From rgerhards at hq.adiscon.com Tue Sep 10 08:35:37 2013
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 10 Sep 2013 08:35:37 +0200
Subject: [Lognorm] log classification with liblognorm
In-Reply-To: <701C784DE99B0C4C9FDA9EDE66E23E661E4F593C1B@HQ-MB-07.ba.ad.ssa.gov>
References: <701C784DE99B0C4C9FDA9EDE66E23E661E4CAD9300@HQ-MB-07.ba.ad.ssa.gov>
	<701C784DE99B0C4C9FDA9EDE66E23E661E4CAD930B@HQ-MB-07.ba.ad.ssa.gov>
	<701C784DE99B0C4C9FDA9EDE66E23E661E4F593C1B@HQ-MB-07.ba.ad.ssa.gov>
Message-ID:

On Mon, Jul 15, 2013 at 4:07 PM, Castillo, Jose Contractor <Jose.Castillo at ssa.gov> wrote:

> Rainer,
>
> I was able to get an extra field in the output file using "annotate" in
> the rule file, but when I use more than one tag in one rule the rsyslog process
> dies (Program terminated with signal 11, Segmentation fault).
>
> I sent detailed information about this issue to the rsyslog list (thread:
> "log classification with lognorm issue")

sorry this got thrashed due to my vacation and David just reminded me again ;)

Are you still interested in solving this? Then we would probably need you to

a) move to 7.4.4
b) provide a debug log

Thanks,
Rainer

> Thanks in advance for any help.
>
> Jose
>
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, July 15, 2013 3:33 AM
> To: lognorm
> Subject: Re: [Lognorm] log classification with liblognorm
>
> David made me aware of this thread. Sorry for not responding further, I've
> been very busy and probably overlooked it. More inline...
>
> On Wed, Jun 26, 2013 at 10:41 PM, Castillo, Jose Contractor <Jose.Castillo at ssa.gov> wrote:
>
> David,
>
> I modified the template:
>
> template(name="testFormat" type="string" string="%$!all-json%,tag='%$!mytag%'")
>
> I also modified the rule to include mytag as a tag:
>
> rule=mytag:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
>
> And now I'm getting:
>
> { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" },tag=''
>
> No tags are being written to the output file.
>
> What am I doing wrong?
>
> I need to check the code, but I think you are doing everything right.
> IIRC, tags were meant as classification method for rsyslog's engine
> (if-stmts). I think outputting them was not at the table when this was
> written. I am 90% sure, and will try to verify the rest within this week.
>
> Rainer
>
> Thanks,
>
> Jose
>
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of David Lang
> Sent: Wednesday, June 26, 2013 3:11 PM
> To: lognorm
> Subject: Re: [Lognorm] log classification with liblognorm
>
> the tags are accessed in rsyslog by $!
>
> so where you would have done %hostname% you could do %$!mytag%
>
> David Lang
>
> On Wed, 26 Jun 2013, Castillo, Jose Contractor wrote:
>
> > Date: Wed, 26 Jun 2013 16:00:06 -0400
> > From: "Castillo, Jose Contractor"
> > Reply-To: lognorm
> > To: "lognorm at lists.adiscon.com"
> > Subject: [Lognorm] log classification with liblognorm
> >
> > Hello all,
> >
> > I started to play using rsyslog/liblognorm a week ago, I'm testing them
> > on a CentOS 6.4 virtual machine, and next packages have been installed from
> > Adiscon repository:
> > rsyslog-mysql-7.4.1-1.el6.x86_64
> > rsyslog-mmjsonparse-7.4.1-1.el6.x86_64
> > rsyslog-7.4.1-1.el6.x86_64
> > rsyslog-mmnormalize-7.4.1-1.el6.x86_64
> > rsyslog-udpspoof-7.4.1-1.el6.x86_64
> > rsyslog-elasticsearch-7.4.1-1.el6.x86_64
> >
> > I was reading next link, and now I'm trying to select subsets of
> > messages based on liblognorm tags.
> > http://blog.gerhards.net/2011/04/log-classification-with-liblognorm.html
> >
> > So far, I was able to parse a message using mmnormalize module, and now
> > I want to create outputs based on the liblognorm tag(s).
> > Is this option supported within rsyslog.conf? Any example how to do it?
> >
> > Below my testing files:
> >
> > =================================================================
> > rsyslog.conf file:
> > module (load="imudp")
> > module (load="mmnormalize")
> > module (load="mmjsonparse")
> >
> > input(type="imudp" address="192.168.1.1" port="514" ruleset="test")
> >
> > template(name="testFormat" type="string" string="%$!all-json%\n")
> >
> > ruleset(name="test") {
> > action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")
> > action(type="omfile" file="/data/syslog/test-syslog.log" template="testFormat") }
> >
> > rulebase.rb file:
> > rule=test:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
> >
> > test-syslog.log file:
> > { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" }
> >
> > Message:
> > "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside"
> > ======================================================================
> >
> > Thanks in advance for any help,
> >
> > Jose Castillo
> >
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
From Jose.Castillo at ssa.gov Tue Sep 10 15:04:42 2013
From: Jose.Castillo at ssa.gov (Castillo, Jose Contractor)
Date: Tue, 10 Sep 2013 09:04:42 -0400
Subject: [Lognorm] log classification with liblognorm
In-Reply-To:
References: <701C784DE99B0C4C9FDA9EDE66E23E661E4CAD9300@HQ-MB-07.ba.ad.ssa.gov>
	<701C784DE99B0C4C9FDA9EDE66E23E661E4CAD930B@HQ-MB-07.ba.ad.ssa.gov>
	<701C784DE99B0C4C9FDA9EDE66E23E661E4F593C1B@HQ-MB-07.ba.ad.ssa.gov>
Message-ID: <701C784DE99B0C4C9FDA9EDE66E23E661E6A1EC0B5@HQ-MB-07.ba.ad.ssa.gov>

