The rocket-fast system for log processing

How to set variables in rsyslog v7

With rsyslog 7.1.3 we introduced the opportunity to set variables inside the rsyslog.conf. Though, this does not work with standard properties, this can be done with CEE/lumberjack-type properties. Variable customization should be considered an aid for template generation and modification.

Note that CEE/lumberjack properties, as implemented in rsyslog,  can be hierarchical and levels are delimited by the bang sign (based on lumberjack recommendations). So "!uid" is the uid field in the CEE root, whereas "!usr!uid" is the uid field inside the usr container. Nesting can be as deep as desired. Currently, all parts of the CEE tree can be accessed. In later versions, this may require the setting of a global option.

A variable can be set by using the following:

set varname = expression;

Please note the semicolon at the end. This is needed to separate from other config lines as well as to keep compatibility with older versions. The expression can be an arbitrary complex expression, just like in an "if" statement.

Concrete examples:

set $!usr!level2!var1 = "test";  
set $!usr!level2!var1 = $msg; # update variable with native MSG field
set $!usr!level2!var2 = 1+1; # set !usr!level2!var2 = 2
set $!usr!level2 = $fromhost; # invalid

The last example is invalid because it tries to replace a complete container with the content of a single regular property.

There is also an accompanying "unset" statement to remove a variable that is no longer needed. This is primarily meant to restructure a CEE container. It’s syntax simply is:

unset varname;

Again, note the semicolon at the end. A concrete example is

unset !usr!level2!var1;

which removes a single element. But full containers can also be removed:

unset !usr!level2

Note that all variables are assigned to the message currently being processed. There currently is no way to set global variables.