[Lognorm] log classification with liblognorm

Castillo, Jose Contractor Jose.Castillo at ssa.gov
Wed Jun 26 22:41:53 CEST 2013


David,

I modified the template:
template(name="testFormat" type="string" string="%$!all-json%,tag='%$!mytag%'")

I also modified the rule to include mytag as a tag:
rule=mytag:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside

And now I'm getting:
{ "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" },tag=''

No tags are being written to the output file.

What am I doing wrong?

Thanks,

Jose
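An added illustration of why that template prints an empty tag; it is neither code from this thread nor liblognorm's own code, but a small Python re-implementation of just the rulebase syntax used above (the word, number and ipv4 field types, and %% as a literal percent sign), applied to the rule and message quoted in the thread. The field-type regexes are constructed approximations. The point it makes visible: the tag on a rule is attached to the match beside the parsed fields, so no field called mytag ever exists for %$!mytag% to pick up.

```python
import re

# Field types that appear in the thread's rulebase, each mapped to a regex
# (constructed approximation; real liblognorm parsers are stricter).
FIELD_TYPES = {"word": r"\S+", "number": r"\d+",
               "ipv4": r"\d{1,3}(?:\.\d{1,3}){3}"}

# A sample is literal text plus %name:type% fields; '%%' is a literal '%'.
TOKEN = re.compile(r"%%|%([A-Za-z0-9_]+):([a-z0-9_]+)%")


def compile_rule(line):
    """Turn one 'rule=tag1,tag2:sample' line into (tags, anchored regex)."""
    if not line.startswith("rule="):
        raise ValueError("not a rule line: %r" % line)
    tagspec, sample = line[len("rule="):].split(":", 1)
    tags = [t for t in tagspec.split(",") if t]  # 'rule=:...' has no tags
    pattern, pos = "", 0
    for m in TOKEN.finditer(sample):
        pattern += re.escape(sample[pos:m.start()])
        if m.group(0) == "%%":
            pattern += "%"
        else:
            pattern += "(?P<%s>%s)" % (m.group(1), FIELD_TYPES[m.group(2)])
        pos = m.end()
    return tags, re.compile("^" + pattern + re.escape(sample[pos:]) + "$")


def normalize(rules, msg):
    """Parsed fields plus the tags of the first matching rule.

    Tags travel beside the fields, never inside them: a rule tagged 'mytag'
    yields no field named 'mytag', so a template's %$!mytag% stays empty."""
    for tags, rx in rules:
        m = rx.match(msg)
        if m:
            return {"fields": m.groupdict(), "tags": tags}
    return {"fields": {}, "tags": [], "unparsed": msg}


# The rule and the message quoted in the thread.
RULEBASE = ["rule=mytag:%date:word% %host:ipv4% : %%ASA-%number0:number%"
            "-%number1:number%: Denied ICMP type=%number2:number%, "
            "code=%number3:number% from %origin:ipv4% on interface outside"]
MESSAGE = ("2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP "
           "type=8, code=0 from 77.2.2.2 on interface outside")
RULES = [compile_rule(r) for r in RULEBASE]

if __name__ == "__main__":
    print(normalize(RULES, MESSAGE))
```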

-----Original Message-----
From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of David Lang
Sent: Wednesday, June 26, 2013 3:11 PM
To: lognorm
Subject: Re: [Lognorm] log classification with liblognorm

the tags are accessed in rsyslog by $!<tag name>

so where you would have done %hostname% you could do %$!mytag%

David Lang

On Wed, 26 Jun 2013, Castillo, Jose   Contractor wrote:

> Date: Wed, 26 Jun 2013 16:00:06 -0400
> From: "Castillo, Jose Contractor" <Jose.Castillo at ssa.gov>
> Reply-To: lognorm <lognorm at lists.adiscon.com>
> To: "lognorm at lists.adiscon.com" <lognorm at lists.adiscon.com>
> Subject: [Lognorm] log classification with liblognorm
>
> Hello all,
>
> I started playing with rsyslog/liblognorm a week ago. I'm testing them on a CentOS 6.4 virtual machine, and the following packages have been installed from the Adiscon repository:
> rsyslog-mysql-7.4.1-1.el6.x86_64
> rsyslog-mmjsonparse-7.4.1-1.el6.x86_64
> rsyslog-7.4.1-1.el6.x86_64
> rsyslog-mmnormalize-7.4.1-1.el6.x86_64
> rsyslog-udpspoof-7.4.1-1.el6.x86_64
> rsyslog-elasticsearch-7.4.1-1.el6.x86_64
>
> I was reading the following link, and now I'm trying to select subsets of messages based on liblognorm tags.
> http://blog.gerhards.net/2011/04/log-classification-with-liblognorm.html
>
> So far, I was able to parse a message using mmnormalize module, and now I want to create outputs based on the liblognorm tag(s).
> Is this option supported within rsyslog.conf? Any example how to do it?
>
> Below are my testing files:
>
> =================================================================
> rsyslog.conf file:
> module (load="imudp")
> module (load="mmnormalize")
> module (load="mmjsonparse")
>
> input(type="imudp" address="192.168.1.1" port="514" ruleset="test")
>
> template(name="testFormat" type="string" string="%$!all-json%\n")
>
> ruleset(name="test") {
>        action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")
>        action(type="omfile" file="/data/syslog/test-syslog.log" template="testFormat")
> }
>
> rulebase.rb file:
> rule=test:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
>
> test-syslog.log file:
> { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" }
>
> Message:
> "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside"
> ======================================================================
>
>
> Thanks in advance for any help,
>
> Jose Castillo
>

