Dynamic Rsyslog template

I have an Rsyslog configuration that looks like this:

template(name="extract" type="string" string="%msg:R:/(?:"(level)":")((\\"|


if $InputFileTag == 'esblog' then {
    set $!level = exec_template("extract");
} else {
    set $!level = $syslogseverity-text;
}

template(name="json_lines" type="list") {
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"host\":\"")        property(name="hostname")
      constant(value="\",\"json.level\":\"")    property(name="$!level" format="json")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"tag\":\"")   property(name="syslogtag" format="json")
      constant(value="\",\"message\":\"")    property(name="msg" format="json")
}

Basically, if the source tag is esblog, I want to use this regular expression from "extract" to pull the severity out of the log message. Otherwise I want to use the default severity. Then I want to use that variable inside the json.level label, so that I only need one template on the outgoing message. But no luck getting this to work yet.

Sample message with RegEx:


0341.407068000:main thread    : error: can not find regex end in: '(?:"level":")(\"|[^"]*)"--end%'
0341.407084000:main thread    : PROP_INVALID for name ''
0341.407097000:main thread    : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: invalid property ''
0341.407195000:main thread    : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 32: error processing template object
0341.407350000:main thread    : Called LogMsg, msg: error during parsing file /etc/rsyslog.conf, on or before line 33: exec_template(): template 'extract' 


  • The RegEx just needed changing.

    template(name="extract" type="string" string="%msg:R,ERE,2,DFLT:(\"level\":\")(\\\"|[^\"]*)\"--end%")
    if $programname contains "esb-log" then {
        set $!level = exec_template("extract");
    } else {
        set $!level = $syslogseverity-text;
    }

    Online Rsyslog RegEx tool:
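
An offline check of the corrected expression, added here as an example (it is not code from the question or the answer): Python's `re` stands in for rsyslog's POSIX ERE engine, and `json.dumps` approximates `format="json"`. The function names, the optional fallback to the syslog severity and the sample messages are assumptions made for this example.

```python
import json
import re

# The answer's expression after rsyslog unescapes the config string:
#   (\"level\":\")(\\\"|[^\"]*)\"   ->   ("level":")(\"|[^"]*)"
LEVEL_RE = re.compile(r'("level":")(\"|[^"]*)"')
NO_MATCH = "**NO MATCH**"  # value rsyslog's DFLT nomatch mode substitutes

# Constructed sample messages (not taken from the page).
SAMPLE_JSON = '{"ts":"2024-01-01T00:00:00Z","level":"error","msg":"db timeout"}'
SAMPLE_PLAIN = "service started without a JSON body"


def extract(msg, submatch=2):
    """Emulate %msg:R,ERE,<submatch>,DFLT:<regex>--end% on the first match."""
    m = LEVEL_RE.search(msg)
    return m.group(submatch) if m else NO_MATCH


def resolve_level(programname, msg, severity_text, fallback=False):
    """Mirror the if/else that sets $!level; fallback is this example's addition."""
    if "esb-log" not in programname:
        return severity_text
    level = extract(msg)
    if fallback and level == NO_MATCH:
        return severity_text  # assumed policy: keep the syslog severity
    return level


def render(level):
    """Approximate the json.level pair as format="json" would escape it."""
    return '"json.level":' + json.dumps(level)


if __name__ == "__main__":
    for prog, msg in [("esb-log", SAMPLE_JSON), ("esb-log", SAMPLE_PLAIN),
                      ("sshd", SAMPLE_PLAIN), ("esb-log", '"level":"""')]:
        print(prog, "->", render(resolve_level(prog, msg, "info")))
```

Without the fallback, an esb-log line that carries no level field puts the literal `**NO MATCH**` into `json.level`, which is worth handling before the value reaches an index or an alert rule.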