[Lognorm] log classification with liblognorm

Castillo, Jose Contractor Jose.Castillo at ssa.gov
Wed Jun 26 22:00:06 CEST 2013


Hello all,

I started playing with rsyslog/liblognorm a week ago. I'm testing them on a CentOS 6.4 virtual machine, and the following packages have been installed from the Adiscon repository:
rsyslog-mysql-7.4.1-1.el6.x86_64
rsyslog-mmjsonparse-7.4.1-1.el6.x86_64
rsyslog-7.4.1-1.el6.x86_64
rsyslog-mmnormalize-7.4.1-1.el6.x86_64
rsyslog-udpspoof-7.4.1-1.el6.x86_64
rsyslog-elasticsearch-7.4.1-1.el6.x86_64

I was reading the following link, and now I'm trying to select subsets of messages based on liblognorm tags.
http://blog.gerhards.net/2011/04/log-classification-with-liblognorm.html

So far, I have been able to parse a message using the mmnormalize module, and now I want to create outputs based on the liblognorm tag(s).
Is this option supported within rsyslog.conf? Is there any example of how to do it?

Below are my testing files:

=================================================================
rsyslog.conf file:
module (load="imudp")
module (load="mmnormalize")
module (load="mmjsonparse")

input(type="imudp" address="192.168.1.1" port="514" ruleset="test")

template(name="testFormat" type="string" string="%$!all-json%\n")

ruleset(name="test") {
        action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")
        action(type="omfile" file="/data/syslog/test-syslog.log" template="testFormat")
}

rulebase.rb file:
rule=test:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside

test-syslog.log file:
{ "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" }

Message:
"2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside"
======================================================================


Thanks in advance for any help,

Jose Castillo
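Added example (editor's, not from the post above or from the rsyslog project): one way to route on the tag(s) a liblognorm rule carries. The rulebase keeps the ASA rule from the post but gives it two tags, and the rsyslog.conf adds a conditional action per tag. Assumptions are marked: the tag names, the extra output file names, and that mmnormalize exposes the matched rule's tags as the JSON array `event.tags` (read as `$!event.tags` in RainerScript). Since the post's `%$!all-json%` template dumps the whole normalized tree, the presence and name of that key can be confirmed in test-syslog.log before relying on it.

```rsyslog
# ---- /data/syslog/rulebase.rb -----------------------------------------
# In a liblognorm rulebase the comma-separated list between "rule=" and the
# first ":" is the tag list; the pattern after it is unchanged from the post.
# Tag names "cisco-asa" and "icmp-denied" are assumptions for this example.
rule=cisco-asa,icmp-denied:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside

# ---- rsyslog.conf ----------------------------------------------------
module(load="imudp")
module(load="mmnormalize")

input(type="imudp" address="192.168.1.1" port="514" ruleset="test")

template(name="testFormat" type="string" string="%$!all-json%\n")

ruleset(name="test") {
    # Same normalization step as the post: match the raw message (incl. header).
    action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")

    # Every message, normalized or not, still lands in the general file.
    action(type="omfile" file="/data/syslog/test-syslog.log" template="testFormat")

    # Assumption: the matched rule's tags are in $!event.tags. "contains" is a
    # substring test on the stringified array, so pick tag names that are not
    # prefixes of one another (e.g. "icmp" would also match "icmp-denied").
    if $!event.tags contains "icmp-denied" then {
        # Output path is an assumption for this example.
        action(type="omfile" file="/data/syslog/asa-icmp-denied.log" template="testFormat")
    }

    # A message that matched no rule carries no tags; rsyslog treats a missing
    # property as the empty string. Route those separately so a rulebase gap
    # shows up as a file that grows instead of as silently unclassified traffic.
    if $!event.tags == "" then {
        action(type="omfile" file="/data/syslog/unparsed.log" template="testFormat")
    }
}
```

Two practical caveats: with `userawmsg="on"` the rule must match the entire raw line including the timestamp and host, so a change in the sender's header format (for example a hostname instead of an IP) stops the rule, and therefore the tag-based routing, from firing; checking unparsed.log after any such change catches that. And because the tag check is a string match on the JSON array, keep tag names distinct rather than hierarchical if you want exact classification.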


