[rsyslog] liblognorm rulebase questions..
Champ Clark III [Softwink]
champ at softwink.com
Wed Dec 15 20:23:42 CET 2010
This might be a bit premature, but I thought I'd bring it up.
First off, I have liblognorm working in Sagan with a kludgy
strtok_r() hack until I understand what I'm doing wrong with
ee_getFieldValueAsStr(), etc. The way I'm doing it right now, in
my little test tree of code, is to have a line like this in the
Sagan config file:
normalize: cisco, /usr/local/etc/cisco.rulesbase
normalize: openssh, /usr/local/etc/openssh.rulebase
In my (Sagan) rule sets, at load time, if the rule has a
'normalize: cisco', then I'll call ln_loadSamples(). If we never see
a 'normalize: openssh' option, then there's not much of a reason to
load that liblognorm rule base.
My first question is, has there been any more thought on
the rulebase design? My thinking is that it'll be something along the
lines described above. That is, a separate liblognorm rule base
per "what you're looking for"? Is this a bad assumption?
My last question, is there any way to "bypass" the "prefix="
option in a liblognorm rule? In my particular case, I've already
separated much of the inbound syslog message. Really, what I want
is the "rule=" part of the liblognorm rule. If not, then that really
leaves me a couple of options:
1. "My" rules, with a blank "prefix=" (don't like this, but works).
2. To "rebuild" the inbound message to a RFC5424 compatible type so
liblognorm can deal with it as normal (not bad, just an "extra"
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
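Added example, not part of the original post and not liblognorm's or Sagan's own code: a toy normalizer in Python that mimics the two pieces of the legacy liblognorm rulebase the post is asking about, the shared "prefix=" line and the per-message "rule=" lines, so the effect of a blank prefix (option 1 in the post) can be seen directly. The field types, the rule syntax (comma-separated tags, a colon, then the pattern), the sample rulebases and the log lines are all constructed here; only a small subset of liblognorm's field types is modelled.

```python
import re
from dataclasses import dataclass, field

# Subset of the field types of liblognorm's legacy %name:type% syntax, expressed as
# regex fragments (assumption: this toy covers only the types used in the samples below).
FIELD_TYPES = {
    "word": r"\S+",
    "number": r"\d+",
    "ipv4": r"\d{1,3}(?:\.\d{1,3}){3}",
    "date-rfc3164": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
}
FIELD_RE = re.compile(r"%(\w+):([\w-]+)%")


def compile_pattern(text):
    """Turn 'Accepted %method:word% from %ip:ipv4%' into an anchored regex with named groups."""
    parts, pos = [], 0
    for m in FIELD_RE.finditer(text):
        parts.append(re.escape(text[pos:m.start()]))  # literal text between two fields
        name, ftype = m.group(1), m.group(2)
        if ftype not in FIELD_TYPES:
            raise ValueError(f"unknown field type {ftype!r} in {text!r}")
        parts.append(f"(?P<{name}>{FIELD_TYPES[ftype]})")
        pos = m.end()
    parts.append(re.escape(text[pos:]))
    return re.compile("^" + "".join(parts) + "$")


@dataclass
class RuleBase:
    rules: list = field(default_factory=list)  # (tag list, compiled regex) in file order


def load_rulebase(lines):
    """Parse prefix=/rule= lines. The current prefix is prepended to every rule= that
    follows it, so a bare 'prefix=' later in the file switches the prefix off again."""
    rb, prefix = RuleBase(), ""
    for raw in lines:
        line = raw.rstrip("\r\n")  # keep inner whitespace: it is part of the pattern
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("prefix="):
            prefix = line[len("prefix="):]
        elif line.startswith("rule="):
            tags, _, pattern = line[len("rule="):].partition(":")
            rb.rules.append((tags.split(",") if tags else [], compile_pattern(prefix + pattern)))
        else:
            raise ValueError(f"unrecognised rulebase line: {line!r}")
    return rb


def normalize(rb, msg):
    """Return the event dict (tags plus extracted fields) of the first matching rule, or None."""
    for tags, rx in rb.rules:
        m = rx.match(msg)
        if m:
            return {"tags": tags, **m.groupdict()}
    return None


def load_requested(sources, requested):
    """Load only the rulebases that some detection rule actually references
    (the lazy-loading idea from the post); unreferenced ones are never parsed."""
    return {name: load_rulebase(src) for name, src in sources.items() if name in requested}


# Constructed sample rulebases (not shipped liblognorm rules). The first carries the syslog
# header once in prefix=; the second has a blank prefix so it matches a message body that
# was already separated from its header by the caller.
OPENSSH_FULL = [
    "# header once, in prefix=, then only the interesting part in each rule=",
    "prefix=%date:date-rfc3164% %host:word% sshd[%pid:number%]:",
    "rule=ssh,login: Accepted %method:word% for %user:word% from %ip:ipv4% port %port:number% ssh2",
    "rule=ssh,fail: Failed password for %user:word% from %ip:ipv4% port %port:number% ssh2",
]
OPENSSH_BODY_ONLY = [
    "prefix=",
    "rule=ssh,login:Accepted %method:word% for %user:word% from %ip:ipv4% port %port:number% ssh2",
    "rule=ssh,fail:Failed password for %user:word% from %ip:ipv4% port %port:number% ssh2",
]
SOURCES = {"openssh": OPENSSH_FULL, "openssh-body": OPENSSH_BODY_ONLY}

# Constructed log lines: the full syslog line and the body Sagan would have split off.
FULL_MSG = "Dec 15 20:23:42 gw sshd[4242]: Accepted publickey for champ from 192.0.2.10 port 51234 ssh2"
BODY_MSG = "Accepted publickey for champ from 192.0.2.10 port 51234 ssh2"

if __name__ == "__main__":
    loaded = load_requested(SOURCES, {"openssh", "openssh-body"})
    print(normalize(loaded["openssh"], FULL_MSG))
    print(normalize(loaded["openssh-body"], BODY_MSG))
    print(normalize(loaded["openssh-body"], FULL_MSG))  # None: body-only rules reject the header
```

The body-only rulebase is exactly the "blank prefix" workaround: because the regex is anchored at both ends, a rule compiled without a prefix refuses the full syslog line, while the prefixed rulebase refuses the bare body, so the two cannot be mixed in one file without a "prefix=" line between them.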