diff options
Diffstat (limited to 'doc/property_replacer.html')
| -rw-r--r-- | doc/property_replacer.html | 768 |
1 files changed, 0 insertions, 768 deletions
diff --git a/doc/property_replacer.html b/doc/property_replacer.html deleted file mode 100644 index 7218c22..0000000 --- a/doc/property_replacer.html +++ /dev/null @@ -1,768 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html><head><title>The Rsyslogd Property Replacer</title></head> -<body> -<a href="rsyslog_conf_templates.html">back</a> -<h1>The Property Replacer</h1> -<p><b>The property replacer is a core component in -rsyslogd's output system.</b> A syslog message has a number of -well-defined properties (see below). Each of this properties can be -accessed <b>and</b> manipulated by the property replacer. -With it, it is easy to use only part of a property value or manipulate -the value, e.g. by converting all characters to lower case.</p> -<h1>Accessing Properties</h1> -<p>Syslog message properties are used inside templates. They are -accessed by putting them between percent signs. Properties can be -modified by the property replacer. The full syntax is as follows:</p> -<blockquote><b><code>%propname:fromChar:toChar:options:fieldname%</code></b></blockquote> -<h2>Available Properties</h2> -<p><b><code>propname</code></b> is the -name of the property to access. It is case-insensitive (prior to 3.17.0, they were case-senstive). -Currently supported are:</p> -<table> -<tbody> -<tr> -<td><b>msg</b></td> -<td>the MSG part of the message (aka "the message" ;))</td> -</tr> -<tr> -<td><b>rawmsg</b></td> -<td>the message excactly as it was received from the -socket. Should be useful for debugging.</td> -</tr> -<tr> -<td><b>hostname</b></td> -<td>hostname from the message</td> -</tr> -<tr> -<td><b>source</b></td> -<td>alias for HOSTNAME</td> -</tr> -<tr> -<td><b>fromhost</b></td> -<td>hostname of the system the message was received from -(in a relay chain, this is the system immediately in front of us and -not necessarily the original sender). This is a DNS-resolved name, except -if that is not possible or DNS resolution has been disabled.</td> -</tr> -<tr> -<td><b>fromhost-ip</b></td> -<td>The same as fromhost, but alsways as an IP address. Local inputs -(like imklog) use 127.0.0.1 in this property.</td> -</tr> -<tr> -<td><b>syslogtag</b></td> -<td>TAG from the message</td> -</tr> -<tr> -<td><b>programname</b></td> -<td>the "static" part of the tag, as defined by -BSD syslogd. For example, when TAG is "named[12345]", programname is -"named".</td> -</tr> -<tr> -<td><b>pri</b></td> -<td>PRI part of the message - undecoded (single value)</td> -</tr> -<tr> -<td><b>pri-text</b></td> -<td>the PRI part of the message in textual form (e.g. "syslog.info")</td> -</tr> -<tr> -<td><b>iut</b></td> -<td>the monitorware InfoUnitType - used when talking -to a <a href="http://www.monitorware.com">MonitorWare</a> -backend (also for <a href="http://www.phplogcon.org/">phpLogCon</a>)</td> -</tr> -<tr> -<td><b>syslogfacility</b></td> -<td>the facility from the message - in numerical form</td> -</tr> -<tr> -<td><b>syslogfacility-text</b></td> -<td>the facility from the message - in text form</td> -</tr> -<tr> -<td><b>syslogseverity</b></td> -<td>severity from the message - in numerical form</td> -</tr> -<tr> -<td><b>syslogseverity-text</b></td> -<td>severity from the message - in text form</td> -</tr> -<tr> -<td><b>syslogpriority</b></td> -<td>an alias for syslogseverity - included for historical -reasons (be careful: it still is the severity, not PRI!)</td> -</tr> -<tr> -<td><b>syslogpriority-text</b></td> -<td>an alias for syslogseverity-text</td> -</tr> -<tr> -<td><b>timegenerated</b></td> -<td>timestamp when the message was RECEIVED. Always in high -resolution</td> -</tr> -<tr> -<td><b>timereported</b></td> -<td>timestamp from the message. Resolution depends on -what was provided in the message (in most cases, -only seconds)</td> -</tr> -<tr> -<td><b>timestamp</b></td> -<td>alias for timereported</td> -</tr> -<tr> -<td><b>protocol-version</b></td> -<td>The contents of the PROTCOL-VERSION field from IETF -draft draft-ietf-syslog-protcol</td> -</tr> -<tr> -<td><b>structured-data</b></td> -<td>The contents of the STRUCTURED-DATA field from IETF -draft draft-ietf-syslog-protocol</td> -</tr> -<tr> -<td><b>app-name</b></td> -<td>The contents of the APP-NAME field from IETF draft -draft-ietf-syslog-protocol</td> -</tr> -<tr> -<td><b>procid</b></td> -<td>The contents of the PROCID field from IETF draft -draft-ietf-syslog-protocol</td> -</tr> -<tr> -<td><b>msgid</b></td> -<td>The contents of the MSGID field from -IETF draft draft-ietf-syslog-protocol</td> -</tr> -<tr> -<td><b>parsesuccess</b></td> -<td>This returns the status of the <b>last</b> called higher level parser, -like mmjsonparse. A higher level parser parses the actual message for additional -structured data and maintains an extra property table while doing so (this is -often referred to as "cee data" because the idea was originally rooted in the -cee effort, only (but has been extended since then). Note that higher level -parsers must explicitely support (and set) this property. So, depending on the -parser, it may not be set correctly. -<br>If the parser properly supports it, the value "OK" means that parsing was -successfull, while "FAIL" means the parser could not successfully obtain any data. -Failure state is not necessarily an error. For example, it may simple indicate -that the cee-enhanced syslog parser (mmjsonparse) did not detect cee-enhanced format, -what can be totally valid. Using this property, further processing of the message -can be directed based on this parsing outcome. If no parser has been called at the -time this property is accessed, it will contain "FAIL". -<br><b>This property is available since version 6.3.8.</b> -</td> -</tr> -<td><b>inputname</b></td> -<td>The name of the input module that generated the -message (e.g. "imuxsock", "imudp"). Note that not all modules -necessarily provide this property. If not provided, it is an -empty string. Also note that the input module may provide -any value of its liking. Most importantly, it is <b>not</b> -necessarily the module input name. Internal sources can also -provide inputnames. Currently, "rsyslogd" is defined as inputname -for messages internally generated by rsyslogd, for example startup -and shutdown and error messages. -This property is considered useful when trying to filter messages -based on where they originated - e.g. locally generated messages -("rsyslogd", "imuxsock", "imklog") should go to a different place -than messages generated somewhere. -</td> -</tr> -<tr> -<td><b>$bom</b></td> -<td>The UTF-8 encoded Unicode byte-order mask (BOM). This may be useful -in templates for RFC5424 support, when the character set is know to be -Unicode.</td> -</tr> -<td><b>$uptime</b></td> -<td>system-uptime in seconds (as reported by operating system). -</td> -</tr> -<tr> -<td><b>$now</b></td> -<td>The current date stamp in the format YYYY-MM-DD</td> -</tr> -<tr> -<td><b>$year</b></td> -<td>The current year (4-digit)</td> -</tr> -<tr> -<td><b>$month</b></td> -<td>The current month (2-digit)</td> -</tr> -<tr> -<td><b>$day</b></td> -<td>The current day of the month (2-digit)</td> -</tr> -<tr> -<td><b>$hour</b></td> -<td>The current hour in military (24 hour) time (2-digit)</td> -</tr> -<tr> -<td><b>$hhour</b></td> -<td>The current half hour we are in. From minute 0 to 29, -this is always 0 while -from 30 to 59 it is always 1.</td> -</tr> -<tr> -<td><b>$qhour</b></td> -<td>The current quarter hour we are in. Much like $HHOUR, but values -range from 0 to 3 (for the four quater hours that are in each hour)</td> -</tr> -<tr> -<td><b>$minute</b></td> -<td>The current minute (2-digit)</td> -</tr> -<tr> -<td><b>$myhostname</b></td> -<td>The name of the current host as it knows itself (probably useful -for filtering in a generic way)</td> -</tr> -<tr> -<td><b>$!<name></b></td> -<td>This is the "bridge" to syslog message normalization (via -<a href="mmnormalize.html">mmnormalize</a>): name is a name defined -inside the normalization rule. It has the value selected by the rule -or none if no rule with this field did match. You can also use these -properties to specify JSON fields from the CEE-enhanced syslog -message, once you parse it with <a href="mmjsonparse.html">mmjsonparse</a> -</td> -</tr> -<tr> -<td><b>$!all-json</b></td> -<td>This is the JSON part of the CEE-enhanced syslog message, which -can be parsed with <a href="mmjsonparse.html">mmjsonparse</a> -</td> -</tr> -</tbody> -</table> -<p>Properties starting with a $-sign are so-called system -properties. These do NOT stem from the message but are rather -internally-generated.