[rsyslog] about "Property Replacer"!!
Rainer Gerhards
rgerhards at hq.adiscon.com
Wed May 13 14:38:13 CEST 2009
No problem at all! The good thing is that the rsyslog testbench has now grown
by one more test case for a not-yet-covered case, which is really useful :)
Rainer
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of liangjun
> Sent: Wednesday, May 13, 2009 2:36 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] about "Property Replacer"!!
>
> I'm sorry! You are right! This is a low-level error!
>
> Thank you for your reply!
>
> Best Regards!
> > Can it be that your database column has a max size of 20 characters and
> > this is the source of truncation?
> >
> > Rainer
> >
> >
> >> -----Original Message-----
> >> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >> bounces at lists.adiscon.com] On Behalf Of liangjun
> >> Sent: Wednesday, May 13, 2009 2:25 PM
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] about "Property Replacer"!!
> >>
> >> %msg:F,32:2% is "DROP_url_www.sina.co", not
> >> "DROP_url_www.sina.com.cn:IN=eth1", and I did some other tests and I found
> >> that %msg:F,32:2% is always 20 characters!
> >>
> >>
> >>
> >> # rsyslogd -v
> >> rsyslogd 3.22.0, compiled with:
> >> FEATURE_REGEXP: Yes
> >> FEATURE_LARGEFILE: Yes
> >> FEATURE_NETZIP (message compression): Yes
> >> GSSAPI Kerberos 5 support: No
> >> FEATURE_DEBUG (debug build, slow code): No
> >> Atomic operations supported: Yes
> >> Runtime Instrumentation (slow code): No
> >>
> >>
> >> /etc/rsyslog.conf
> >> ---------------------------------------------------------------
> >> $ModLoad ommysql # To use the database functionality, MySQL must be enabled in the config file BEFORE the first database table action is used.
> >> $ModLoad immark.so # provides --MARK-- message capability
> >> $ModLoad imuxsock # provides support for local system logging
> >> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> >> #$ModLoad immark # provides --MARK-- message capability
> >>
> >>
> >> $ModLoad imudp
> >> $UDPServerRun 514
> >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >>
> >> #
> >> # Set the default permissions for all log files.
> >> #
> >> $FileOwner root
> >> $FileGroup adm
> >> $FileCreateMode 0640
> >> $DirCreateMode 0755
> >>
> >> #
> >> # Include all config files in /etc/rsyslog.d/
> >> #
> >> $IncludeConfig /etc/rsyslog.d/*.conf
> >>
> >>
> >> ###############
> >> #### RULES ####
> >> ###############
> >> #
> >> # First some standard log files. Log by facility.
> >> #
> >> auth,authpriv.* /var/log/auth.log
> >> *.*;auth,authpriv.none -/var/log/syslog
> >> #cron.* /var/log/cron.log
> >> daemon.* -/var/log/daemon.log
> >> kern.* -/var/log/kern.log
> >> lpr.* -/var/log/lpr.log
> >> mail.* -/var/log/mail.log
> >> user.* -/var/log/user.log
> >>
> >> #
> >> # Logging for the mail system. Split it up so that
> >> # it is easy to write scripts to parse these files.
> >> #
> >> mail.info -/var/log/mail.info
> >> mail.warn -/var/log/mail.warn
> >> mail.err /var/log/mail.err
> >>
> >> #
> >> # Logging for INN news system.
> >> #
> >> news.crit /var/log/news/news.crit
> >> news.err /var/log/news/news.err
> >> news.notice -/var/log/news/news.notice
> >>
> >> *.=debug;\
> >> auth,authpriv.none;\
> >> news.none;mail.none -/var/log/debug
> >> *.=info;*.=notice;*.=warn;\
> >> auth,authpriv.none;\
> >> cron,daemon.none;\
> >> mail,news.none -/var/log/messages
> >>
> >> #
> >> # Emergencies are sent to everybody logged in.
> >> #
> >> *.emerg *
> >>
> >> #
> >> # I like to have messages displayed on the console, but only on a virtual
> >> # console I usually leave idle.
> >> #
> >> #daemon,mail.*;\
> >> # news.=crit;news.=err;news.=notice;\
> >> # *.=debug;*.=info;\
> >> # *.=notice;*.=warn /dev/tty8
> >>
> >> # The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
> >> # you must invoke `xconsole' with the `-file' option:
> >> #
> >> # $ xconsole -file /dev/xconsole [...]
> >> #
> >> # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
> >> # busy site..
> >> #
> >> daemon.*;mail.*;\
> >> news.err;\
> >> *.=debug;*.=info;\
> >> *.=notice;*.=warn |/dev/xconsole
> >>
> >>
> >>
> >> ---------------------------------------------------------------
> >>
> >> /etc/rsyslog.d/iptables.conf
> >> ---------------------------------------------------------------
> >> $template ipt_msg_parse_with_orig, "insert into ipteventsbig (msg,
> >> hostname, fromhost, fromhost_ip, syslogtag, pri, pri_text, iut,
> >> syslogfacility, syslogfacility_text, syslogseverity,
> >> syslogseverity_text, timegenerated, timereported, MSGTIME, EVENT_TYPE,
> >> IN_IF, OUT_IF, MAC, SRC, DST, LEN, TOS, PREC, TTL, PROTO, SPT, DPT, SYN,
> >> ACK, RST) values ('%msg%', '%hostname%', '%fromhost%', '%fromhost-ip%',
> >> '%syslogtag%', '%pri%', '%pri-text%', '%iut%', '%syslogfacility%',
> >> '%syslogfacility-text%', '%syslogseverity%', '%syslogseverity-text%',
> >> '%timegenerated%', '%timereported%',
> >> '%msg:R,ERE,1,BLANK,0:\[([0-9]+\.[0-9]+)\]--end%', '%msg:F,32:2%',
> >> '%msg:R,ERE,1,BLANK,0:IN=([0-9a-z]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:OUT=([0-9a-z]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:MAC=([0-9a-f\:]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:SRC=([0-9¥.]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:DST=([0-9¥.]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:LEN=([0-9]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:TOS=(0x[0-9a-f]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:PREC=(0x[0-9a-f]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:TTL=([0-9]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:PROTO=([0-9a-zA-Z]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:SPT=([0-9]+)--end%',
> >> '%msg:R,ERE,1,BLANK,0:DPT=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0: (S)YN --end%',
> >> '%msg:R,ERE,1,BLANK,0: (A)CK --end%', '%msg:R,ERE,1,BLANK,0: (R)ST --end%' );\r\n", SQL
> >> if $msg contains 'IN=' and $msg contains 'OUT=' and $msg contains 'SRC='
> >> and $msg contains 'DST=' and $msg contains 'PROTO=' then
> >> :ommysql:127.0.0.1,rsyslogdb,root,123456;ipt_msg_parse_with_orig
> >>
> >>
> >>
> >> ---------------------------------------------------------------
> >>
> >>> I have just checked, but I do not see this issue. Can you please post your
> >>> complete configuration file. Also, please let me know which version of
> >>> rsyslog you are using. And if it is not the latest of the branch you are
> >>> using, please upgrade to that.
> >>>
> >>> Thanks,
> >>> Rainer
> >>>
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >>>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> >>>> Sent: Wednesday, May 13, 2009 1:54 PM
> >>>> To: rsyslog-users
> >>>> Subject: Re: [rsyslog] about "Property Replacer"!!
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >>>>> bounces at lists.adiscon.com] On Behalf Of liangjun
> >>>>> Sent: Wednesday, May 13, 2009 1:09 PM
> >>>>> To: rsyslog-users
> >>>>> Subject: Re: [rsyslog] about "Property Replacer"!!
> >>>>>
> >>>>> Thank you for your reply!
> >>>>> Yes, you are right.
> >>>>> But %msg:F,32:2% is "DROP_url_www.sina.co", not
> >>>>> "DROP_url_www.sina.com.cn:IN=eth1". Why?
> >>>>>
> >>>>>
> >>>> Oh, I had overlooked this. Sounds like a bug, let me check...
> >>>> _______________________________________________
> >>>> rsyslog mailing list
> >>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>> http://www.rsyslog.com
> >>>>
> >>>>
> >>>
> >>>
> >>
> >
>
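Added example, not part of the thread and not rsyslog's own code: a Python emulation of the two property-replacer forms the quoted template uses (%msg:F,32:2% field extraction and %msg:R,ERE,1,BLANK,0:...--end% regex extraction), run over a constructed iptables kernel line, followed by a check of every extracted value against assumed VARCHAR widths. That width check is what would have caught the 20-character truncation Rainer identified before the data was silently lost. SAMPLE_MSG, COLUMN_WIDTHS and the EXTRACTORS table are assumptions; rsyslog's real extractor is the C code in the daemon and its ERE engine is POSIX regcomp(), so the patterns are kept to syntax that is valid in both POSIX ERE and Python's re.

```python
"""Emulate the two rsyslog property-replacer forms used in the template
above and check the extracted values against column widths.

Added example, not rsyslog code.  SAMPLE_MSG, COLUMN_WIDTHS and the
EXTRACTORS table are constructed for illustration; rsyslog's real
extractor is the C implementation in the daemon and its ERE engine is
POSIX regcomp(), so only syntax valid in both POSIX ERE and Python re
is used below.
"""
import re

# Constructed sample of what rsyslog exposes as %msg% for an iptables
# LOG event with --log-prefix "DROP_url_www.sina.com.cn:" and kernel
# timestamps enabled.  The kernel prints the prefix immediately before
# "IN=", so a prefix without a trailing space is glued to "IN=eth1".
SAMPLE_MSG = (
    "[12345.678901] DROP_url_www.sina.com.cn:IN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=54321 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
)


def field(msg, delim_code, n):
    """%msg:F,<delim_code>:<n>%: split on the character with that ASCII
    code and return 1-based field n, or '' if there are fewer fields.
    In SAMPLE_MSG field 1 is the kernel timestamp, so field 2 is the
    log-prefix word, which reproduces the thread's %msg:F,32:2%."""
    parts = msg.split(chr(delim_code))
    return parts[n - 1] if 0 < n <= len(parts) else ""


def regex1(msg, pattern):
    """%msg:R,ERE,1,BLANK,0:<pattern>--end%: first match, submatch 1,
    empty string (BLANK) when the pattern does not match."""
    m = re.search(pattern, msg)
    return m.group(1) if m else ""


# (column, extractor) pairs in the order of the INSERT in the template.
EXTRACTORS = [
    ("MSGTIME",    lambda m: regex1(m, r"\[([0-9]+\.[0-9]+)\]")),
    ("EVENT_TYPE", lambda m: field(m, 32, 2)),
    ("IN_IF",      lambda m: regex1(m, r"IN=([0-9a-z]+)")),
    ("OUT_IF",     lambda m: regex1(m, r"OUT=([0-9a-z]+)")),
    ("MAC",        lambda m: regex1(m, r"MAC=([0-9a-f:]+)")),
    ("SRC",        lambda m: regex1(m, r"SRC=([0-9.]+)")),
    ("DST",        lambda m: regex1(m, r"DST=([0-9.]+)")),
    ("LEN",        lambda m: regex1(m, r"LEN=([0-9]+)")),
    ("TOS",        lambda m: regex1(m, r"TOS=(0x[0-9a-f]+)")),
    ("PREC",       lambda m: regex1(m, r"PREC=(0x[0-9a-f]+)")),
    ("TTL",        lambda m: regex1(m, r"TTL=([0-9]+)")),
    ("PROTO",      lambda m: regex1(m, r"PROTO=([0-9a-zA-Z]+)")),
    ("SPT",        lambda m: regex1(m, r"SPT=([0-9]+)")),
    ("DPT",        lambda m: regex1(m, r"DPT=([0-9]+)")),
    ("SYN",        lambda m: regex1(m, r" (S)YN ")),
    ("ACK",        lambda m: regex1(m, r" (A)CK ")),
    ("RST",        lambda m: regex1(m, r" (R)ST ")),
]

# Assumed VARCHAR widths of the target table.  Hypothetical: the thread
# only reveals that the EVENT_TYPE column was 20 characters wide.
COLUMN_WIDTHS = {
    "MSGTIME": 20, "EVENT_TYPE": 20, "IN_IF": 16, "OUT_IF": 16, "MAC": 64,
    "SRC": 15, "DST": 15, "LEN": 5, "TOS": 4, "PREC": 4, "TTL": 3,
    "PROTO": 8, "SPT": 5, "DPT": 5, "SYN": 1, "ACK": 1, "RST": 1,
}


def extract(msg):
    """Return {column: value} as the template would hand it to ommysql."""
    return {col: fn(msg) for col, fn in EXTRACTORS}


def overflows(values, widths):
    """List (column, value, length, width) for every value wider than
    its column.  A MySQL server not in strict mode silently cuts these
    to the column width, giving the 'DROP_url_www.sina.co' seen in the
    thread; in strict mode the whole INSERT is rejected and the event
    never reaches the table, which is worse for a firewall audit trail."""
    return [(c, v, len(v), widths[c])
            for c, v in values.items() if len(v) > widths[c]]


if __name__ == "__main__":
    vals = extract(SAMPLE_MSG)
    for col, val in vals.items():
        print(f"{col:<10} {val!r}")
    for col, val, have, want in overflows(vals, COLUMN_WIDTHS):
        print(f"TRUNCATION: {col} needs {have} chars, column is VARCHAR({want})")
```

Run as a script it prints the extracted columns and one TRUNCATION line for EVENT_TYPE: the 32-character "DROP_url_www.sina.com.cn:IN=eth1" does not fit a 20-wide column. The glued "IN=eth1" is ordinary kernel behaviour, since the --log-prefix is printed directly in front of "IN=", so a prefix without a trailing space lands inside the first space-delimited field and pushes it past the width. The fix is to widen the column (or put a trailing space in the prefix so %msg:F,32:2% yields only the label), not to trim the value, because the interface name that gets cut is exactly the detail an investigation later needs.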