[rsyslog] about "Property Replacer"!!

Rainer Gerhards rgerhards at hq.adiscon.com
Wed May 13 14:29:55 CEST 2009


Can it be that your database column has a max size of 20 characters and this
is the source of truncation?

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of liangjun
> Sent: Wednesday, May 13, 2009 2:25 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] about "Property Replacer"!!
> 
> %msg:F,32:2% is "DROP_url_www.sina.co", not
> "DROP_url_www.sina.com.cn:IN=eth1", and I did some other tests and found that
> %msg:F,32:2% is always 20 characters!
> 
> 
> 
> # rsyslogd -v
> rsyslogd 3.22.0, compiled with:
> FEATURE_REGEXP: Yes
> FEATURE_LARGEFILE: Yes
> FEATURE_NETZIP (message compression): Yes
> GSSAPI Kerberos 5 support: No
> FEATURE_DEBUG (debug build, slow code): No
> Atomic operations supported: Yes
> Runtime Instrumentation (slow code): No
> 
> 
> /etc/rsyslog.conf
> ---------------------------------------------------------------
> $ModLoad ommysql # To use the database functionality, MySQL must be enabled in the config file BEFORE the first database table action is used.
> $ModLoad immark.so # provides --MARK-- message capability
> $ModLoad imuxsock # provides support for local system logging
> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> #$ModLoad immark # provides --MARK-- message capability
> 
> 
> $ModLoad imudp
> $UDPServerRun 514
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> 
> #
> # Set the default permissions for all log files.
> #
> $FileOwner root
> $FileGroup adm
> $FileCreateMode 0640
> $DirCreateMode 0755
> 
> #
> # Include all config files in /etc/rsyslog.d/
> #
> $IncludeConfig /etc/rsyslog.d/*.conf
> 
> 
> ###############
> #### RULES ####
> ###############
> #
> # First some standard log files. Log by facility.
> #
> auth,authpriv.* /var/log/auth.log
> *.*;auth,authpriv.none -/var/log/syslog
> #cron.* /var/log/cron.log
> daemon.* -/var/log/daemon.log
> kern.* -/var/log/kern.log
> lpr.* -/var/log/lpr.log
> mail.* -/var/log/mail.log
> user.* -/var/log/user.log
> 
> #
> # Logging for the mail system. Split it up so that
> # it is easy to write scripts to parse these files.
> #
> mail.info -/var/log/mail.info
> mail.warn -/var/log/mail.warn
> mail.err /var/log/mail.err
> 
> #
> # Logging for INN news system.
> #
> news.crit /var/log/news/news.crit
> news.err /var/log/news/news.err
> news.notice -/var/log/news/news.notice
> 
> *.=debug;\
> auth,authpriv.none;\
> news.none;mail.none -/var/log/debug
> *.=info;*.=notice;*.=warn;\
> auth,authpriv.none;\
> cron,daemon.none;\
> mail,news.none -/var/log/messages
> 
> #
> # Emergencies are sent to everybody logged in.
> #
> *.emerg *
> 
> #
> # I like to have messages displayed on the console, but only on a virtual
> # console I usually leave idle.
> #
> #daemon,mail.*;\
> # news.=crit;news.=err;news.=notice;\
> # *.=debug;*.=info;\
> # *.=notice;*.=warn /dev/tty8
> 
> # The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
> # you must invoke `xconsole' with the `-file' option:
> #
> # $ xconsole -file /dev/xconsole [...]
> #
> # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
> # busy site..
> #
> daemon.*;mail.*;\
> news.err;\
> *.=debug;*.=info;\
> *.=notice;*.=warn |/dev/xconsole
> --------------------------------------------------------------------------------
> 
> /etc/rsyslog.d/iptables.conf
> --------------------------------------------------------------------------------
> $template ipt_msg_parse_with_orig, "insert into ipteventsbig (msg, hostname, fromhost, fromhost_ip, syslogtag, pri, pri_text, iut, syslogfacility, syslogfacility_text, syslogseverity, syslogseverity_text, timegenerated, timereported, MSGTIME, EVENT_TYPE, IN_IF, OUT_IF, MAC, SRC, DST, LEN, TOS, PREC, TTL, PROTO, SPT, DPT, SYN, ACK, RST) values ('%msg%', '%hostname%', '%fromhost%', '%fromhost-ip%', '%syslogtag%', '%pri%', '%pri-text%', '%iut%', '%syslogfacility%', '%syslogfacility-text%', '%syslogseverity%', '%syslogseverity-text%', '%timegenerated%', '%timereported%', '%msg:R,ERE,1,BLANK,0:\[([0-9]+\.[0-9]+)\]--end%', '%msg:F,32:2%', '%msg:R,ERE,1,BLANK,0:IN=([0-9a-z]+)--end%', '%msg:R,ERE,1,BLANK,0:OUT=([0-9a-z]+)--end%', '%msg:R,ERE,1,BLANK,0:MAC=([0-9a-f\:]+)--end%', '%msg:R,ERE,1,BLANK,0:SRC=([0-9\.]+)--end%', '%msg:R,ERE,1,BLANK,0:DST=([0-9\.]+)--end%', '%msg:R,ERE,1,BLANK,0:LEN=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0:TOS=(0x[0-9a-f]+)--end%', '%msg:R,ERE,1,BLANK,0:PREC=(0x[0-9a-f]+)--end%', '%msg:R,ERE,1,BLANK,0:TTL=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0:PROTO=([0-9a-zA-Z]+)--end%', '%msg:R,ERE,1,BLANK,0:SPT=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0:DPT=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0: (S)YN --end%', '%msg:R,ERE,1,BLANK,0: (A)CK --end%', '%msg:R,ERE,1,BLANK,0: (R)ST --end%' );\r\n", SQL
> if $msg contains 'IN=' and $msg contains 'OUT=' and $msg contains 'SRC=' and $msg contains 'DST=' and $msg contains 'PROTO=' then :ommysql:127.0.0.1,rsyslogdb,root,123456;ipt_msg_parse_with_orig
> --------------------------------------------------------------------------------
> > I have just checked, but I do not see this issue. Can you please post your
> > complete configuration file. Also, please let me know which version of
> > rsyslog you are using. And if it is not the latest of the branch you are
> > using, please upgrade to that.
> >
> > Thanks,
> > Rainer
> >
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> >> Sent: Wednesday, May 13, 2009 1:54 PM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] about "Property Replacer"!!
> >>
> >>
> >>
> >>
> >>> -----Original Message-----
> >>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >>> bounces at lists.adiscon.com] On Behalf Of liangjun
> >>> Sent: Wednesday, May 13, 2009 1:09 PM
> >>> To: rsyslog-users
> >>> Subject: Re: [rsyslog] about "Property Replacer"!!
> >>>
> >>> Thank you for your reply!
> >>> Yes, you are right.
> >>> But %msg:F,32:2% is "DROP_url_www.sina.co", not
> >>> "DROP_url_www.sina.com.cn:IN=eth1". Why?
> >>>
> >> Oh, I had overlooked this. Sounds like a bug, let me check...
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com
> >>
> >
> 
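The extraction the thread is arguing about, as an added example that is not part of the thread and not rsyslog code: a Python emulation of the property-replacer expressions used in the posted ipt_msg_parse_with_orig template (`%msg:F,32:2%` field extraction and the `R,ERE,1,BLANK,0` regex extractions), run over a constructed iptables LOG line. The column widths are assumptions (the table definition is not shown in the thread); EVENT_TYPE is taken as VARCHAR(20) to reproduce the symptom Rainer suspects, and `overwidth` shows what a non-strict MySQL VARCHAR would keep of each over-long value. `sql_escape` emulates the MySQL-style quote escaping the template's SQL option exists for, which matters here because the config also opens UDP/514, so the `msg` that lands in the INSERT can come from anyone on the network.

```python
"""Emulation of the property-replacer extractions in the posted
ipt_msg_parse_with_orig template. Added example; not rsyslog code."""
import re

# Constructed sample, shaped like an imklog message from an iptables LOG
# rule whose --log-prefix had no trailing space (so "IN=" is glued to the
# prefix, exactly the "DROP_url_www.sina.com.cn:IN=eth1" seen in the thread).
# Not a line taken from the thread.
SAMPLE_MSG = (
    "[12345.678901] DROP_url_www.sina.com.cn:IN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF "
    "PROTO=TCP SPT=43210 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 "
)

# Assumed column widths (hypothetical; the thread never shows the table).
ASSUMED_WIDTHS = {"EVENT_TYPE": 20, "IN_IF": 16, "SRC": 15, "DST": 15}


def field(msg, n, delim=" "):
    """%msg:F,<delim>:<n>%: the n-th delimiter-separated field, 1-based.
    Counting starts at the very first character, so a message with a
    leading delimiter has an empty field 1 and every field shifts by one."""
    parts = msg.split(delim)
    return parts[n - 1] if 0 < n <= len(parts) else ""


def regex1(msg, ere):
    """%msg:R,ERE,1,BLANK,0:<ere>--end%: submatch 1 of the first match,
    or "" (the BLANK option) when nothing matches."""
    m = re.search(ere, msg)
    return m.group(1) if m else ""


# The template's extractions, translated from ERE to Python re, in the
# template's column order.
EXTRACTORS = {
    "MSGTIME":    lambda m: regex1(m, r"\[([0-9]+\.[0-9]+)\]"),
    "EVENT_TYPE": lambda m: field(m, 2),
    "IN_IF":      lambda m: regex1(m, r"IN=([0-9a-z]+)"),
    "OUT_IF":     lambda m: regex1(m, r"OUT=([0-9a-z]+)"),
    "MAC":        lambda m: regex1(m, r"MAC=([0-9a-f:]+)"),
    "SRC":        lambda m: regex1(m, r"SRC=([0-9.]+)"),
    "DST":        lambda m: regex1(m, r"DST=([0-9.]+)"),
    "LEN":        lambda m: regex1(m, r"LEN=([0-9]+)"),
    "TOS":        lambda m: regex1(m, r"TOS=(0x[0-9a-f]+)"),
    "PREC":       lambda m: regex1(m, r"PREC=(0x[0-9a-f]+)"),
    "TTL":        lambda m: regex1(m, r"TTL=([0-9]+)"),
    "PROTO":      lambda m: regex1(m, r"PROTO=([0-9a-zA-Z]+)"),
    "SPT":        lambda m: regex1(m, r"SPT=([0-9]+)"),
    "DPT":        lambda m: regex1(m, r"DPT=([0-9]+)"),
    "SYN":        lambda m: regex1(m, r" (S)YN "),
    "ACK":        lambda m: regex1(m, r" (A)CK "),
    "RST":        lambda m: regex1(m, r" (R)ST "),
}


def extract(msg):
    """Run every extraction of the template over one message text."""
    return {col: fn(msg) for col, fn in EXTRACTORS.items()}


def overwidth(values, widths):
    """Columns whose extracted value is longer than the assumed column
    width, paired with the prefix a non-strict MySQL VARCHAR would keep
    (strict sql_mode rejects the row instead of truncating)."""
    return {
        col: (len(val), val[:widths[col]])
        for col, val in values.items()
        if col in widths and len(val) > widths[col]
    }


def sql_escape(s):
    """MySQL-style escaping of a value before it goes between single
    quotes, the job the template's SQL option does for each property."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    vals = extract(SAMPLE_MSG)
    for col, val in vals.items():
        print(f"{col:<11}= {val!r}")
    for col, (n, kept) in overwidth(vals, ASSUMED_WIDTHS).items():
        print(f"{col}: {n} chars; VARCHAR({ASSUMED_WIDTHS[col]}) keeps {kept!r}")
    print(sql_escape("DROP_x'); delete from ipteventsbig; --:IN=eth1"))
```

Run as is, the script shows EVENT_TYPE extracted in full (32 characters) and, under the assumed VARCHAR(20), kept as exactly "DROP_url_www.sina.co", the 20-character value reported in the thread. Before suspecting the replacer, compare the extracted lengths against the real table with `SHOW CREATE TABLE ipteventsbig` in MySQL.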