I moved to version 7.4.4 and now it's working fine.

Thanks,
Jose
From rgerhards at hq.adiscon.com Tue Sep 10 15:07:02 2013
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 10 Sep 2013 15:07:02 +0200
Subject: [Lognorm] log classification with liblognorm
In-Reply-To: <701C784DE99B0C4C9FDA9EDE66E23E661E6A1EC0B5@HQ-MB-07.ba.ad.ssa.gov>
References: <701C784DE99B0C4C9FDA9EDE66E23E661E4CAD9300@HQ-MB-07.ba.ad.ssa.gov>
	<701C784DE99B0C4C9FDA9EDE66E23E661E4CAD930B@HQ-MB-07.ba.ad.ssa.gov>
	<701C784DE99B0C4C9FDA9EDE66E23E661E4F593C1B@HQ-MB-07.ba.ad.ssa.gov>
	<701C784DE99B0C4C9FDA9EDE66E23E661E6A1EC0B5@HQ-MB-07.ba.ad.ssa.gov>
Message-ID:

On Tue, Sep 10, 2013 at 3:04 PM, Castillo, Jose Contractor <Jose.Castillo at ssa.gov> wrote:

> I moved to version 7.4.4 and now it's working fine.

excellent, thx (and sorry for the delay ;))

Rainer
From Jose.Castillo at ssa.gov Wed Sep 18 18:16:57 2013
From: Jose.Castillo at ssa.gov (Castillo, Jose Contractor)
Date: Wed, 18 Sep 2013 12:16:57 -0400
Subject: [Lognorm] liblognorm rules
Message-ID: <701C784DE99B0C4C9FDA9EDE66E23E661E6B9C074B@HQ-MB-07.ba.ad.ssa.gov>

Hello,

I'm testing rsyslog/liblognorm trying to parse syslog messages from cisco devices, but in some cases liblognorm is not matching syslog messages with corresponding rules.

Please see next information and let me know if something is wrong.

