rsyslog

The rocket-fast system for log processing

How to use a parser module

A recent occurrence prompted this small article. The question was how to use a specific parser module.

First off, most parser modules, except those that are built in, are only available in the git repository and the tarball releases. They are not shipped with RPMs and other packages.

The parser module I want to use here is pmaixforwardedfrom, contributed by David Lang. The module processes messages from AIX and strips the string "Message forwarded from " from the message, because otherwise the message cannot be parsed properly. So an original message that looks like this

Jan 25 23:09:48 Message forwarded from hostname: syslog: /usr/sbin/ifconfig -a

looks like this afterwards:

Jan 25 23:09:48 hostname syslog: /usr/sbin/ifconfig -a

The problem is that AIX adds this string by default, which breaks the hostname field of the standard message format: the default parser takes the wrong token as the hostname. A configuration that tackles the problem looks like this:

module(load="imuxsock")
module(load="imtcp")
$modload pmaixforwardedfrom

# ruleset for AIX messages: the AIX parser must run before the default parsers
$ruleset stripaix
$rulesetcreatemainqueue on
$rulesetparser rsyslog.aixforwardedfrom
$rulesetparser rsyslog.rfc5424
$rulesetparser rsyslog.rfc3164
*.* /var/log/aixlog

# switch back to the default ruleset for everything that follows
$ruleset RSYSLOG_DefaultRuleset

# dedicated listener bound to the AIX ruleset
input(type="imtcp"
        port="514"
        ruleset="stripaix"
)

Please note that we need to mix configuration styles in this case. The new RainerScript config style cannot be applied to the entire configuration here.

Basically, we need a ruleset and a listener bound to that ruleset. The listener can be configured in RainerScript, while the ruleset needs legacy directives. In the ruleset, we first configure the additional parser, followed by the default parsers, so that the AIX prefix is stripped before the standard parsers see the message. As a final step, we write everything to a file.

It is strongly suggested to have a dedicated listener and ruleset for AIX log messages, so that the extra parser only touches messages that actually carry the AIX prefix.
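To make the hostname problem concrete, here is an added Python example (not part of rsyslog or of this article) that mimics what pmaixforwardedfrom does to the sample line above and shows which token a plain RFC 3164 split would otherwise take as the hostname. The sample line is constructed, and the RFC 3164 split is a simplified illustration, not rsyslog's actual parser.

```python
from typing import Dict

# Constructed sample line in the raw form AIX emits (not from a real host).
RAW_AIX = "Jan 25 23:09:48 Message forwarded from hostname: syslog: /usr/sbin/ifconfig -a"
PREFIX = "Message forwarded from "
TS_LEN = len("Jan 25 23:09:48")  # RFC 3164 timestamp is fixed width


def strip_aix_forwarded_from(line: str) -> str:
    """Mimic pmaixforwardedfrom: drop the 'Message forwarded from ' prefix that
    follows the timestamp and the ':' AIX appends to the real hostname.
    Lines without the prefix are returned unchanged."""
    head, rest = line[: TS_LEN + 1], line[TS_LEN + 1 :]
    if not rest.startswith(PREFIX):
        return line
    host, sep, remainder = rest[len(PREFIX):].partition(": ")
    if not sep:
        return line  # malformed: no "host:" after the prefix, leave it alone
    return f"{head}{host} {remainder}"


def parse_rfc3164(line: str) -> Dict[str, str]:
    """Simplified RFC 3164 split (timestamp, hostname, rest); illustrative only,
    not rsyslog's parser. It shows which token ends up as the hostname."""
    timestamp = line[:TS_LEN]
    hostname, _, msg = line[TS_LEN + 1 :].partition(" ")
    return {"timestamp": timestamp, "hostname": hostname, "msg": msg}


def attribute(line: str, use_aix_parser: bool) -> Dict[str, str]:
    """Emulate the ruleset's parser chain: optionally run the AIX parser first,
    then hand the (possibly rewritten) line to the RFC 3164 split."""
    if use_aix_parser:
        line = strip_aix_forwarded_from(line)
    return parse_rfc3164(line)


if __name__ == "__main__":
    # Without the AIX parser the hostname field is "Message"; with it, "hostname".
    for flag in (False, True):
        print(f"aix parser={flag}: hostname={attribute(RAW_AIX, flag)['hostname']}")
```

A wrong hostname field means the event is attributed to a host called "Message" in whatever consumes the log, which is why the AIX parser has to run before the standard ones.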

More information about parser modules can be found here:
Doc – Rulesetparser
Doc – Messageparser