</p> -<h2>Legacy Character Positions</h2> -<p><b><code>FromChar</code></b> and <b><code>toChar</code></b> -are used to build substrings. They specify the offset within the string -that should be copied. Offset counting starts at 1, so if you need to -obtain the first 2 characters of the message text, you can use this -syntax: "%msg:1:2%". If you do not whish to specify from and to, but -you want to specify options, you still need to include the colons. For -example, if you would like to convert the full message text to lower -case, use "%msg:::lowercase%". If you would like to extract from a -position until the end of the string, you can place a dollar-sign ("$") -in toChar (e.g. %msg:10:$%, which will extract from position 10 to the -end of the string).</p> -<p>There is also support for <b>regular expressions</b>. -To use them, you need to place a "R" into FromChar. This tells rsyslog -that a regular expression instead of position-based extraction is -desired. The actual regular expression must then be provided in toChar. -The regular expression <b>must</b> be followed by the -string "--end". It denotes the end of the regular expression and will -not become part of it. If you are using regular expressions, the -property replacer will return the part of the property text that -matches the regular expression. An example for a property replacer -sequence with a regular expression is: "%msg:R:.*Sev:. \(.*\) -\[.*--end%"</p> -<p>It is possible to specify some parametes after the "R". These are -comma-separated. They are: -<p>R,<regexp-type>,<submatch>,<<a href="rsyslog_conf_nomatch.html">nomatch</a>>,<match-number> -<p>regexp-type is either "BRE" for Posix basic regular expressions or -"ERE" for extended ones. The string must be given in upper case. The -default is "BRE" to be consistent with earlier versions of rsyslog that -did not support ERE. The submatch identifies the submatch to be used -with the result. A single digit is supported. Match 0 is the full match, -while 1 to 9 are the acutal submatches. The match-number identifies which match to -use, if the expression occurs more than once inside the string. Please note -that the first match is number 0, the second 1 and so on. Up to 10 matches -(up to number 9) are supported. Please note that it would be more -natural to have the match-number in front of submatch, but this would break -backward-compatibility. So the match-number must be specified after "nomatch". -<p><a href="rsyslog_conf_nomatch.html">nomatch</a> specifies what should -be used in case no match is found. -<p>The following is a sample of an ERE expression that takes the first -submatch from the message string and replaces the expression with -the full field if no match is found: -<p>%msg:R,ERE,1,FIELD:for (vlan[0-9]*):--end% -<p>and this takes the first submatch of the second match of said expression: -<p>%msg:R,ERE,1,FIELD,1:for (vlan[0-9]*):--end% -<p><b>Please note: there is also a -<a href="http://www.rsyslog.com/tool-regex">rsyslog regular expression checker/generator</a> -online tool available.</b> With that tool, you can check your regular expressions and -also generate a valid property replacer sequence. Usage of this tool is recommended. -Depending on the version offered, the tool may not cover all subleties that can -be done with the property replacer. It concentrates on the most often used cases. So it -is still useful to hand-craft expressions for demanding environments. -<p><b>Also, extraction can be done based on so-called -"fields"</b>. To do so, place a "F" into FromChar. A field in its -current definition is anything that is delimited by a delimiter -character. The delimiter by default is TAB (US-ASCII value 9). However, -if can be changed to any other US-ASCII character by specifying a comma -and the <b>decimal</b> US-ASCII value of the delimiter -immediately after the "F". For example, to use comma (",") as a -delimiter, use this field specifier: "F,44". If your syslog -data is delimited, this is a quicker way to extract than via regular -expressions (actually, a *much* quicker way). Field counting starts at -1. Field zero is accepted, but will always lead to a "field not found" -error. The same happens if a field number higher than the number of -fields in the property is requested. The field number must be placed in -the "ToChar" parameter. An example where the 3rd field (delimited by -TAB) from the msg property is extracted is as follows: "%msg:F:3%". The -same example with semicolon as delimiter is "%msg:F,59:3%".</p> -<p>Please note that the special characters "F" and "R" are -case-sensitive. Only upper case works, lower case will return an error. -There are no white spaces permitted inside the sequence (that will lead -to error messages and will NOT provide the intended result).