Mailing List Archive

local variables not printed in debug format
Running rsyslog 8.1901 on fresh Debian10 the $.localvars are not printed in
debug format.
Starting rsyslog by
/usr/sbin/rsyslogd -d -n -f /etc/rsyslog-2/rsyslog-lin.conf
Config files are processed without any error.
The message looks like this:
Debug line with all properties:
FROMHOST: 'hostname.domain', fromhost-ip: '10.1.1.3', HOSTNAME:
'server-10.1.1.4', PRI: 86,
syslogtag 'sudo', programname: 'sudo', APP-NAME: 'sudo', PROCID: '-',
MSGID: '-',
TIMESTAMP: 'Aug 9 14:07:50', STRUCTURED-DATA: '[syslogTimes@29171
10.1.1.1="2019-08-09T14:07:50.497819+02:00"]',
msg: 'pam_unix(sudo:session): session closed for user root'
escaped msg: 'pam_unix(sudo:session): session closed for user root'
inputname: imtcp rawmsg: '<86>1 2019-08-09T14:07:50.497129+02:00
server-10.1.1.4 sudo - - [syslogTimes@29171
10.1.1.3="2019-08-09T14:07:50.497819+02:00"] pam_unix(sudo:session):
session closed for user root'
$!:
$.:
$/:

No local variables listed. Also all the variables used in templates are
empty.
Is there any known bug which might be related? What to check? Option
abortonuncleanconfig is enabled.

Config snippets:

/etc/rsyslog-2# cat rsyslog-lin.conf
# Include global configuration
$IncludeConfig /etc/rsyslog-2/global/*.conf

# Include instance configuration
$IncludeConfig /etc/rsyslog-2/lin/*.conf
/etc/rsyslog-2# ls -la /etc/rsyslog-2/global/*.conf
-rw-r--r-- 1 root root 151 May 30 13:38 /etc/rsyslog-2/global/00-stats.conf
-rw-r--r-- 1 root root 164 Jun 12 12:26
/etc/rsyslog-2/global/01-global.conf
-rw-r--r-- 1 root root 69 May 30 13:46
/etc/rsyslog-2/global/02-permissions.conf
-rw-r--r-- 1 root root 42 May 31 11:51
/etc/rsyslog-2/global/03-modules.conf
-rw-r--r-- 1 root root 1026 Aug 9 10:22
/etc/rsyslog-2/global/09-variables.conf
-rw-r--r-- 1 root root 3237 Aug 5 08:41
/etc/rsyslog-2/global/10-templates.conf
/etc/rsyslog-2# cat /etc/rsyslog-2/global/09-variables.conf
# set local variables
set $.localip="1.1.1.3";
set $.host=$$myhostname;

$template
getOrigip,"%hostname:R,ERE,1,ZERO:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})--end%"
set $.origip=exec_template("getOrigip");
if ( $.origip == "0" ) then {
if ( $fromhost-ip == "127.0.0.1" ) then {
set $.origip=$.localip;
}
else {
set $.origip=$fromhost-ip;
}
}
....

--
Peter
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: local variables not printed in debug format [ In reply to ]
FYI

Found the problem.
The listener used local ruleset, while the variables resided in
RSYSLOG_DefaultRuleset. Moving the omfile action out of ruleset definition
resolved the issue.

Reading sentence
"As such, any modifications made to the message object (e.g. message or
local variables that are set) or discarding of the message object have no
effect outside that ruleset."
on https://www.rsyslog.com/doc/v8-stable/concepts/multi_ruleset.html make
it more clear.

--
Peter

On Fri, Aug 9, 2019 at 2:51 PM Peter Viskup <skupko.sk@gmail.com> wrote:

> Running rsyslog 8.1901 on fresh Debian10 the $.localvars are not printed
> in debug format.
> Starting rsyslog by
> /usr/sbin/rsyslogd -d -n -f /etc/rsyslog-2/rsyslog-lin.conf
> Config files are processed without any error.
> The message looks like this:
> Debug line with all properties:
> FROMHOST: 'hostname.domain', fromhost-ip: '10.1.1.3', HOSTNAME:
> 'server-10.1.1.4', PRI: 86,
> syslogtag 'sudo', programname: 'sudo', APP-NAME: 'sudo', PROCID: '-',
> MSGID: '-',
> TIMESTAMP: 'Aug 9 14:07:50', STRUCTURED-DATA: '[syslogTimes@29171
> 10.1.1.1="2019-08-09T14:07:50.497819+02:00"]',
> msg: 'pam_unix(sudo:session): session closed for user root'
> escaped msg: 'pam_unix(sudo:session): session closed for user root'
> inputname: imtcp rawmsg: '<86>1 2019-08-09T14:07:50.497129+02:00
> server-10.1.1.4 sudo - - [syslogTimes@29171
> 10.1.1.3="2019-08-09T14:07:50.497819+02:00"] pam_unix(sudo:session):
> session closed for user root'
> $!:
> $.:
> $/:
>
> No local variables listed. Also all the variables used in templates are
> empty.
> Is there any known bug which might be related? What to check? Option
> abortonuncleanconfig is enabled.
>
> Config snippets:
>
> /etc/rsyslog-2# cat rsyslog-lin.conf
> # Include global configuration
> $IncludeConfig /etc/rsyslog-2/global/*.conf
>
> # Include instance configuration
> $IncludeConfig /etc/rsyslog-2/lin/*.conf
> /etc/rsyslog-2# ls -la /etc/rsyslog-2/global/*.conf
> -rw-r--r-- 1 root root 151 May 30 13:38
> /etc/rsyslog-2/global/00-stats.conf
> -rw-r--r-- 1 root root 164 Jun 12 12:26
> /etc/rsyslog-2/global/01-global.conf
> -rw-r--r-- 1 root root 69 May 30 13:46
> /etc/rsyslog-2/global/02-permissions.conf
> -rw-r--r-- 1 root root 42 May 31 11:51
> /etc/rsyslog-2/global/03-modules.conf
> -rw-r--r-- 1 root root 1026 Aug 9 10:22
> /etc/rsyslog-2/global/09-variables.conf
> -rw-r--r-- 1 root root 3237 Aug 5 08:41
> /etc/rsyslog-2/global/10-templates.conf
> /etc/rsyslog-2# cat /etc/rsyslog-2/global/09-variables.conf
> # set local variables
> set $.localip="1.1.1.3";
> set $.host=$$myhostname;
>
> $template
> getOrigip,"%hostname:R,ERE,1,ZERO:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})--end%"
> set $.origip=exec_template("getOrigip");
> if ( $.origip == "0" ) then {
> if ( $fromhost-ip == "127.0.0.1" ) then {
> set $.origip=$.localip;
> }
> else {
> set $.origip=$fromhost-ip;
> }
> }
> ....
>
> --
> Peter
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: local variables not printed in debug format [ In reply to ]
more to the point, the debug output shows you what the variables are at that
point in the processing. If you have not populated them in the config statements
for this message, they won't be populated

if you change them in statements after you log, you won't see those changes

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.