x
/
browbeat
Code Issues Proposed changes
browbeat/ansible/install/roles/rsyslog-templates/templates/03-rules.conf.j2

315 lines
10 KiB
Django/Jinja
Raw Blame History

#### RULES ####
# Ensure message is a properly formatted UTF-8 sequence
action(type="mmutf8fix" mode="utf-8")
# Parse any CEE JSON messages
action(type="mmjsonparse")
{% if not rsyslog_forwarding or rsyslog_aggregator %}
# Now that we have parsed out any CEE JSON data in log messages, we have a CEE
# JSON tree with at least a "msg" field. We proceed with normalizing the data
# to remove redundant pieces of information, and cleanup known bad data.
# The mmjsonparse action above has made sure the $!msg is always populated
# with $msg if initially unpopulated.
if (strlen($!msg) > 0) then {
set $.msg = $!msg;
} else {
if ($inputname == "impstats") then {
set $.msg = "pstats";
} else {
set $.msg = $msg;
}
}
if (strlen($!MESSAGE) > 0) and ($!MESSAGE != $.msg) then {
# Use the systemd message value when present.
set $.msg = $!MESSAGE;
}
# Always pull msg out of the message properties so that it does not show up
# again under the CEE property in ElasticSearch.
unset $!msg;
unset $!MESSAGE;
if ($!_HOSTNAME == $hostname) then {
unset $!_HOSTNAME;
}
if (strlen($!tags) > 0) then {
set $.tags = $!tags;
}
# Always pull tags out of the message properties so that it does not show up
# again under the CEE property in ElasticSearch.
unset $!tags;
# We'll attempt to normalize the PID value we have from the default rsyslog
# properties with collected systemd properties below.
set $.pid = $procid;
set $.hostname = $hostname;
set $.level = $syslogseverity-text;
set $.rsyslog!appname = $app-name;
set $.rsyslog!programname = $programname;
# Copy browbeat json over then delete it from the json namespace
if (strlen($!browbeat_json) > 0) then {
set $.browbeat_json = $!browbeat_json;
unset $!browbeat_json;
}
# Logs are fed into imfile as pure text strings with no level info
# other than the default for that filestream, this parses the messages
# to look for log level info that it can apply
if ($.msg contains 'error') then {
set $.level = 'error';
}
if ($.msg contains 'ERROR') then {
set $.level = 'error';
}
if ($.msg contains 'warn') then {
set $.level = 'notice';
}
if ($.msg contains 'WARN') then {
set $.level = 'notice';
}
if ($.msg contains 'debug') then {
set $.level = 'debug';
}
if ($.msg contains 'DEBUG') then {
set $.level = 'debug';
}
# Now drop app-name if it is the same as programname, don't need to index
# both, and if either or both are still blank, just drop them entirely.
if ($app-name == $programname) then {
unset $.rsyslog!appname;
}
if (strlen($.rsyslog!appname) == 0) then {
unset $.rsyslog!appname;
}
if (strlen($.rsyslog!programname) == 0) then {
unset $.rsyslog!programname;
}
# The facility is an rsyslog specific property defined to have a fixed set of
# values.
set $.rsyslog!facility = $syslogfacility-text;
# The following four properties are pulled from the RFC 5424 message, when
# available. If we don't have those kinds of messages, then the values are
# "-", and in the case of app-name, it will have the same value as
# programname.
set $.rsyslog!protocol-version = $protocol-version;
if (strlen($structured-data) > 0) and ($structured-data != "-") then {
set $.rsyslog!structured-data = $structured-data;
}
if (strlen($msgid) > 0) and ($msgid != "-") then {
set $.rsyslog!msgid = $msgid;
}
# The following four properities are derived by this instance of rsyslog (the
# last instance to touch the message before being indexed into ElasticSearch),
# and not sent across the wire.
set $.rsyslog!fromhost-ip = $fromhost-ip;
if ($fromhost != $hostname) and ($fromhost != $fromhost-ip) then {
# We only report fromhost if it is different from hostname, and only if it
# tells us something more that fromhost-ip.
set $.rsyslog!fromhost = $fromhost;
}
template(name="timegeneratedrfc3339" type="string" string="%timegenerated:::date-rfc3339%")
set $.rsyslog!timegenerated = exec_template("timegeneratedrfc3339");
set $.rsyslog!inputname = $inputname;