===================================================================================================
# cat test.rulebase
prefix=%date:date-rfc3164%
rule=: %%SYS-5-CONFIG_I: Configured from console by console
rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console

# lognormalizer -r test.rulebase
Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console
[cee@115 originalmsg="Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console" unparsed-data=""]
Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)
[cee@115 cisco.ip="192.168.1.1" date="Sep 18 13:09:02:"]
Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)
[cee@115 cisco.ip="192.168.1.2" cisco.user="user1" date="Sep 18 13:15:29:"]
Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console
[cee@115 cisco.user="user2" date="Sep 18 13:29:28:"]
=========================================================================================================

The first message ("Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console") is not being parsed correctly.

Output from lognormalizer in verbose mode:

I'm working on a CentOS 6.4 virtual machine, and next packages have been installed:
rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
rsyslog-debuginfo-7.4.4-2.el6.x86_64
rsyslog-mysql-7.4.4-2.el6.x86_64
rsyslog-elasticsearch-7.4.4-2.el6.x86_64
rsyslog-udpspoof-7.4.4-2.el6.x86_64
rsyslog-7.4.4-2.el6.x86_64
rsyslog-mmnormalize-7.4.4-2.el6.x86_64

Jose Castillo
MicroTech ESS Contract
Phone (410) 597-0194
OTSO/DNE/NMB/NMST
Jose.Castillo at ssa.gov
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: test.txt

From cclark at quadrantsec.com Wed Sep 18 21:06:13 2013
From: cclark at quadrantsec.com (cclark)
Date: Wed, 18 Sep 2013 15:06:13 -0400
Subject: [Lognorm] liblognorm rules
In-Reply-To: <701C784DE99B0C4C9FDA9EDE66E23E661E6B9C074B@HQ-MB-07.ba.ad.ssa.gov>
References: <701C784DE99B0C4C9FDA9EDE66E23E661E6B9C074B@HQ-MB-07.ba.ad.ssa.gov>
Message-ID: <88715ae17eaf0717fe4e548df0fa6b41@quadrantsec.com>

I've seen this happen before with Cisco devices. Try this: In your rule, add a white space to the end.

So instead of this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"

Try this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console "

Note the space at the end.
--
--
- Champ Clark III
Quadrant Information Security [http://quadrantsec.com]
o: 904.296.9100 x101
o: 800.539.9357 x101

From Jose.Castillo at ssa.gov Wed Sep 18 21:42:16 2013
From: Jose.Castillo at ssa.gov (Castillo, Jose Contractor)
Date: Wed, 18 Sep 2013 15:42:16 -0400
Subject: [Lognorm] liblognorm rules
In-Reply-To: <88715ae17eaf0717fe4e548df0fa6b41@quadrantsec.com>
References: <701C784DE99B0C4C9FDA9EDE66E23E661E6B9C074B@HQ-MB-07.ba.ad.ssa.gov>
	<88715ae17eaf0717fe4e548df0fa6b41@quadrantsec.com>
Message-ID: <701C784DE99B0C4C9FDA9EDE66E23E661E6B9C07A8@HQ-MB-07.ba.ad.ssa.gov>

Thanks, but it didn't work adding a space to the end.

It works if I use only the first rule:
"rule=: %%SYS-5-CONFIG_I: Configured from console by console"

It doesn't work if the next two rules are defined:
"rule=: %%SYS-5-CONFIG_I: Configured from console by console"
"rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console"

I think it's trying to match the second rule because "console" matches %cisco.user:word% and then is trying to match the next characters, but I don't know why it is not matching the first rule.

Any additional advice?
Thanks,
Jose
From rgerhards at hq.adiscon.com Mon Sep 23 08:47:55 2013
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 23 Sep 2013 08:47:55 +0200
Subject: [Lognorm] liblognorm rules
In-Reply-To: <701C784DE99B0C4C9FDA9EDE66E23E661E6B9C07A8@HQ-MB-07.ba.ad.ssa.gov>
References: <701C784DE99B0C4C9FDA9EDE66E23E661E6B9C074B@HQ-MB-07.ba.ad.ssa.gov>
	<88715ae17eaf0717fe4e548df0fa6b41@quadrantsec.com>
	<701C784DE99B0C4C9FDA9EDE66E23E661E6B9C07A8@HQ-MB-07.ba.ad.ssa.gov>
Message-ID:

