On Mon, 22 Apr 2019 at 11:00, Dmitry Smirnov (<only...@debian.org>) wrote:
>
> Hi Rainer,
>
> Thank you sincerely for your excellent work on Rsyslog.
>
> On Monday, 22 April 2019 6:34:27 PM AEST Rainer Gerhards wrote:
> > As upstream maintainer I would be interested in your use case for pmnull.
>
> I'm not sure if I have a case yet. I'm trying to experiment with centralized
> logs processing and forwarding. There are several rsyslogs on various servers
> that forward everything (over RELP) to one Rsyslog instance where messages
> are processed, converted to JSON and forwarded to Elasticsearch.
>
> While working with various types of messages originated from various places
> (Docker containers, sockets, UDP and TCP listeners) I was trying to find out
> the most effective way to process messages and to avoid things like RFC5424
> message inside RFC5424 (from double forwarding a message received by local
> rsyslog, then passed to forwarding rsyslog). At some point I tried disabling
> all parsers in ruleset to pass unmodified message to forwarding Rsyslog
> instance. Unfortunately at that point I've found that "pmnull" is not built
> in hence this bug report...
Actually, we have the "rawmsg" property. This is the message as it was
received. All pmnull does is set "msg" to "rawmsg" (and use "" for many
other properties). To forward the original content, you can simply do:

template(name="raw" type="string" string="%rawmsg%")
action(type="omfwd" target="example.com" template="raw")

That's it.

I wrote pmnull because some folks thought it would be nice to save
0.05% processing time by not unnecessarily parsing the message. I even
doubt it's that amount of performance enhancement as the messages need
to be populated in any case...

Rainer

>
> --
> All the best,
>  Dmitry Smirnov.
>
> ---
>
> Truth — Something somehow discreditable to someone.
>         -- H. L. Mencken, 1949
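
A check for the "RFC5424 message inside RFC5424" nesting described in the quoted message, as an added example that is not part of the original thread: it counts the RFC 5424 headers stacked at the front of a received line, so a depth above 1 on the collector shows that some hop re-wrapped an already formatted message. The function names and the sample lines are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# STRUCTURED-DATA is "-" or one or more [..] elements; quoted values may hold \]
_SD = r'(?:-|(?:\[(?:[^\]"]|"(?:[^"\\]|\\.)*")*\])+)'
_HEADER = re.compile(
    r'<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) '
    r'(?P<sd>' + _SD + r')(?: (?P<msg>.*))?$',
    re.DOTALL,
)


def parse_rfc5424(line):
    """Return the header fields as a dict, or None if line is not RFC 5424."""
    m = _HEADER.match(line)
    if m is None or int(m.group("pri")) > 191:  # PRI = facility*8 + severity
        return None
    return m.groupdict()


def nesting_depth(line):
    """Count how many RFC 5424 headers are stacked at the front of line."""
    depth = 0
    fields = parse_rfc5424(line)
    while fields is not None:
        depth += 1
        msg = (fields["msg"] or "").lstrip("\ufeff")  # MSG may start with a BOM
        fields = parse_rfc5424(msg)
    return depth


def innermost_message(line):
    """Strip every stacked header and return the original MSG part."""
    fields = parse_rfc5424(line)
    while fields is not None:
        line = (fields["msg"] or "").lstrip("\ufeff")
        fields = parse_rfc5424(line)
    return line


# Constructed sample lines (not taken from the thread).
ORIGINAL = '<13>1 2019-04-22T09:00:00Z web1 app 321 - - user login ok'
WRAPPED = '<13>1 2019-04-22T09:00:01Z relay1 rsyslogd - - - ' + ORIGINAL
```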