</p> -<p>Each occurence of the field delimiter starts a new field. However, -if you add a plus sign ("+") after the field delimiter, multiple -delimiters, one immediately after the others, are treated as separate -fields. This can be useful in cases where the syslog message contains -such sequences. A frequent case may be with code that is written as -follows:</p> -<code><pre> -int n, m; -... -syslog(LOG_ERR, "%d test %6d", n, m); -</pre></code> -<p>This will result into things like this in syslog messages: -"1 test 2", -"1 test 23", -"1 test 234567" -<p>As you can see, the fields are delimited by space characters, but -their exact number is unknown. They can properly be extracted as follows: -<p> -"%msg:F,32:2%" to "%msg:F,32+:2%". -<p>This feature was suggested by Zhuang Yuyao and implemented by him. -It is modeled after perl compatible regular expressions. -</p> - -<h2>Property Options</h2> -<b><code>property options</code></b> are -case-insensitive. They are available as of version 6.5.0. -Currently, the following options are defined: -<p></p> -<table> -<tbody> -<tr> -<td><b>Name</b></td> -<td>New format. Name of the template / property / constant.</td> -</tr> -<tr> -<td><b>Outname</b></td> -<td>This field permits to specify a field name for structured-data emitting property replacer options. -It is most useful to set, for example, the name for JSON-based fields (like used in ommngodb). For -text-based modules, it is simply ignored. -If not specified, the original property name is used, with the exception of properties starting with -"$!", where that prefix is removed. Note that unnamaned constants are NOT forwarded to output modules -that expect structure (like ommnogodb). To pass constants, an outname must be set. -</tr> -<tr> -<td><b>CaseConversion</b></td> -<td>New format. Additional values below.</td> -</tr> -<tr> -<td>upper</td> -<td>convert property to lowercase only</td> -</tr> -<tr> -<td>lower</td> -<td>convert property text to uppercase only</td> -</tr> -<tr> -<td><b>DateFormat</b></td> -<td>New format, additional parameter is needed. See below.</td> -</tr> -<tr> -<td>mysql</td> -<td>format as mysql date</td> -</tr> -<tr> -<td>pgsql</td> -<td>format as pgsql date</td> -</tr> -<tr> -<td>rfc3164</td> -<td>format as RFC 3164 date</td> -</tr> -<tr> -<tr> -<td valign="top">rfc3164-buggyday</td> -<td>similar to date-rfc3164, but emulates a common coding error: RFC 3164 demands -that a space is written for single-digit days. With this option, a zero is -written instead. This format seems to be used by syslog-ng and the -date-rfc3164-buggyday option can be used in migration scenarios where otherwise -lots of scripts would need to be adjusted. It is recommended <i>not</i> to use this -option when forwarding to remote hosts - they may treat the date as invalid -(especially when parsing strictly according to RFC 3164).</td> -<br><i>This feature was introduced in rsyslog 4.6.2 and v4 versions above and -5.5.3 and all versions above.</i> -</tr> -<tr> -<td>rfc3339</td> -<td>format as RFC 3339 date</td> -</tr> -<tr> -<td>unixtimestamp</td> -<td>format as unix timestamp (seconds since epoch)</td> -</tr> -<tr> -<td>subseconds</td> -<td>just the subseconds of a timestamp (always 0 for a low precision timestamp)</td> -</tr> -<tr> -<td>pos-end-relative</td> - <td>the from and to position is relative to the end of the string - instead of the usual start of string. (available since rsyslog v7.3.10) - </td> -</tr> -<tr> -<td><b>ControlCharacters</b></td> -<td>Option values for how to process control characters</td> -</tr> -<tr> -<td valign="top">escape</td> -<td>replace control characters (ASCII value 127 and values -less then 32) with an escape sequence. The sequnce is -"#<charval>" where charval is the 3-digit decimal value -of the control character. For example, a tabulator would be replaced by -"#009".<br> -Note: using this option requires that <a href="rsconf1_escapecontrolcharactersonreceive.html">$EscapeControlCharactersOnReceive</a> -is set to off.</td> -</tr> -<tr> -<td valign="top">space</td> -<td>replace control characters by spaces<br> -Note: using this option requires that <a href="rsconf1_escapecontrolcharactersonreceive.html">$EscapeControlCharactersOnReceive</a> -is set to off.</td> -</tr> -<tr> -<td valign="top">drop</td> -<td>drop control characters - the resulting string will -neither contain control characters, escape sequences nor any other -replacement character like space.<br> -Note: using this option requires that <a href="rsconf1_escapecontrolcharactersonreceive.html">$EscapeControlCharactersOnReceive</a> -is set to off.