Search code examples
rsyslog

How to write DRY rsyslog rules?


Using rsyslog and specifically liblognorm is it possible to have DRY rules by referencing other rules?


Example: having the following 2 rules which are exactly matching except for the first 3 fields

rule=innerQuery:%timestamp:date-rfc5424% %queryid:number% %client:ipv4%/%clientport:number% %querytype:word% %domain:word% %additionalinfo:rest%

rule=wrapperQuery:%mts:date-rfc5424% %mh:char-to: % [%mt:char-to:]%] %timestamp:date-rfc5424% %queryid:number% %client:ipv4%/%clientport:number% %querytype:word% %domain:word% %additionalinfo:rest%

Is it possible to have the wrapperQuery defined by referencing the innerQuery rule

rule=wrapperQuery:%mts:date-rfc5424% %mh:char-to: % [%mt:char-to:]%] %core:REFERENCE_innerQuery%

Solution

  • I was able to handle that by:

    1. Defining the common pattern in a custom type
    2. Utilizing the custom type in the inner and outer rule

    which implies that the variable access would be nested too.

    Following is how that could be achieved

    type=@coreQ:%timestamp:date-rfc5424% %queryid:number% %client:ipv4%/%clientport:number% %querytype:word% %domain:word% %additionalinfo:rest%
    
    rule=innerQuery:%core:@coreQ:%
    
    rule=wrapperQuery:%mts:date-rfc5424% %mh:char-to: % [%mt:char-to:]%] %core:@coreQ%
    

    And that's how the variable could be accessed

    template(name="myLogFormat" type="string" string="Full structure displayed as json is %$!core%, single element is %$!core!domain%\n")
    

    Note: the syntax is %$!core!domain% and not %$!core.domain%