Rsyslog: Can't use $msgid to filter rsyslog message

Created on 5 Apr 2019  路  4Comments  路  Source: rsyslog/rsyslog

Hi All,

I'm using rsyslog 8.4.0 and try to log a msg with RFC5424 with msgid.
For example:
logger "Testing testing" --msgid "testmsgid" --rfc5424

But when I configure the rsyslog.conf to filter the msg base on msgid, I can't see that log msg.
Here is my rsyslog.conf
if $msgid contains "testmsgid" then {
. /var/log/test.log
}

I still can see "testmsgid" in the rawmsg, but I can fetch it via variable $msgid.

Does anyone has any idea how to fetch msgid field? Or is this a known problem in rsyslog?

Thanks a lot for your support,
Tom

question
Source
picture minhtuanmt1

Most helpful comment

answer in https://github.com/rsyslog/rsyslog/issues/3592#issuecomment-480186237

picture rgerhards on 14 May 2019
👍2

All 4 comments

Not sure if the old version supports that, but in current rsyslog you can disable the special parser:

module(load="imuxsock" SysSock.UseSpecialParser="off")

more info: https://www.rsyslog.com/doc/v8-stable/configuration/modules/imuxsock.html

rgerhards picture rgerhards on 5 Apr 2019

Please write a test log using the template RSYSLOG_DebugFormat, that will show
us exactly what you are receiving and then we can figure out what's happening.

David Lang

davidelang picture davidelang on 5 Apr 2019

Hi Rainer Gerhards and David Lang,

module(load="imuxsock" SysSock.UseSpecialParser="off")
I tried but it doesn't work. I still can't fetch value for msgid attribute.

I tried to use RSYSLOG_DebugFormat and log a test message and it seems there is no msgid field at all. Please see log example below:

logger "Testing testing" --msgid "testmsgid" --rfc5424

Debug line with all properties:
FROMHOST: 'node1', fromhost-ip: '127.0.0.1', HOSTNAME: 'node1', PRI: 13,
syslogtag '1', programname: '1', APP-NAME: '1', PROCID: '-', MSGID: '-',
TIMESTAMP: 'May 14 04:29:21', STRUCTURED-DATA: '-',
msg: ' 2019-05-14T04:29:21.355498+02:00 node1 root - testmsgid [timeQuality tzKnown="1" isSynced="1" syncAccuracy="538958"] Testing testing'
escaped msg: ' 2019-05-14T04:29:21.355498+02:00 node1 root - testmsgid [timeQuality tzKnown="1" isSynced="1" syncAccuracy="538958"] Testing testing'
inputname: imuxsock rawmsg: '<13>1 2019-05-14T04:29:21.355498+02:00 node1 root - testmsgid [timeQuality tzKnown="1" isSynced="1" syncAccuracy="538958"] Testing testing'
$!:
$.:
$/:

Do you know why MSGID: '-'? It supposed to be "testmsgid" in this example.

Thanks and regards,
Tuan

minhtuanmt1 picture minhtuanmt1 on 14 May 2019

answer in https://github.com/rsyslog/rsyslog/issues/3592#issuecomment-480186237

rgerhards picture rgerhards on 14 May 2019
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

shannider picture shannider  路  4Comments
rgerhards picture rgerhards  路  10Comments
bbailey1024 picture bbailey1024  路  3Comments
mashayev picture mashayev  路  9Comments
ITWOI picture ITWOI  路  3Comments