</td> -</tr> -<tr> -<td><b>SecurePath</b></td> -<td>Option values for securing path templates.</td> -</tr> -<tr> -<td valign="top">drop</td> -<td>Drops slashes inside the field (e.g. "a/b" becomes "ab"). -Useful for secure pathname generation (with dynafiles). -</td> -</tr> -<tr> -<td valign="top">replace</td> -<td>Replace slashes inside the field by an underscore. (e.g. "a/b" becomes "a_b"). -Useful for secure pathname generation (with dynafiles). -</td> -</tr> -<tr> -<td><b>Format</b></td> -<td>Option values for the general output format.</td> -</tr> -<tr> -<td>json</td> -<td>encode the value so that it can be used inside a JSON field. This means -that several characters (according to the JSON spec) are being escaped, for -example US-ASCII LF is replaced by "\n". -The json option cannot be used together with either jsonf or csv options. -</td> -</tr> -<tr> -<td>jsonf</td> -<td><i>(available in 6.3.9+)</i> -This signifies that the property should be expressed as a json <b>f</b>ield. -That means not only the property is written, but rather a complete json field in -the format<br> -"fieldname"="value"</b> -where "filedname" is the assigend field name (or the property name if none was assigned) -and value is the end result of property replacer operation. Note that value supports -all property replacer options, like substrings, case converson and the like. -Values are properly json-escaped. However, field names are (currently) not. It is -expected that proper field names are configured. -The jsonf option cannot be used together with either json or csv options. -</td> -</tr> -<tr> -<td valign="top">csv</td> -<td>formats the resulting field (after all modifications) in CSV format -as specified in <a href="http://www.ietf.org/rfc/rfc4180.txt">RFC 4180</a>. -Rsyslog will always use double quotes. Note that in order to have full CSV-formatted -text, you need to define a proper template. An example is this one: -<br>$template csvline,"%syslogtag:::csv%,%msg:::csv%" -<br>Most importantly, you need to provide the commas between the fields -inside the template. -The csv option cannot be used together with either json or jsonf options. -<br><i>This feature was introduced in rsyslog 4.1.6.</i> -</td> -</tr> -<tr> -<td><b>droplastlf</b></td> -<td>The last LF in the message (if any), is dropped. -Especially useful for PIX.</td> -</tr> -<tr> -<td valign="top"><b>spifno1stsp</b></td> -<td>This option looks scary and should probably not be used by a user. For any field -given, it returns either a single space character or no character at all. Field content -is never returned. A space is returned if (and only if) the first character of the -field's content is NOT a space. This option is kind of a hack to solve a problem rooted -in RFC 3164: 3164 specifies no delimiter between the syslog tag sequence and the actual -message text. Almost all implementation in fact delemit the two by a space. As of -RFC 3164, this space is part of the message text itself. This leads to a problem when -building the message (e.g. when writing to disk or forwarding). Should a delimiting -space be included if the message does not start with one? If not, the tag is immediately -followed by another non-space character, which can lead some log parsers to misinterpret -what is the tag and what the message. The problem finally surfaced when the klog module -was restructured and the tag correctly written. It exists with other message sources, -too. The solution was the introduction of this special property replacer option. Now, -the default template can contain a conditional space, which exists only if the -message does not start with one. While this does not solve all issues, it should -work good enough in the far majority of all cases. If you read this text and have -no idea of what it is talking about - relax: this is a good indication you will never -need this option. Simply forget about it ;) -</td> -</tr> -<tr> -<td></td> -<td></td> -</tr> -<tr> -<td><b>New character position</b></td> -<td>In addition to the above mentioned Character Positions in the legacy format, -positions can be determined by specifying the correct options for the properties. -Again, this is mostly for using the list format.</td> -</tr> -<tr> -<td>position.From</td> -<td>Character position in the property to start from.</td> -</tr> -<tr> -<td>position.To</td> -<td>Character position that determines the end for extraction. If the value is "$" -then the end of the string will be used.