[rsyslog] liblognorm rulebase questions..
rgerhards at hq.adiscon.com
Thu Dec 16 08:35:27 CET 2010
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Champ Clark III [Softwink]
> Sent: Wednesday, December 15, 2010 8:24 PM
> To: rsyslog-users
> Subject: [rsyslog] liblognorm rulebase questions..
> This might be a bit premature, but I thought I'd bring it up.
It probably is. I had hoped to have a final extensible format available now,
but then we had some issues finding consensus on how tags look in CEE, and
this held me up. And now a big bunch of expected and unexpected work got in
my way :(
> First off, I have liblognorm working in Sagan with a kludgy
> strtok_r() hack until I understand what I'm doing wrong with
> ee_getFieldValueAsStr(), etc. The way I'm doing it right now, in
> my little test tree of code, is to have a line like this in the
> Sagan config file:
> normalize: cisco, /usr/local/etc/cisco.rulesbase
> normalize: openssh, /usr/local/etc/openssh.rulebase
> In my (Sagan) rule sets, at load time, if the rule has a
> 'normalize: cisco', then I'll call ln_loadSamples(). If we never see
> a 'normalize: openssh' option, then there's not much of a reason to
> load that liblognorm rule base.
> My first question is, has there been any more thought on
> the rulebase design? My thinking is that it'll be something along the
> lines described above. That is, a separate liblognorm rule base
> per "what you're looking for"? Is this a bad assumption?
In my original thoughts, a *single* rulebase for everything makes the most
sense, because it has the quickest parsing time. However, there are some
practical limits on that, and it sounds natural to have separate sets for
devices you can clearly differentiate. So I'd say you are not on a wrong route.
> My last question, is there any way to "bypass" the "prefix="
> option in a liblognorm rule? In my particular case, I've already
> separated much of the inbound syslog message. Really, what I want
> is the "rule=" part of the liblognorm rule. If not, then that really
> leaves me a couple of options:
"prefix" is optional. If you don't need it, just don't specify it. I
introduced prefix to support using the same rule base with different, well,
prefixes ;) For example, in rsyslog I have the raw message and the parsed MSG
part of it. If you run the normalizer on the raw message, you need a common
prefix to cover tag, date, ... If you parse the MSG part that prefix is not
present. So the core idea is to write the rules for the common format and add
different prefixes as required (or not provide a prefix at all).
> 1. "My" rules, with a blank "prefix=" (don't like this, but works).
> 2. To "rebuild" the inbound message to a RFC5424 compatible type so
> liblognorm can deal with it as normal (not bad, just an "extra"
> Any thoughts?
> Champ Clark III | Softwink, Inc | 800-538-9357 x 101
> GPG Key ID: 58A2A58F
> Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
> If it wasn't for C, we'd be using BASI, PASAL and OBOL.
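An added illustration of the prefix idea described above (constructed for this note, not a rulebase from the thread or from the liblognorm sources): the same `rule=` line, once in a rulebase for raw syslog lines where `prefix=` absorbs the header, and once in a rulebase applied to the already-separated MSG part, where no prefix is given. The field names `src`, `user` and `action` are made up for the example.

```text
# Rulebase A: run against the raw syslog line.
# The prefix matches the RFC3164 header (date, host, tag) once,
# so every rule below only has to describe the message body.
prefix=%date:date-rfc3164% %host:word% %tag:char-to:\x3a%:
rule=: connection from %src:ipv4% user %user:word% %action:word%

# Rulebase B: run against the MSG part only (header already stripped,
# as Sagan does before calling liblognorm). No prefix= line at all;
# the rule= line is identical to the one in rulebase A.
rule=: connection from %src:ipv4% user %user:word% %action:word%
```

Sample inputs (constructed): rulebase A would normalize "Dec 15 20:24:01 fw1 sshd[123]: connection from 10.1.2.3 user alice accepted", while rulebase B is given only "connection from 10.1.2.3 user alice accepted"; both yield the same src/user/action fields.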