<div dir="ltr">Wow... I figured there was a simple log headers option or something I wasn't finding. <div>I have about 3000 unique hosts so that solution may be a bit more involved for simple filter troubleshooting. </div><div><br></div><div>Thanks for the feedback. I'll give it a try </div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 15, 2016 at 10:06 AM, PÁSZTOR György <span dir="ltr"><<a href="mailto:pasztor@linux.gyakg.u-szeged.hu" target="_blank">pasztor@linux.gyakg.u-szeged.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<div><div class="h5"><br>
"Scot" <<a href="mailto:scotrn@gmail.com">scotrn@gmail.com</a>> wrote at 2016-02-15 09:58:<br>
> Searched for 2 hours this morning and could not find the answer.<br>
><br>
> Testing message filters and I'd like to be able to log all the meta data<br>
> value pairs to a fifo to make troubleshooting easier.<br>
><br>
> Like RSYSLOG_DebugFormat<br>
<br>
</div></div>I typically use this:<br>
destination d_net_flat { file("/var/log/net/$HOST"<br>
template("$ISODATE $(format_json --scope nv_pairs,all_macros,core,selected_macros,everything,core<br>
--exclude R_* --exclude S_* )\n")); };<br>
<br>
Later in /var/log/net I watch the interesting file with this:<br>
<br>
tail -f 10.21.255.141 | perl -MJSON -MData::Dumper -ne 's/.*?\{/{/ ; my<br>
$j=JSON::decode_json $_; print Data::Dumper::Dumper($j) if 1 ; print<br>
"$j->{FULLDATE};$j->{HOST};$j->{MSGHDR}$j->{MSG}\n"; '<br>
<br>
The filename in the tail -f can be any host's file.<br>
The other part: If I do not use the "$ISODATE " prefix in the template,<br>
then even this perl one-liner is not necessary. You can use json_pp as a<br>
filter after tail too.<br>
The advantage of this perl "oneliner" is that I can modify the always true<br>
1 expression as the print's conditional, so I have a better chance to<br>
filter out the lines which interest me.<br>
<br>
I hope this is kind of a solution which may help you.<br>
<br>
Cheers,<br>
Gyu<br>
<br>
</blockquote></div><br></div>
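<div>An added example (not part of the original thread and not syslog-ng project code): a Python counterpart to the quoted Perl filter for the "$ISODATE {json}" lines that the template writes. It skips truncated lines and flattens nested objects to dotted names; the sample lines, the app.* pairs and the function names are constructed for illustration.</div>

```python
import json
import sys

# Constructed sample lines in the "$ISODATE {json}" shape; the last one is truncated.
SAMPLE = [
    '2016-02-15T10:06:01+01:00 {"HOST":"192.0.2.10","PROGRAM":"sshd","MSG":"Failed password for root","app":{"user":"root","src":{"ip":"198.51.100.7"}}}',
    '2016-02-15T10:06:02+01:00 {"HOST":"192.0.2.10","PROGRAM":"cron","MSG":"job started"}',
    '2016-02-15T10:06:03+01:00 {"HOST":"192.0.2.10","PROGRAM":"ss',
]

def parse_line(line):
    """Return the decoded JSON object from one line, or None if it cannot be parsed."""
    start = line.find("{")  # drop the timestamp prefix, as s/.*?\{/{/ does
    if start < 0:
        return None
    try:
        obj = json.loads(line[start:])
    except ValueError:  # half-written or truncated line while tailing
        return None
    return obj if isinstance(obj, dict) else None

def flatten(obj, prefix=""):
    """Turn nested objects into dotted name-value pairs."""
    pairs = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            pairs.update(flatten(value, name + "."))
        else:
            pairs[name] = value
    return pairs

def matching(lines, predicate=lambda nv: True):
    """Yield the flattened pairs of every parsable line the predicate accepts."""
    for line in lines:
        obj = parse_line(line)
        if obj is None:
            continue
        nv = flatten(obj)
        if predicate(nv):
            yield nv

if __name__ == "__main__":
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    # Edit this condition the way the "if 1" is edited in the Perl one-liner.
    for nv in matching(lines, lambda nv: nv.get("PROGRAM") == "sshd"):
        print(" ".join(f"{name}={nv[name]!r}" for name in sorted(nv)))
```

<div>Piping tail -f of one host's file into the script reads from stdin; run without a pipe, it uses the constructed sample lines.</div>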