</td> -</tr> -<tr> -<td>field.Number</td> -<td>The number of the field, which should be used for the search operation with Regex.</td> -</tr> -<tr> -<td>field.Delimiter</td> -<td>The Character that should delimit a field. Example: ",". Everything in a -property until this character is considered a field.</td> -</tr> -<tr> -<td>regex.Expression</td> -<td>Value to be compared to property.</td> -</tr> -<tr> -<td>regex.Type</td> -<td>Values BRE or ERE</td> -</tr> -<tr> -<td>regex.NoMatchMode</td> -<td>DFLT, BLANK, ZERO, FIELD</td> -</tr> -<tr> -<td>regex.Match</td> -<td>Match to use.</td> -</tr> -<tr> -<td>regex.Submatch</td> -<td>Submatch to use. Values 0-9 whereas 0 = All</td> -</tr> -</tbody> -</table> - - - -<h2>Legacy Property Options</h2> -<b><code>property options</code></b> are -case-insensitive. Currently, the following options are defined: -<p></p> -<table> -<tbody> -<tr> -<td><b>uppercase</b></td> -<td>convert property to lowercase only</td> -</tr> -<tr> -<td><b>lowercase</b></td> -<td>convert property text to uppercase only</td> -</tr> -<tr> -<td><b>json</b></td> -<td>encode the value so that it can be used inside a JSON field. This means -that several characters (according to the JSON spec) are being escaped, for -example US-ASCII LF is replaced by "\n". -The json option cannot be used together with either jsonf or csv options. -</td> -</tr> -<tr> -<td><b>jsonf</b></td> -<td><i>(available in 6.3.9+)</i> -This signifies that the property should be expressed as a json <b>f</b>ield. -That means not only the property is written, but rather a complete json field in -the format<br> -"fieldname"="value"</b> -where "filedname" is the assigend field name (or the property name if none was assigned) -and value is the end result of property replacer operation. Note that value supports -all property replacer options, like substrings, case converson and the like. -Values are properly json-escaped. However, field names are (currently) not. It is -expected that proper field names are configured. -The jsonf option cannot be used together with either json or csv options. -</td> -</tr> -<tr> -<td valign="top"><b>csv</b></td> -<td>formats the resulting field (after all modifications) in CSV format -as specified in <a href="http://www.ietf.org/rfc/rfc4180.txt">RFC 4180</a>. -Rsyslog will always use double quotes. Note that in order to have full CSV-formatted -text, you need to define a proper template. An example is this one: -<br>$template csvline,"%syslogtag:::csv%,%msg:::csv%" -<br>Most importantly, you need to provide the commas between the fields -inside the template. -The csv option cannot be used together with either json or jsonf options. -<br><i>This feature was introduced in rsyslog 4.1.6.</i> -</td> -</tr> -<tr> -<td><b>drop-last-lf</b></td> -<td>The last LF in the message (if any), is dropped. -Especially useful for PIX.</td> -</tr> -<tr> -<td><b>date-mysql</b></td> -<td>format as mysql date</td> -</tr> -<tr> -<td><b>date-rfc3164</b></td> -<td>format as RFC 3164 date</td> -</tr> -<tr> -<tr> -<td valign="top"><b>date-rfc3164-buggyday</b></td> -<td>similar to date-rfc3164, but emulates a common coding error: RFC 3164 demands -that a space is written for single-digit days. With this option, a zero is -written instead. This format seems to be used by syslog-ng and the -date-rfc3164-buggyday option can be used in migration scenarios where otherwise -lots of scripts would need to be adjusted. It is recommended <i>not</i> to use this -option when forwarding to remote hosts - they may treat the date as invalid -(especially when parsing strictly according to RFC 3164).</td> -<br><i>This feature was introduced in rsyslog 4.6.2 and v4 versions above and -5.5.3 and all versions above.</i> -</tr> -<tr> -<td><b>date-rfc3339</b></td> -<td>format as RFC 3339 date</td> -</tr> -<tr> -<td><b>date-unixtimestamp</b></td> -<td>format as unix timestamp (seconds since epoch)</td> -</tr> -<tr> -<td><b>date-subseconds</b></td> -<td>just the subseconds of a timestamp (always 0 for a low precision timestamp)</td> -</tr> -<tr> -<td valign="top"><b>escape-cc</b></td> -<td>replace control characters (ASCII value 127 and values -less then 32) with an escape sequence. The sequnce is -"#<charval>" where charval is the 3-digit decimal value -of the control character. For example, a tabulator would be replaced by -"#009".<br> -Note: using this option requires that <a href="rsconf1_escapecontrolcharactersonreceive.html">$EscapeControlCharactersOnReceive</a> -is set to off.