[rsyslog] about "Property Replacer"!!
liangjun
liangjun at osslab.org
Wed May 13 14:24:45 CEST 2009
%msg:F,32:2% gives "DROP_url_www.sina.co", not
"DROP_url_www.sina.com.cn:IN=eth1". I did some further tests and found that %msg:F,32:2% is always 20 characters long!
# rsyslogd -v
rsyslogd 3.22.0, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
/etc/rsyslog.conf
---------------------------------------------------------------
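#
# Modules. ommysql must be loaded before the first database action is
# used (the iptables template in /etc/rsyslog.d/ writes to MySQL).
# The comment continuation lines that followed the ommysql and imklog
# directives were wrapped onto lines of their own, which the config
# parser would not read as comments; they are folded back here.
#
$ModLoad ommysql  # database output; must precede any database table action
$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability (disabled; immark.so above is the one loaded)
#
# Network input: accept syslog on UDP/514. No listen-address restriction
# is set here, so any host that can reach port 514 can inject messages
# that will be matched by the rules below and in /etc/rsyslog.d/; limit
# the sending hosts at the firewall if this is not intended.
#
$ModLoad imudp
$UDPServerRun 514
# Output format used by file actions that do not name their own template.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
# A leading "-" on a file name skips the sync after each write.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole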
------------------------------------------------------------------------------------------------------------------
/etc/rsyslog.d/iptables.conf
------------------------------------------------------------------------------------------------------------------
# Template for the MySQL INSERT of iptables LOG lines. The fixed columns
# come from standard rsyslog properties; the per-packet columns are pulled
# out of %msg% with regex extractors (R,ERE,1,BLANK,0:... = capture group 1
# of an extended regex, blank when nothing matches). EVENT_TYPE is the
# second space-separated field of the message (%msg:F,32:2%); as reported
# above, with this version it comes back cut to 20 characters
# ("DROP_url_www.sina.co") rather than the whole token.
# The trailing "SQL" option makes rsyslog escape quote characters in the
# substituted values. Keep it: without it a log line containing a quote
# would terminate the string literal and break (or change) the INSERT.
$template ipt_msg_parse_with_orig, "insert into ipteventsbig (msg,
hostname, fromhost, fromhost_ip, syslogtag, pri, pri_text, iut,
syslogfacility, syslogfacility_text, syslogseverity,
syslogseverity_text, timegenerated, timereported, MSGTIME, EVENT_TYPE,
IN_IF, OUT_IF, MAC, SRC, DST, LEN, TOS, PREC, TTL, PROTO, SPT, DPT, SYN,
ACK, RST) values ('%msg%', '%hostname%', '%fromhost%', '%fromhost-ip%',
'%syslogtag%', '%pri%', '%pri-text%', '%iut%', '%syslogfacility%',
'%syslogfacility-text%', '%syslogseverity%', '%syslogseverity-text%',
'%timegenerated%', '%timereported%',
'%msg:R,ERE,1,BLANK,0:\[([0-9]+\.[0-9]+)\]--end%', '%msg:F,32:2%',
'%msg:R,ERE,1,BLANK,0:IN=([0-9a-z]+)--end%',
'%msg:R,ERE,1,BLANK,0:OUT=([0-9a-z]+)--end%',
'%msg:R,ERE,1,BLANK,0:MAC=([0-9a-f\:]+)--end%',
'%msg:R,ERE,1,BLANK,0:SRC=([0-9\.]+)--end%',
'%msg:R,ERE,1,BLANK,0:DST=([0-9\.]+)--end%',
'%msg:R,ERE,1,BLANK,0:LEN=([0-9]+)--end%',
'%msg:R,ERE,1,BLANK,0:TOS=(0x[0-9a-f]+)--end%',
'%msg:R,ERE,1,BLANK,0:PREC=(0x[0-9a-f]+)--end%',
'%msg:R,ERE,1,BLANK,0:TTL=([0-9]+)--end%',
'%msg:R,ERE,1,BLANK,0:PROTO=([0-9a-zA-Z]+)--end%',
'%msg:R,ERE,1,BLANK,0:SPT=([0-9]+)--end%',
'%msg:R,ERE,1,BLANK,0:DPT=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0: (S)YN
--end%', '%msg:R,ERE,1,BLANK,0: (A)CK --end%', '%msg:R,ERE,1,BLANK,0:
(R)ST --end%' );\r\n", SQL
# Only messages that carry the iptables LOG fields are sent to the
# database; the match is on message content, so anything delivered to the
# UDP/514 input can reach this action. The action line embeds the MySQL
# root password in clear text: use a dedicated account limited to INSERT
# on ipteventsbig and keep this file readable only by root.
if $msg contains 'IN=' and $msg contains 'OUT=' and $msg contains 'SRC='
and $msg contains 'DST=' and $msg contains 'PROTO=' then
:ommysql:127.0.0.1,rsyslogdb,root,123456;ipt_msg_parse_with_orig
------------------------------------------------------------------------------------------------------------------------------
> I have just checked, but I do not see this issue. Can you please post your
> complete configuration file. Also, please let me know which version of
> rsyslog you are using. And if it is not the latest of the branch you are
> using, please upgrade to that.
>
> Thanks,
> Rainer
>
>
>> -----Original Message-----
>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
>> Sent: Wednesday, May 13, 2009 1:54 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] about "Property Replacer"!!
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>>> bounces at lists.adiscon.com] On Behalf Of liangjun
>>> Sent: Wednesday, May 13, 2009 1:09 PM
>>> To: rsyslog-users
>>> Subject: Re: [rsyslog] about "Property Replacer"!!
>>>
>>> Thank you for your reply!
>>> Yes, you are right.
>>> But %msg:F,32:2% gives "DROP_url_www.sina.co", not
>>> "DROP_url_www.sina.com.cn:IN=eth1". Why?
>>>
>> Oh, I had overlooked this. Sounds like a bug, let me check...
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
>>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>