[Lognorm] log classification with liblognorm
Rainer Gerhards
rgerhards at hq.adiscon.com
Mon Jul 15 09:32:45 CEST 2013
David made me aware of this thread. Sorry for not responding further, I've
been very busy and probably overlooked it. More inline...
On Wed, Jun 26, 2013 at 10:41 PM, Castillo, Jose Contractor <Jose.Castillo at ssa.gov> wrote:
> David,
>
> I modified the template:
> template(name="testFormat" type="string" string="%$!all-json%,tag='%$!*mytag*%'")
>
> I also modified the rule to include mytag as a tag:
> rule=*mytag*:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
>
> And now I am getting:
> { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" },tag=''
>
> No tags are being written to the output file.
>
> What am I doing wrong?
>
I need to check the code, but I think you are doing everything right. IIRC,
tags were meant as a classification method for rsyslog's engine (if-stmts). I
think outputting them was not on the table when this was written. I am 90%
sure, and will try to verify the rest within this week.
Rainer
>
> Thanks,
>
> Jose
>
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of David Lang
> Sent: Wednesday, June 26, 2013 3:11 PM
> To: lognorm
> Subject: Re: [Lognorm] log classification with liblognorm
>
> the tags are accessed in rsyslog by $!<tag name>
>
> so where you would have done %hostname% you could do %$!mytag%
>
> David Lang
>
> On Wed, 26 Jun 2013, Castillo, Jose Contractor wrote:
>
> > Date: Wed, 26 Jun 2013 16:00:06 -0400
> > From: "Castillo, Jose Contractor" <Jose.Castillo at ssa.gov>
> > Reply-To: lognorm <lognorm at lists.adiscon.com>
> > To: "lognorm at lists.adiscon.com" <lognorm at lists.adiscon.com>
> > Subject: [Lognorm] log classification with liblognorm
> >
> > Hello all,
> >
> > I started playing with rsyslog/liblognorm a week ago. I'm testing them on a CentOS 6.4 virtual machine, and the following packages have been installed from the Adiscon repository:
> > rsyslog-mysql-7.4.1-1.el6.x86_64
> > rsyslog-mmjsonparse-7.4.1-1.el6.x86_64
> > rsyslog-7.4.1-1.el6.x86_64
> > rsyslog-mmnormalize-7.4.1-1.el6.x86_64
> > rsyslog-udpspoof-7.4.1-1.el6.x86_64
> > rsyslog-elasticsearch-7.4.1-1.el6.x86_64
> >
> > I was reading the following link, and now I'm trying to select subsets of messages based on liblognorm tags.
> > http://blog.gerhards.net/2011/04/log-classification-with-liblognorm.html
> >
> > So far, I was able to parse a message using the mmnormalize module, and now I want to create outputs based on the liblognorm tag(s).
> > Is this option supported within rsyslog.conf? Any example how to do it?
> >
> > Below my testing files:
> >
> > =================================================================
> > rsyslog.conf file:
> > module (load="imudp")
> > module (load="mmnormalize")
> > module (load="mmjsonparse")
> >
> > input(type="imudp" address="192.168.1.1" port="514" ruleset="test")
> >
> > template(name="testFormat" type="string" string="%$!all-json%\n")
> >
> > ruleset(name="test") {
> >     action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")
> >     action(type="omfile" file="/data/syslog/test-syslog.log" template="testFormat")
> > }
> >
> > rulebase.rb file:
> > rule=test:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
> >
> > test-syslog.log file:
> > { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1":
> > "313001", "number0": "3", "host": "0.0.0.0", "date":
> > "2013-06-26T10:47:42+01:00" }
> >
> > Message:
> > "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8,
> code=0 from 77.2.2.2 on interface outside"
> > ======================================================================
> >
> >
> > Thanks in advance for any help,
> >
> > Jose Castillo
> >
> >
> >
> >
>
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
>
>
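The rulebase and routing discussed in this thread, as an added example that is not part of the original thread and not liblognorm or rsyslog code. It emulates in Python what mmnormalize does with a v1-style rulebase (`rule=tags:pattern`, `%name:type%` fields, `%%` for a literal percent sign) on the ASA line Jose posted, then routes the event on the rule's tags the way an rsyslog if-stmt would. Assumptions: the field types word, ipv4 and number are approximated with regexes (real liblognorm builds a parse tree and has many more types), the tag names, output file names, the sshd rule and the sshd and kernel sample lines are all constructed for the example.

```python
"""Emulation of mmnormalize + a liblognorm v1 rulebase, then tag-based routing.
Not liblognorm itself: only the three field types used by the thread's rule
(word, ipv4, number) and the '%%' literal-percent escape are supported, and
they are approximated with regular expressions (an assumption of this example).
"""
import json
import re

# Regex stand-ins for liblognorm's field parsers (assumption, see above).
FIELD_TYPES = {
    "word": r"\S+",                       # up to the next whitespace
    "number": r"\d+",                     # unsigned decimal
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",   # dotted quad
}

# Either the '%%' escape or a '%name:type%' field reference.
_TOKEN_RE = re.compile(r"%%|%([A-Za-z_][A-Za-z0-9_]*):([a-z0-9-]+)%")


def compile_rule(rule_line):
    """Turn 'rule=tag1,tag2:pattern' into (tags, anchored regex).

    In a v1 rulebase the text between 'rule=' and the first ':' is the
    comma-separated tag list; everything after that ':' is the pattern.
    """
    if not rule_line.startswith("rule="):
        raise ValueError("not a rule line: %r" % rule_line)
    tagpart, sep, pattern = rule_line[len("rule="):].partition(":")
    if not sep:
        raise ValueError("rule has no ':' separating tags from pattern")
    tags = [t.strip() for t in tagpart.split(",") if t.strip()]
    parts, pos = [], 0
    for m in _TOKEN_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))   # literal text
        if m.group(0) == "%%":
            parts.append("%")                              # escaped percent
        else:
            name, ftype = m.group(1), m.group(2)
            if ftype not in FIELD_TYPES:
                raise ValueError("unsupported field type %r" % ftype)
            parts.append("(?P<%s>%s)" % (name, FIELD_TYPES[ftype]))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return tags, re.compile("^" + "".join(parts) + "$")


def load_rulebase(text):
    """Compile every 'rule=' line; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(compile_rule(line))
    return rules


def normalize(rules, message):
    """First matching rule wins: (fields, tags), or ({}, []) if nothing matches."""
    for tags, rx in rules:
        m = rx.match(message)
        if m:
            return m.groupdict(), list(tags)
    return {}, []


def route(tags):
    """Choose an output file from the tags, the if-stmt style classification
    the thread is about. The file names are constructed for this example."""
    if "asa" in tags and "denied" in tags:
        return "/data/syslog/asa-denied.log"
    if "ssh-auth-failure" in tags:
        return "/data/syslog/ssh-failures.log"
    return "/data/syslog/unparsed.log"


def render(fields, tags):
    """Mimic the thread's template: parsed fields as JSON, then the tags."""
    return json.dumps(fields, sort_keys=True) + ",tag='" + ",".join(tags) + "'"


# Constructed rulebase: the thread's ASA rule with the tags 'asa,denied', plus
# a constructed sshd rule so routing has two classes to tell apart.
RULEBASE = """\
# constructed rulebase for this example
rule=asa,denied:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
rule=ssh-auth-failure:Failed password for invalid user %user:word% from %src:ipv4% port %sport:number% ssh2
"""

# Sample input: the ASA line from the thread, a constructed sshd line, and a
# constructed line that no rule covers.
SAMPLE_MESSAGES = [
    "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside",
    "Failed password for invalid user admin from 10.0.0.5 port 4242 ssh2",
    "kernel: eth0: link up",
]


def process(messages, rulebase_text=RULEBASE):
    """Normalize each message; return [(output_file, rendered_line), ...]."""
    rules = load_rulebase(rulebase_text)
    return [(route(tags), render(fields, tags))
            for fields, tags in (normalize(rules, m) for m in messages)]


if __name__ == "__main__":
    for target, line in process(SAMPLE_MESSAGES):
        print(target, line)
```

The ASA line yields the same field values that appear in Jose's test-syslog.log, and the unmatched kernel line falls through to the catch-all file with empty fields and no tags, which is the case a rulebase author should always plan for when routing on tags.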