<div dir="ltr"><div class="gmail_extra">David made me aware of this thread. Sorry for not responding further; I've been very busy and probably overlooked it. More inline...<br></div><div class="gmail_extra"><br><div class="gmail_quote">
On Wed, Jun 26, 2013 at 10:41 PM, Castillo, Jose Contractor <span dir="ltr"><<a href="mailto:Jose.Castillo@ssa.gov" target="_blank">Jose.Castillo@ssa.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<font face="Calibri, sans-serif">
<div>David,</div>
<div> </div>
<div>I modified the template:</div>
<div>template(name="testFormat" type="string" string="%$!all-json%,tag='%$!<font color="#FF0000"><b>mytag</b></font>%'")</div>
<div> </div>
<div>I also modified the rule to include mytag as a tag:</div>
<div>rule=<font color="#FF0000"><b>mytag</b></font>:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside</div>
<div> </div>
<div>And now I'm getting:</div>
<div>{ "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" },tag=''</div>
<div> </div>
<div>No tags are being written to the output file.</div>
<div> </div>
<div>What am I doing wrong?</div></font></div></blockquote><div><br></div><div>I need to check the code, but I think you are doing everything right. IIRC, tags were meant as a classification method for rsyslog's engine (if-stmts). I think outputting them was not on the table when this was written. I am 90% sure, and will try to verify the rest within this week.<br>
</div><div>Rainer <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><font face="Calibri, sans-serif">
<div> </div>
<div>Thanks,</div><span class="HOEnZb"><font color="#888888">
<div> </div>
<div>Jose</div></font></span><div><div class="h5">
<div> </div>
<div>-----Original Message-----<br>
From: <a href="mailto:lognorm-bounces@lists.adiscon.com" target="_blank">lognorm-bounces@lists.adiscon.com</a> [<a href="mailto:lognorm-bounces@lists.adiscon.com" target="_blank">mailto:lognorm-bounces@lists.adiscon.com</a>] On Behalf Of David Lang<br>
Sent: Wednesday, June 26, 2013 3:11 PM<br>
To: lognorm<br>
Subject: Re: [Lognorm] log classification with liblognorm</div>
<div> </div>
<div>the tags are accessed in rsyslog by $!&lt;tag name&gt;</div>
<div> </div>
<div>so where you would have done %hostname% you could do %$!mytag%</div>
<div> </div>
<div>David Lang</div>
<div> </div>
<div>On Wed, 26 Jun 2013, Castillo, Jose Contractor wrote:</div>
<div> </div>
<div>> Date: Wed, 26 Jun 2013 16:00:06 -0400</div>
<div>> From: "Castillo, Jose Contractor" <<a href="mailto:Jose.Castillo@ssa.gov" target="_blank">Jose.Castillo@ssa.gov</a>></div>
<div>> Reply-To: lognorm <<a href="mailto:lognorm@lists.adiscon.com" target="_blank">lognorm@lists.adiscon.com</a>></div>
<div>> To: "<a href="mailto:lognorm@lists.adiscon.com" target="_blank">lognorm@lists.adiscon.com</a>" <<a href="mailto:lognorm@lists.adiscon.com" target="_blank">lognorm@lists.adiscon.com</a>></div>
<div>> Subject: [Lognorm] log classification with liblognorm</div>
<div>> </div>
<div>> Hello all,</div>
<div>></div>
<div>> I started playing with rsyslog/liblognorm a week ago. I'm testing them on a CentOS 6.4 virtual machine, and the following packages have been installed from the Adiscon repository:</div>
<div>> rsyslog-mysql-7.4.1-1.el6.x86_64</div>
<div>> rsyslog-mmjsonparse-7.4.1-1.el6.x86_64</div>
<div>> rsyslog-7.4.1-1.el6.x86_64</div>
<div>> rsyslog-mmnormalize-7.4.1-1.el6.x86_64</div>
<div>> rsyslog-udpspoof-7.4.1-1.el6.x86_64</div>
<div>> rsyslog-elasticsearch-7.4.1-1.el6.x86_64</div>
<div>></div>
<div>> I was reading the following link, and now I'm trying to select subsets of messages based on liblognorm tags.</div>
<div>> <a href="http://blog.gerhards.net/2011/04/log-classification-with-liblognorm.html" target="_blank">http://blog.gerhards.net/2011/04/log-classification-with-liblognorm.html</a></div>
<div>></div>
<div>> So far, I was able to parse a message using mmnormalize module, and now I want to create outputs based on the liblognorm tag(s).</div>
<div>> Is this option supported within rsyslog.conf? Any example of how to do it?</div>
<div>></div>
<div>> Below are my testing files:</div>
<div>></div>
<div>> =================================================================</div>
<div>> rsyslog.conf file:</div>
<div>> module (load="imudp")</div>
<div>> module (load="mmnormalize")</div>
<div>> module (load="mmjsonparse")</div>
<div>></div>
<div>> input(type="imudp" address="192.168.1.1" port="514" ruleset="test")</div>
<div>></div>
<div>> template(name="testFormat" type="string" string="%$!all-json%\n")</div>
<div>></div>
<div>> ruleset(name="test") {</div>
<div>> action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")</div>
<div>> action(type="omfile" file="/data/syslog/test-syslog.log" template="testFormat")</div>
<div>> }</div>
<div>></div>
<div>> rulebase.rb file:</div>
<div>> rule=test:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside</div>
<div>></div>
<div>> test-syslog.log file:</div>
<div>> { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" }</div>
<div>></div>
<div>> Message:</div>
<div>> "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside"</div>
<div>> ======================================================================</div>
<div>></div>
<div>></div>
<div>> Thanks in advance for any help,</div>
<div>></div>
<div>> Jose Castillo</div>
<div>></div>
<div>></div>
<div>></div>
<div>></div>
<div> </div>
</div></div></font>
</div>
<br>_______________________________________________<br>
Lognorm mailing list<br>
<a href="mailto:Lognorm@lists.adiscon.com">Lognorm@lists.adiscon.com</a><br>
<a href="http://lists.adiscon.net/mailman/listinfo/lognorm" target="_blank">http://lists.adiscon.net/mailman/listinfo/lognorm</a><br>
<br></blockquote></div><br></div></div>
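<div>The following is an added example and not part of the thread, nor code from rsyslog or liblognorm. It emulates the rulebase syntax discussed above in Python: the rule from Jose's message (with the tag renamed to mytag as in his follow-up) is compiled into a regular expression, the quoted ASA message is parsed into the same fields that appear in his test-syslog.log output, and the rule's tags are kept next to the parsed fields so that messages can be selected by tag, which is the classification use the thread is about. The regexes standing in for the word, ipv4 and number parsers, the comma-separated tag list, and the second unrelated log line are assumptions constructed for this example.</div>

```python
"""Added example (not rsyslog's or liblognorm's own code): a small emulator
of the rulebase syntax used in this thread. It compiles a rule such as
    rule=mytag:%date:word% %host:ipv4% : %%ASA-...
into a regular expression, parses the sample ASA message, and keeps the
rule's tags next to the parsed fields so messages can be selected by tag.
"""
import json
import re

# Rough regex equivalents of the three field parsers named in the thread.
# These are approximations chosen for this example, not liblognorm's parsers.
FIELD_PATTERNS = {
    "word": r"\S+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "number": r"\d+",
}

# The rule and message quoted in the thread (tag renamed to "mytag" as in
# Jose's follow-up). The second line is constructed and matches no rule.
RULEBASE = (
    "rule=mytag:%date:word% %host:ipv4% : %%ASA-%number0:number%-"
    "%number1:number%: Denied ICMP type=%number2:number%, "
    "code=%number3:number% from %origin:ipv4% on interface outside\n"
)
SAMPLE_MESSAGES = [
    "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, "
    "code=0 from 77.2.2.2 on interface outside",
    "2013-06-26T10:48:00+01:00 0.0.0.0 : sshd[1234]: constructed unrelated line",
]


def compile_rule(rule_line):
    """Turn 'rule=tag1,tag2:<pattern>' into (tags, anchored regex).

    '%%' is a literal percent sign; '%name:type%' becomes a named group.
    The comma-separated tag list is this example's reading of the syntax.
    """
    if not rule_line.startswith("rule="):
        raise ValueError("not a rule line: %r" % rule_line)
    tag_part, pattern = rule_line[len("rule="):].split(":", 1)
    tags = [t for t in tag_part.split(",") if t]
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("%%", i):
            parts.append("%")                       # escaped literal percent
            i += 2
        elif pattern[i] == "%":
            end = pattern.index("%", i + 1)        # closing % of the field
            name, ftype = pattern[i + 1:end].split(":", 1)
            parts.append("(?P<%s>%s)" % (name, FIELD_PATTERNS[ftype]))
            i = end + 1
        else:
            parts.append(re.escape(pattern[i]))     # literal text
            i += 1
    return tags, re.compile("^" + "".join(parts) + "$")


def load_rulebase(text):
    """Compile every 'rule=' line of a rulebase; other lines are ignored."""
    return [compile_rule(l) for l in text.splitlines() if l.startswith("rule=")]


def normalize(message, rules):
    """First matching rule wins: return {'fields': ..., 'tags': ...} or None."""
    for tags, regex in rules:
        m = regex.match(message)
        if m:
            return {"fields": m.groupdict(), "tags": tags}
    return None


def render(result):
    """Emulate a template printing the parsed fields as JSON followed by the
    rule's tags (the output the testFormat template in the thread was after)."""
    return json.dumps(result["fields"]) + ",tags=" + ",".join(result["tags"])


def select_by_tag(messages, rules, tag):
    """Classification use: keep only messages whose matching rule carries tag."""
    out = []
    for msg in messages:
        r = normalize(msg, rules)
        if r is not None and tag in r["tags"]:
            out.append(r)
    return out


if __name__ == "__main__":
    rules = load_rulebase(RULEBASE)
    for r in select_by_tag(SAMPLE_MESSAGES, rules, "mytag"):
        print(render(r))
```

<div>Running the script prints the ASA line's fields as JSON with ",tags=mytag" appended and drops the unrelated line, which is the filtering step an rsyslog if-statement on the tag would perform once the tags are exposed to the template or the engine.</div>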