if strlen($!_MACHINE_ID) > 0 then {
# Pull out the systemd "user" and "trusted" journal fields.
# See http://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
# Pull out the systemd "user" journal fields...
set $.systemd!t!MACHINE_ID = $!_MACHINE_ID;
unset $!_MACHINE_ID;
if strlen($!CODE_FILE) > 0 then {
set $.systemd!u!CODE_FILE = $!CODE_FILE;
}
unset $!CODE_FILE;
if strlen($!CODE_FUNCTION) > 0 then {
set $.systemd!u!CODE_FUNCTION = $!CODE_FUNCTION;
}
unset $!CODE_FUNCTION;
if strlen($!CODE_LINE) > 0 then {
set $.systemd!u!CODE_LINE = $!CODE_LINE;
}
unset $!CODE_LINE;
if strlen($!ERRNO) > 0 then {
set $.systemd!u!ERRNO = $!ERRNO;
}
unset $!ERRNO;
if strlen($!MESSAGE_ID) > 0 then {
set $.systemd!u!MESSAGE_ID = $!MESSAGE_ID;
}
unset $!MESSAGE_ID;
if strlen($!RESULT) > 0 then {
set $.systemd!u!RESULT = $!RESULT;
}
unset $!RESULT;
if strlen($!UNIT) > 0 then {
set $.systemd!u!UNIT = $!UNIT;
}
unset $!UNIT;
# NOTE We deal with $!MESSAGE separately above
#set $.systemd!u!MESSAGE = $!MESSAGE;
# NOTE WELL: we do not pull out MESSAGE, PRIORITY, SYSLOG_FACILITY,
# SYSLOG_IDENTIFIER, or SYSLOG_PID, as imjournal either on the remote host
# or on our local host has already done that for us using the values
# appropriately for traditional rsyslog message properties.
#unset $!MESSAGE;
#set $.systemd!u!PRIORITY = $!PRIORITY;
unset $!PRIORITY;
#set $.systemd!u!SYSLOG_FACILITY = $!SYSLOG_FACILITY;
unset $!SYSLOG_FACILITY;
#set $.systemd!u!SYSLOG_IDENTIFIER = $!SYSLOG_IDENTIFIER;
unset $!SYSLOG_IDENTIFIER;
#set $.systemd!u!SYSLOG_PID = $!SYSLOG_PID;
unset $!SYSLOG_PID;
# Pull out the systemd "trusted" journal fields...
if strlen($!_AUDIT_LOGINUID) > 0 then {
set $.systemd!t!AUDIT_LOGINUID = $!_AUDIT_LOGINUID;
}
unset $!_AUDIT_LOGINUID;
if strlen($!_AUDIT_SESSION) > 0 then {
set $.systemd!t!AUDIT_SESSION = $!_AUDIT_SESSION;
}
unset $!_AUDIT_SESSION;
if strlen($!_BOOT_ID) > 0 then {
set $.systemd!t!BOOT_ID = $!_BOOT_ID;
}
unset $!_BOOT_ID;
if strlen($!_CAP_EFFECTIVE) > 0 then {
set $.systemd!t!CAP_EFFECTIVE = $!_CAP_EFFECTIVE;
}
unset $!_CAP_EFFECTIVE;
if strlen($!_CMDLINE) > 0 then {
set $.systemd!t!CMDLINE = $!_CMDLINE;
}
unset $!_CMDLINE;
unset $!cmd;
if strlen($!_COMM) > 0 then {
set $.systemd!t!COMM = $!_COMM;
}
unset $!_COMM;
unset $!appname;
if strlen($!_EXE) > 0 then {
set $.systemd!t!EXE = $!_EXE;
}
unset $!_EXE;
unset $!exe;
if strlen($!_GID) > 0 then {
set $.systemd!t!GID = $!_GID;
}
unset $!_GID;
unset $!gid;
if strlen($!_HOSTNAME) > 0 then {
set $.systemd!t!HOSTNAME = $!_HOSTNAME;
}
unset $!_HOSTNAME;
