Rsyslog convert msg timestamp to rfc3339 format

Question


I've got the following rsyslog conf and the below log message I'm receiving. I'm extracting the timestamp from the log message using regex, but since it's not a very nice format, I want to convert the timestamp to rfc3339.

I find rsyslog's documentation is missing a lot of things for someone starting fresh. Is this something which can be done within the template? I appreciate any hints/clues on how to achieve this.

/path/to/log/file.log

 11955 - [Mon Apr  6 20:40:03 2023] [Info   ] This message can contain anything [d54d13fa-4657-4891-f99d08674ee]

/etc/rsyslog.d/mylog.conf

module(load="imfile")
input(type="imfile" tag="mylog" file="/path/to/*/file.log")

template(name="jsonFormat" type="list") {
    property(outname="timestamp" name="msg" regex.expression="^[^[]*\\[([^]]*)\\]" regex.type="ERE" regex.submatch="1" format="jsonf")
}

if ($syslogtag == "mylog") then {
    action(type="omfile" file="/path/to/output/file.log" template="jsonFormat")
}

Answer 1

Score: 1


RainerScript has some functions you can use to manipulate the input line with. For example,

template(name="myformat" type="string" string="%$.date% %msg%\n")
set $.date = re_extract($rawmsg, "\\[... (.{15})", 0, 1, "");
if ($.date != "") then {
 set $.unixtime = parse_time($.date);
 if($.unixtime != 0) then {
  set $.date = format_time($.unixtime, "date-rfc3339");
  action(type="omfile" file="output" template="myformat")
 }
}

The re_extract() function works like the regex.expression in your template property. Here it finds the [, skips the 3 character weekday, and captures the next 15 characters, omitting the year as that is not part of RFC3164. The year is assumed to be approximately "this year".

The returned value is saved in a local variable of your choice, $.date. Note the obligatory ; at the end of lines beginning with set.

If the match worked, parse_time() is used to convert it from RFC3164 to Unix seconds-from-the-epoch. If this worked, format_time() converts it to an RFC3339 string. The variable is used in a template just like any property, with %$.date% in a string or property(name="$.date" ...).
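As an added example that is not part of the question or the answer, here is a Python reference implementation of the same extraction and conversion, useful for checking what the rsyslog template should emit; unlike the RainerScript version it keeps the year from the message and rejects regex-shaped but impossible dates. It assumes the log's timestamps are UTC, since the line carries no zone; LINE_RE, TS_RE, to_rfc3339, parse_line and convert are names chosen here, and SAMPLE is constructed from the question's line.

```python
import json
import re
from datetime import datetime, timezone

# Line shape from the question (SAMPLE below is a constructed copy of it):
#   11955 - [Mon Apr  6 20:40:03 2023] [Info   ] message text [uuid]
LINE_RE = re.compile(r"^\s*(?P<pid>\d+) - \[(?P<ts>[^\]]*)\] \[(?P<level>[^\]]*)\] (?P<msg>.*)$")
# Like the answer's re_extract("\\[... (.{15})"): skip the 3-letter weekday,
# but keep the trailing year instead of assuming "this year".
TS_RE = re.compile(r"^[A-Za-z]{3}\s+(?P<rest>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})$")

def to_rfc3339(ts, tz=timezone.utc):
    """'Mon Apr  6 20:40:03 2023' -> '2023-04-06T20:40:03+00:00', or None.
    None mirrors the empty string a failed re_extract()/parse_time() yields in
    RainerScript. The log carries no zone, so UTC is an assumption here."""
    m = TS_RE.match(ts.strip())
    if m is None:
        return None
    try:
        # strptime matches format whitespace as \s+, so the padded "Apr  6"
        # parses, and %d accepts a single-digit day.
        naive = datetime.strptime(m.group("rest"), "%b %d %H:%M:%S %Y")
    except ValueError:  # e.g. "Apr 31": regex-shaped but not a real date
        return None
    return naive.replace(tzinfo=tz).isoformat()

def parse_line(line):
    """Return the record the question's jsonFormat template aims at, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = to_rfc3339(m.group("ts"))
    if ts is None:
        return None
    return {"timestamp": ts, "pid": int(m.group("pid")),
            "level": m.group("level").strip(), "msg": m.group("msg")}

def convert(lines):
    """One JSON document per parsable line; unparsable lines are dropped."""
    return [json.dumps(rec, sort_keys=True) for rec in map(parse_line, lines) if rec]

# Constructed sample input: the question's line plus one that must be rejected.
SAMPLE = [
    " 11955 - [Mon Apr  6 20:40:03 2023] [Info   ] This message can contain anything [d54d13fa-4657-4891-f99d08674ee]",
    " 11956 - [Mon Apr 31 20:40:03 2023] [Warn   ] impossible date, must be skipped",
]

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE)))
```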

huangapple
  • Posted on 2023-04-10 23:32:30
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75978447.html