diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/impstats.html | 7 | ||||
| -rw-r--r-- | doc/mmpstrucdata.html | 23 |
2 files changed, 30 insertions, 0 deletions
diff --git a/doc/impstats.html b/doc/impstats.html index 3b206941..c768dbf4 100644 --- a/doc/impstats.html +++ b/doc/impstats.html @@ -24,6 +24,13 @@ settings, this impact may be noticeable (for high-load environments). <p>The rsyslog website has an updated overview of available <a href="http://rsyslog.com/rsyslog-statistic-counter/">rsyslog statistic counters</a>. </p> +<p><b>Note that there is a +<a href="http://www.rsyslog.com/impstats-analyzer/">rsyslog statistics +online analyzer</a> available.</b> It can be given a impstats-generated file and +will return problems it detects. Note that the analyzer cannot replace a +human in getting things right, but it is expected to be a good aid in starting +to understand and gain information from the pstats logs. +<7p> <p><b>Module Confguration Parameters</b>:</p> <p>This module supports module parameters, only. <ul> diff --git a/doc/mmpstrucdata.html b/doc/mmpstrucdata.html index b4003062..8197d94a 100644 --- a/doc/mmpstrucdata.html +++ b/doc/mmpstrucdata.html @@ -13,6 +13,7 @@ <p><b>Description</b>:</p> <p>The mmpstrucdata parses RFC5424 structured data into the message json variable tree. +The data parsed, if available, is stored under "jsonRoot!rfc5424-sd!...". <p> </p> <p><b>Module Configuration Parameters</b>:</p> @@ -33,6 +34,10 @@ Specifies into which json container the data shall be parsed to. <p><b>Caveats/Known Bugs:</b> <ul> <li>this module is currently experimental; feedback is appreciated +<li>property names are treated case-insensitive in rsyslog. As such, +RFC5424 names are treated case-insensitive as well. If such names +only differ in case (what is not recommended anyways), problems will +occur. <li>structured data with duplicate SD-IDs and SD-PARAMS is not properly processed </ul> @@ -48,6 +53,24 @@ template(name="jsondump" type="string" string="%msg%: %$!%\n") action(type="omfile" file="/path/to/log" template="jsondump") </textarea> +<p><b>A more practical one:</b> +<p>Take this example message (inspired by RFC5424 sample;)): +<p><code><34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][id@2 test="tast"] BOM'su root' failed for lonvick on /dev/pts/8</code> +<p>We apply this configuration: +<p><textarea rows="6" cols="120">module(load="mmpstrucdata") +action(type="mmpstrucdata") +template(name="sample2" type="string" + string="ALL: %$!%\nSD: %$!RFC5424-SD%\nIUT:%$!rfc5424-sd!exampleSDID@32473!iut%\nRAWMSG: %rawmsg%\n\n") +action(type="omfile" file="/path/to/log" template="sample2") +</textarea> +<p>This will output: +<p><code>ALL: { "rfc5424-sd": { "examplesdid@32473": { "iut": "3", "eventsource": "Application", "eventid": "1011" }, "id@2": { "test": "tast" } } }</br> +SD: { "examplesdid@32473": { "iut": "3", "eventsource": "Application", "eventid": "1011" }, "id@2": { "test": "tast" } }</br> +IUT:3</br> +RAWMSG: <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][id@2 test="tast"] BOM'su root' failed for lonvick on /dev/pts/8</code> +<p>As you can seem, you can address each of the individual items. Note that the +case of the RFC5424 parameter names has been converted to lower case. + <p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] [<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> <p><font size="2">This documentation is part of the |