[Lognorm] log classification with liblognorm

David Lang david at lang.hm
Wed Jun 26 21:10:47 CEST 2013


the tags are accessed in rsyslog by $!<tag name>

so where you would have done %hostname% you could do %$!mytag%

David Lang

On Wed, 26 Jun 2013, Castillo, Jose Contractor wrote:

> Date: Wed, 26 Jun 2013 16:00:06 -0400
> From: "Castillo, Jose Contractor" <Jose.Castillo at ssa.gov>
> Reply-To: lognorm <lognorm at lists.adiscon.com>
> To: "lognorm at lists.adiscon.com" <lognorm at lists.adiscon.com>
> Subject: [Lognorm] log classification with liblognorm
> 
> Hello all,
>
> I started to play using rsyslog/liblognorm a week ago. I'm testing them on a CentOS 6.4 virtual machine, and the following packages have been installed from the Adiscon repository:
> rsyslog-mysql-7.4.1-1.el6.x86_64
> rsyslog-mmjsonparse-7.4.1-1.el6.x86_64
> rsyslog-7.4.1-1.el6.x86_64
> rsyslog-mmnormalize-7.4.1-1.el6.x86_64
> rsyslog-udpspoof-7.4.1-1.el6.x86_64
> rsyslog-elasticsearch-7.4.1-1.el6.x86_64
>
> I was reading the following link, and now I'm trying to select subsets of messages based on liblognorm tags.
> http://blog.gerhards.net/2011/04/log-classification-with-liblognorm.html
>
> So far, I was able to parse a message using mmnormalize module, and now I want to create outputs based on the liblognorm tag(s).
> Is this option supported within rsyslog.conf? Any example how to do it?
>
> Below are my testing files:
>
> =================================================================
> rsyslog.conf file:
> module (load="imudp")
> module (load="mmnormalize")
> module (load="mmjsonparse")
>
> input(type="imudp" address="192.168.1.1" port="514" ruleset="test")
>
> template(name="testFormat" type="string" string="%$!all-json%\n")
>
> ruleset(name="test") {
>        action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")
>        action(type="omfile" file="/data/syslog/test-syslog.log" template="testFormat")
> }
>
> rulebase.rb file:
> rule=test:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
>
> test-syslog.log file:
> { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" }
>
> Message:
> "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside"
> ======================================================================
>
>
> Thanks in advance for any help,
>
> Jose Castillo
>
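As an added example (not part of the thread, and not rsyslog's or liblognorm's own documentation), here is one way to route on the rule tag rather than on a parsed field, extending the rsyslog.conf posted above. It assumes the tag written before the colon in a `rule=` line is exposed to rsyslog as the `$!event.tags` field (liblognorm emits the tag list under that name), and that RainerScript's `contains` string match is enough to test for one tag in that list; the `asa-icmp` tag, the renamed fields, the second template and the output paths are made up for this example. The first thing to check on your own build is the `%$!all-json%` output: if it shows no `event.tags` field, the tags are not being passed through and the `if` below will never match.

```conf
# rulebase.rb (example): the text before the colon is the tag list.
# rule=asa-icmp:%date:word% %host:ipv4% : %%ASA-%sev:number%-%msgid:number%: Denied ICMP type=%icmp_type:number%, code=%icmp_code:number% from %origin:ipv4% on interface outside

# rsyslog.conf (example)
module(load="imudp")
module(load="mmnormalize")

input(type="imudp" address="192.168.1.1" port="514" ruleset="test")

# Full JSON of every parsed field, including event.tags: use this to confirm
# the field names before writing any filter on them.
template(name="allJson" type="string" string="%$!all-json%\n")

# A per-tag line built from the parsed fields; each liblognorm field is
# referenced as $!name, exactly as %hostname% would reference a message property.
template(name="asaDeny" type="string"
         string="%timereported% %$!host% denied ICMP %$!icmp_type%/%$!icmp_code% from %$!origin%\n")

ruleset(name="test") {
    action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")

    # Route on the liblognorm tag, not on the raw message text, so the
    # filter keeps working if the sample message format is tightened later.
    if $!event.tags contains "asa-icmp" then {
        action(type="omfile" file="/data/syslog/asa-icmp.log" template="asaDeny")
    } else {
        # Anything that matched no rule carries no tags and lands here for review.
        action(type="omfile" file="/data/syslog/unclassified.log" template="allJson")
    }
}
```

The else branch matters operationally: messages that match no rule are parsed into an empty object, so without a catch-all they vanish silently, and a rulebase that drifts out of sync with the device's message format would look like a drop in traffic rather than a parsing failure.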
_______________________________________________
Lognorm mailing list
Lognorm at lists.adiscon.com
http://lists.adiscon.net/mailman/listinfo/lognorm