if strlen($!pid) > 0 then {
# The imjournal normalized _PID to pid in its message properties.
set $.lclpid = $!pid;
} else {
if strlen($!_PID) > 0 then {
set $.lclpid = $!_PID;
} else {
set $.lclpid = "-";
}
}
unset $!_PID;
unset $!pid;
if strlen($.lclpid) > 0 then {
if ($.pid == "-") and ($.lclpid != "-") then {
# We don't have a PID, so use the one we found in the systemd data.
set $.pid = $.lclpid;
} else {
if ($.pid != $.lclpid) then {
# We have a PID, but the systemd's PID is different, so be
# sure to save it.
set $.systemd!t!PID = $.lclpid;
}
}
}
if strlen($!_SELINUX_CONTEXT) > 0 then {
set $.systemd!t!SELINUX_CONTEXT = $!_SELINUX_CONTEXT;
}
unset $!_SELINUX_CONTEXT;
if strlen($!_SOURCE_REALTIME_TIMESTAMP) > 0 then {
set $.systemd!t!SOURCE_REALTIME_TIMESTAMP = $!_SOURCE_REALTIME_TIMESTAMP;
}
unset $!_SOURCE_REALTIME_TIMESTAMP;
if strlen($!_SYSTEMD_CGROUP) > 0 then {
set $.systemd!t!SYSTEMD_CGROUP = $!_SYSTEMD_CGROUP;
}
unset $!_SYSTEMD_CGROUP;
if strlen($!_SYSTEMD_OWNER_UID) > 0 then {
set $.systemd!t!SYSTEMD_OWNER_UID = $!_SYSTEMD_OWNER_UID;
}
unset $!_SYSTEMD_OWNER_UID;
if strlen($!_SYSTEMD_SESSION) > 0 then {
set $.systemd!t!SYSTEMD_SESSION = $!_SYSTEMD_SESSION;
}
unset $!_SYSTEMD_SESSION;
if strlen($!_SYSTEMD_SLICE) > 0 then {
set $.systemd!t!SYSTEMD_SLICE = $!_SYSTEMD_SLICE;
}
unset $!_SYSTEMD_SLICE;
if strlen($!_SYSTEMD_UNIT) > 0 then {
set $.systemd!t!SYSTEMD_UNIT = $!_SYSTEMD_UNIT;
}
unset $!_SYSTEMD_UNIT;
if strlen($!_SYSTEMD_USER_UNIT) > 0 then {
set $.systemd!t!SYSTEMD_USER_UNIT = $!_SYSTEMD_USER_UNIT;
}
unset $!_SYSTEMD_USER_UNIT;
if strlen($!_TRANSPORT) > 0 then {
set $.systemd!t!TRANSPORT = $!_TRANSPORT;
}
unset $!_TRANSPORT;
if strlen($!_UID) > 0 then {
set $.systemd!t!UID = $!_UID;
}
unset $!_UID;
unset $!uid;
# Pull out the systemd "kernel" journal fields...
if strlen($!_KERNEL_DEVICE) > 0 then {
set $.systemd!k!KERNEL_DEVICE = $!_KERNEL_DEVICE;
}
unset $!_KERNEL_DEVICE;
if strlen($!_KERNEL_SUBSYSTEM) > 0 then {
set $.systemd!k!KERNEL_SUBSYSTEM = $!_KERNEL_SUBSYSTEM;
}
unset $!_KERNEL_SUBSYSTEM;
if strlen($!_UDEV_SYSNAME) > 0 then {
set $.systemd!k!UDEV_SYSNAME = $!_UDEV_SYSNAME;
}
unset $!_UDEV_SYSNAME;
if strlen($!_UDEV_DEVNODE) > 0 then {
set $.systemd!k!UDEV_DEVNODE = $!_UDEV_DEVNODE;
}
unset $!_UDEV_DEVNODE;
if strlen($!_UDEV_DEVLINK) > 0 then {
set $.systemd!k!UDEV_DEVLINK = $!_UDEV_DEVLINK;
}
unset $!_UDEV_DEVLINK;
} else {
# Because of how we have defined the template above, where the template
# encodes the field name directly, we need to have an empty object for
# $.systemd so that at least an empty set of braces ("{}") is emitted.
# Without that, we don't have a valid JSON document to index.
#
# So to get that empty object whether or not we actually have systemd
# data to normalize we need to create an object hierarchy and then remove
# the leaf property.
set $.systemd!foo = "bar";
unset $.systemd!foo;
}
{% else %}
set $!browbeat_json = $.browbeat_json;
{% endif %}
View Git Blame Copy Permalink