode="0755" DirCreateMode="0755"
FileCreateMode="0644" FileCreateMode="0644"
# And use our formatting of log files # And use our formatting of log files
Template="LogFmtSpaceTime") Template="NSCLogFormat")
...@@ -136,15 +207,15 @@ module(load="builtin:omfile" ...@@ -136,15 +207,15 @@ module(load="builtin:omfile"
# auditing of login nodes # auditing of login nodes
local6.* -?AuditLogfile;LogFmtJoinedLog local6.* -?AuditLogfile;NSCLogFormatSourcePri
local6.* ~ local6.* ~
*.* ?LogFile;LogFmtSpaceTime *.* ?LogFile;NSCLogFormat
# We log everything to one file as well, for easy 'tail -f':ing # We log everything to one file as well, for easy 'tail -f':ing
# This file is logrotated every day, with only one generation # This file is logrotated every day, with only one generation
# saved. # saved.
authpriv.* -/syslogs/logstream;LogFmtJoinedLog authpriv.* -/syslogs/logstream;NSCLogFormatSourcePri
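Review bot: The `fromhost` property in NSCLogFormatSourcePri uses `regex.expression="(.*)\\.nsc\\.liu\\.se"`, which drops the `$` anchor that the removed LogFmtJoinedLog template had. As written, a resolved sender name that only contains `.nsc.liu.se` somewhere before its end would apparently be shortened to the local-looking prefix in the audit log and logstream; `regex.expression="(.*)\\.nsc\\.liu\\.se$"` keeps the old matching. The `hostname` properties in both new templates also no longer carry the old `secpath-replace` option. Because this format joins the two names with `/`, adding `securepath="replace"` there would keep a sender-supplied hostname containing a slash from blurring the sender/origin boundary, unless dropping it was intentional. Separately, the two `# Time (HH:MM:DD)` comments should read `# Time (HH:MM:SS)`.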