</td> -</tr> -<tr> -<td valign="top"><b>space-cc</b></td> -<td>replace control characters by spaces<br> -Note: using this option requires that <a href="rsconf1_escapecontrolcharactersonreceive.html">$EscapeControlCharactersOnReceive</a> -is set to off.</td> -</tr> -<tr> -<td valign="top"><b>drop-cc</b></td> -<td>drop control characters - the resulting string will -neither contain control characters, escape sequences nor any other -replacement character like space.<br> -Note: using this option requires that <a href="rsconf1_escapecontrolcharactersonreceive.html">$EscapeControlCharactersOnReceive</a> -is set to off.</td> -</tr> -<tr> -<td valign="top"><b>sp-if-no-1st-sp</b></td> -<td>This option looks scary and should probably not be used by a user. For any field -given, it returns either a single space character or no character at all. Field content -is never returned. A space is returned if (and only if) the first character of the -field's content is NOT a space. This option is kind of a hack to solve a problem rooted -in RFC 3164: 3164 specifies no delimiter between the syslog tag sequence and the actual -message text. Almost all implementation in fact delemit the two by a space. As of -RFC 3164, this space is part of the message text itself. This leads to a problem when -building the message (e.g. when writing to disk or forwarding). Should a delimiting -space be included if the message does not start with one? If not, the tag is immediately -followed by another non-space character, which can lead some log parsers to misinterpret -what is the tag and what the message. The problem finally surfaced when the klog module -was restructured and the tag correctly written. It exists with other message sources, -too. The solution was the introduction of this special property replacer option. Now, -the default template can contain a conditional space, which exists only if the -message does not start with one. While this does not solve all issues, it should -work good enough in the far majority of all cases. If you read this text and have -no idea of what it is talking about - relax: this is a good indication you will never -need this option. Simply forget about it ;) -</td> -</tr> -<tr> -<td valign="top"><b>secpath-drop</b></td> -<td>Drops slashes inside the field (e.g. "a/b" becomes "ab"). -Useful for secure pathname generation (with dynafiles). -</td> -</tr> -<tr> -<td valign="top"><b>secpath-replace</b></td> -<td>Replace slashes inside the field by an underscore. (e.g. "a/b" becomes "a_b"). -Useful for secure pathname generation (with dynafiles). -</td> -</tr> -<tr> -<td><b>mandatory-field</b></td> -<td>In templates that are used for building field lists (in particular, ommongodb), include -this field, even if it is empty (or NULL). If not set, the field will be removed from -the output field set if empty. The latter is the default case. -</tr> -</tbody> -</table> -<p>To use multiple options, simply place them one after each other with a comma delmimiting -them. For example "escape-cc,sp-if-no-1st-sp". If you use conflicting options together, -the last one will override the previous one. For example, using "escape-cc,drop-cc" will -use drop-cc and "drop-cc,escape-cc" will use escape-cc mode. -<h2>Fieldname</h2> -<p><i>(available in 6.3.9+)</i> -<p>This field permits to specify a field name for structured-data emitting property replacer -options. It was initially introduced to support the "jsonf" option, for which it provides -the capability to set an alternative field name. If it is not specified, it defaults to -the property name. -<b>See also</b> -<ul> -<li>Article on "<a href="rsyslog_recording_pri.html">Recording -the Priority of Syslog Messages</a>" (describes use of templates -to record severity and facility of a message)</li> -<li><a href="rsyslog_conf.html">Configuration file -format</a>, this is where you actually use the property replacer.</li> -<li><a href="http://www.rsyslog.com/what-is-the-difference-between-timereported-and-timegenerated/"> -Difference between timereported and timegenerated.</li> -</ul> -<p>[<a href="manual.html">manual index</a>] -[<a href="rsyslog_conf.html">rsyslog.conf</a>] -[<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> -<p><font size="2">This documentation is part of the -<a href="http://www.rsyslog.com/">rsyslog</a> project.<br> -Copyright © 2008, 2009 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and -<a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL -version 2 or higher.</font></p> - -</body></html> |