[Lognorm] log classification with liblognorm

Castillo, Jose Contractor Jose.Castillo at ssa.gov
Mon Jul 15 16:07:21 CEST 2013


Rainer,

I was able to get an extra field in the output file using "annotate" in the rule file, but when I use more than one tag in one rule the rsyslog process dies (Program terminated with signal 11, Segmentation fault).

I sent detailed information about this issue to the rsyslog list (thread: "log classification with lognorm issue").

Thanks in advance for any help.

Jose

From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Monday, July 15, 2013 3:33 AM
To: lognorm
Subject: Re: [Lognorm] log classification with liblognorm

David made me aware of this thread. Sorry for not responding further, I've been very busy and probably overlooked it. More inline...

On Wed, Jun 26, 2013 at 10:41 PM, Castillo, Jose Contractor <Jose.Castillo at ssa.gov<mailto:Jose.Castillo at ssa.gov>> wrote:
David,

I modified the template:
template(name="testFormat" type="string" string="%$!all-json%,tag='%$!mytag%'")

I also modified the rule to include mytag as a tag:
rule=mytag:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside

And now I am getting:
{ "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" },tag=''

No tags are being written to the output file.

What am I doing wrong?

I need to check the code, but I think you are doing everything right. IIRC, tags were meant as a classification method for rsyslog's engine (if-stmts). I think outputting them was not on the table when this was written. I am 90% sure, and will try to verify the rest within this week.
Rainer

Thanks,

Jose

-----Original Message-----
From: lognorm-bounces at lists.adiscon.com<mailto:lognorm-bounces at lists.adiscon.com> [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of David Lang
Sent: Wednesday, June 26, 2013 3:11 PM
To: lognorm
Subject: Re: [Lognorm] log classification with liblognorm

the tags are accessed in rsyslog by $!<tag name>

so where you would have done %hostname% you could do %$!mytag%

David Lang

On Wed, 26 Jun 2013, Castillo, Jose Contractor wrote:

> Date: Wed, 26 Jun 2013 16:00:06 -0400
> From: "Castillo, Jose Contractor" <Jose.Castillo at ssa.gov<mailto:Jose.Castillo at ssa.gov>>
> Reply-To: lognorm <lognorm at lists.adiscon.com<mailto:lognorm at lists.adiscon.com>>
> To: "lognorm at lists.adiscon.com<mailto:lognorm at lists.adiscon.com>" <lognorm at lists.adiscon.com<mailto:lognorm at lists.adiscon.com>>
> Subject: [Lognorm] log classification with liblognorm
>
> Hello all,
>
> I started to play with rsyslog/liblognorm a week ago. I'm testing them on a CentOS 6.4 virtual machine, and the following packages have been installed from the Adiscon repository:
> rsyslog-mysql-7.4.1-1.el6.x86_64
> rsyslog-mmjsonparse-7.4.1-1.el6.x86_64
> rsyslog-7.4.1-1.el6.x86_64
> rsyslog-mmnormalize-7.4.1-1.el6.x86_64
> rsyslog-udpspoof-7.4.1-1.el6.x86_64
> rsyslog-elasticsearch-7.4.1-1.el6.x86_64
>
> I was reading the following link, and now I'm trying to select subsets of messages based on liblognorm tags.
> http://blog.gerhards.net/2011/04/log-classification-with-liblognorm.html
>
> So far, I was able to parse a message using mmnormalize module, and now I want to create outputs based on the liblognorm tag(s).
> Is this option supported within rsyslog.conf? Any example how to do it?
>
> Below are my testing files:
>
> =================================================================
> rsyslog.conf file:
> module (load="imudp")
> module (load="mmnormalize")
> module (load="mmjsonparse")
>
> input(type="imudp" address="192.168.1.1" port="514" ruleset="test")
>
> template(name="testFormat" type="string" string="%$!all-json%\n")
>
> ruleset(name="test") {
>        action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")
>        action(type="omfile" file="/data/syslog/test-syslog.log" template="testFormat")
> }
>
> rulebase.rb file:
> rule=test:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
>
> test-syslog.log file:
> { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" }
>
> Message:
> "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside"
> ======================================================================
>
>
> Thanks in advance for any help,
>
> Jose Castillo
>
>
>
>


_______________________________________________
Lognorm mailing list
Lognorm at lists.adiscon.com<mailto:Lognorm at lists.adiscon.com>
http://lists.adiscon.net/mailman/listinfo/lognorm
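As an added example (not code from the thread, from rsyslog or from liblognorm itself): a small Python stand-in for the rule-base mechanics discussed above. It compiles a `rule=tags:pattern` line into a regex using simplified versions of the word/ipv4/number field types, parses the ASA message from the thread, and shows why `%$!mytag%` comes back empty in the template: the tag is rule metadata kept beside the parsed fields (here under a constructed `event.tags` key, modelled on liblognorm's naming), not a field of its own.

```python
import json
import re

# Constructed input: the thread's rule and message, with a second tag to mirror Jose's multi-tag rule.
RULE = ("rule=mytag,icmp-denied:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: "
        "Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside")
MESSAGE = ("2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: "
           "Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside")

# Simplified stand-ins for the three liblognorm field types the rule uses (the real matchers are stricter).
FIELD_TYPES = {"word": r"\S+", "number": r"\d+", "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}"}
FIELD_RE = re.compile(r"%([A-Za-z0-9_]+):([a-z0-9]+)%")

def compile_rule(rule_line):
    """Split 'rule=tag1,tag2:pattern' into its tag list and an anchored regex."""
    if not rule_line.startswith("rule="):
        raise ValueError("not a rule line: %r" % rule_line)
    tags_part, pattern = rule_line[len("rule="):].split(":", 1)
    tags = [t for t in tags_part.split(",") if t]
    parts, pos = [], 0
    while pos < len(pattern):
        if pattern.startswith("%%", pos):        # '%%' is an escaped literal percent sign
            parts.append(re.escape("%"))
            pos += 2
            continue
        m = FIELD_RE.match(pattern, pos)
        if m:                                    # %name:type% becomes a named capture group
            name, ftype = m.groups()
            parts.append("(?P<%s>%s)" % (name, FIELD_TYPES[ftype]))
            pos = m.end()
        else:                                    # anything else is literal text
            parts.append(re.escape(pattern[pos]))
            pos += 1
    return tags, re.compile("^" + "".join(parts) + "$")

def normalize(rule_line, message):
    """Return the parsed fields plus the rule's tags, or an unparsed marker when nothing matches."""
    tags, regex = compile_rule(rule_line)
    m = regex.match(message)
    if not m:
        return {"unparsed-data": message}
    fields = m.groupdict()
    # The tags belong to the rule, not to any field, so a template reference such as
    # %$!mytag% finds nothing. Assumption: key name modelled on liblognorm's "event.tags".
    fields["event.tags"] = tags
    return fields

if __name__ == "__main__":
    print(json.dumps(normalize(RULE, MESSAGE), sort_keys=True))
```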
