How to use a parser module

A recent question about how to use a specific parser module prompted this short article.

First off, most parser modules, except those that are built in, are only available from the git repository and the tarball releases. They are generally not shipped in distribution RPMs or other binary packages, so if you need one, expect to build from source.

The parser module I want to use here is pmaixforwardedfrom, which was contributed by David Lang. It handles messages from AIX and strips the string “Message forwarded from ” that the AIX syslogd inserts when it forwards a message, because otherwise the message cannot be parsed properly. So the original message, which looks like this

Jan 25 23:09:48 Message forwarded from hostname: syslog: /usr/sbin/ifconfig -a

looks like this afterwards

Jan 25 23:09:48 hostname syslog: /usr/sbin/ifconfig -a

The problem is that AIX adds this string by default, and in the default message format the words “Message forwarded from” land exactly where the hostname is expected, so the default parser takes “Message” as the hostname and the remainder as the tag and message. A configuration that deals with this looks like the following:

module(load="imuxsock")
$modload pmaixforwardedfrom

$ruleset stripaix
$rulesetcreatemainqueue on
$rulesetparser rsyslog.aixforwardedfrom
$rulesetparser rsyslog.rfc5424
$rulesetparser rsyslog.rfc3164
*.* /var/log/aixlog

$ruleset RSYSLOG_DefaultRuleset

Please note that we have to mix configuration styles in this case: the new RainerScript config style cannot yet express the whole configuration, so the ruleset and its parser selection use legacy directives.

Basically, we need a ruleset and have to bind a listener to it. The listener can be configured in RainerScript, while the ruleset needs legacy parameters. Inside the ruleset we first configure the additional parser, followed by the default parsers; the parsers are tried in the order they are listed, so rsyslog.aixforwardedfrom sees the message first, strips the prefix, and then the standard RFC 5424 and RFC 3164 parsers take over. As a final step, everything is written to a file. One thing to check: the configuration above does not itself bind any input to stripaix. For a network listener receiving the AIX messages, the binding is done with the legacy directive for that input, for example $InputUDPServerBindRuleset stripaix placed before the corresponding $UDPServerRun, or $InputTCPServerBindRuleset stripaix for imtcp; without such a binding the messages stay in the default ruleset and the AIX parser is never applied.
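To make the hostname problem from the earlier paragraphs and the parser order described here concrete, below is a small added example written for this article; it is not code from rsyslog or from the pmaixforwardedfrom module. It reproduces in Python what the parser chain does: a minimal RFC 3164 header split standing in for rsyslog.rfc3164, and a rewrite step standing in for rsyslog.aixforwardedfrom. The sample lines are constructed, and the regular expressions are only an approximation of rsyslog's real parsers. Running it shows the default parser taking the word “Message” as the hostname, and the correct hostname once the prefix is stripped.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines for this example (not captured from a real AIX host).
AIX_LINE = "Jan 25 23:09:48 Message forwarded from hostname: syslog: /usr/sbin/ifconfig -a"
PLAIN_LINE = "Jan 25 23:09:48 hostname syslog: /usr/sbin/ifconfig -a"
# A message whose body merely contains the phrase; the prefix must sit in the
# hostname position, so this line must be left alone by the rewrite.
BODY_LINE = "Jan 25 23:09:48 realhost app: Message forwarded from other: text"

# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" (day may be space-padded).
_TS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d \d{2}:\d{2}:\d{2}"

# Header layout: TIMESTAMP SP HOSTNAME SP TAG[:] SP MSG (approximation of rsyslog.rfc3164).
_RFC3164_RE = re.compile(rf"^(?P<ts>{_TS}) (?P<host>\S+) (?P<rest>.*)$")
# TAG is the text up to the first ':' or space, at most 32 characters.
_TAG_RE = re.compile(r"^(?P<tag>[^:\s]{1,32}):?\s?(?P<msg>.*)$")

# What AIX syslogd puts in the hostname position when it forwards a message.
_AIX_RE = re.compile(rf"^(?P<ts>{_TS}) Message forwarded from (?P<host>[^\s:]+): (?P<rest>.*)$")


@dataclass
class Header:
    timestamp: str
    hostname: str
    tag: str
    msg: str


def parse_rfc3164(line: str) -> Optional[Header]:
    """Split an RFC 3164 line into its header fields; None if the header does not match."""
    m = _RFC3164_RE.match(line)
    if m is None:
        return None
    t = _TAG_RE.match(m["rest"])
    tag, msg = (t["tag"], t["msg"]) if t else ("", m["rest"])
    return Header(m["ts"], m["host"], tag, msg)


def strip_aix_forwarded_from(line: str) -> str:
    """Rewrite 'TS Message forwarded from HOST: REST' into 'TS HOST REST'.

    Mirrors what the article says pmaixforwardedfrom does. A line without the
    prefix is returned unchanged, so the next parser in the chain can handle it.
    """
    m = _AIX_RE.match(line)
    if m is None:
        return line
    return f"{m['ts']} {m['host']} {m['rest']}"


def parse_aix(line: str) -> Optional[Header]:
    """The parser chain from the config: strip the AIX prefix, then parse as RFC 3164."""
    return parse_rfc3164(strip_aix_forwarded_from(line))


if __name__ == "__main__":
    for line in (AIX_LINE, PLAIN_LINE, BODY_LINE):
        print("default parser :", parse_rfc3164(line))
        print("with stripaix  :", parse_aix(line))
```

The rewrite is anchored at the hostname position, directly after the timestamp, so a message body that merely contains the phrase is not touched. If you implement the rewrite some other way, keep that anchoring: otherwise message content supplied by any sender could be used to change the hostname that ends up in your logs.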

It is strongly suggested to use a dedicated listener and ruleset for AIX log messages, so that the rewriting parser is applied only to messages that actually come from AIX hosts.

More information about parser modules can be found here:
Doc – Rulesetparser
Doc – Messageparser

Changelog for 4.6.8 (v4-stable)

Version 4.6.8 [v4-stable] (rgerhards), 2011-09-01

  • bugfix/security: off-by-two bug in legacy syslog parser, CVE-2011-3200
  • bugfix: potential misaddressing in property replacer
  • bugfix: memcpy overflow can occur in allowed sender checking if a name is resolved to IPv4-mapped-on-IPv6 address
    Found by Ismail Dönmez at SUSE
  • bugfix: The NUL-Byte for the syslogtag was not copied in MsgDup (msg.c)

Changelog for 6.3.3 (v6-devel)

Version 6.3.3 [DEVEL] (rgerhards), 2011-07-13

  • rsyslog.conf format: now parsed by RainerScript parser
    this provides the necessary base for future enhancements as well as some
    minor immediate ones. For details see:

  • performance of script-based filters notably increased
  • removed compatibility mode as we expect people have adjusted their
    confs by now

  • added support for the “:omfile:” syntax for actions