do you have the latest version of liblognorm installed? I think I remember there was such a problem I fixed a couple of weeks ago...
Rainer
From Jose.Castillo at ssa.gov Mon Sep 23 15:18:38 2013
From: Jose.Castillo at ssa.gov (Castillo, Jose Contractor)
Date: Mon, 23 Sep 2013 09:18:38 -0400
Subject: [Lognorm] liblognorm rules
In-Reply-To:
References: <701C784DE99B0C4C9FDA9EDE66E23E661E6B9C074B@HQ-MB-07.ba.ad.ssa.gov> <88715ae17eaf0717fe4e548df0fa6b41@quadrantsec.com> <701C784DE99B0C4C9FDA9EDE66E23E661E6B9C07A8@HQ-MB-07.ba.ad.ssa.gov>
Message-ID: <701C784DE99B0C4C9FDA9EDE66E23E661E727942E7@HQ-MB-07.ba.ad.ssa.gov>

Yes, below is the list of packages installed on my server from the adiscon repository:

liblognorm-0.3.6-1.el6.x86_64
liblognorm-devel-0.3.6-1.el6.x86_64
liblognorm-utils-0.3.6-1.el6.x86_64
liblognorm-debuginfo-0.3.6-1.el6.x86_64
rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
rsyslog-debuginfo-7.4.4-2.el6.x86_64
rsyslog-mysql-7.4.4-2.el6.x86_64
rsyslog-elasticsearch-7.4.4-2.el6.x86_64
rsyslog-udpspoof-7.4.4-2.el6.x86_64
rsyslog-7.4.4-2.el6.x86_64
rsyslog-mmnormalize-7.4.4-2.el6.x86_64

From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Monday, September 23, 2013 2:48 AM
To: lognorm
Subject: Re: [Lognorm] liblognorm rules

do you have the latest version of liblognorm installed? I think I remember there was such a problem I fixed a couple of weeks ago...

Rainer

On Wed, Sep 18, 2013 at 9:42 PM, Castillo, Jose Contractor wrote:

Thanks, but it didn't work adding a space to the end.

It works if I use only the first rule:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"

It doesn't work if the next two rules are defined:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"
"rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console"

I think it's trying to match the second rule because "console" matches %cisco.user:word% and then is trying to match the next characters, but I don't know why it is not matching the first rule.

Any additional advice?

Thanks,
Jose

-----Original Message-----
From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of cclark
Sent: Wednesday, September 18, 2013 3:06 PM
To: lognorm at lists.adiscon.com
Subject: Re: [Lognorm] liblognorm rules

I've seen this happen before with Cisco devices. Try this: In your rule, add a white space to the end.

So instead of this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"

Try this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console "

Note the space at the end.

On Wed, 18 Sep 2013 12:16:57 -0400, Castillo, Jose Contractor wrote:

> Hello,
>
> I'm testing rsyslog/liblognorm trying to parse syslog messages from cisco devices, but in some cases liblognorm is not matching syslog messages with corresponding rules.
>
> Please see next information and let me know if something is wrong.
>
> ===================================================================================================
>
> # cat test.rulebase
> prefix=%date:date-rfc3164%
> rule=: %%SYS-5-CONFIG_I: Configured from console by console
> rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
>
> # lognormalizer -r test.rulebase
> Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console
> [cee@115 originalmsg="Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console" unparsed-data=""]
> Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)
> [cee@115 cisco.ip="192.168.1.1" date="Sep 18 13:09:02:"]
> Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)
> [cee@115 cisco.ip="192.168.1.2" cisco.user="user1" date="Sep 18 13:15:29:"]
> Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console
> [cee@115 cisco.user="user2" date="Sep 18 13:29:28:"]
>
> =========================================================================================================
>
> The first message ("Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console") is not being parsed correctly.
>
> Output from lognormalizer in verbose mode:
>
> I'm working on a CentOS 6.4 virtual machine, and the following packages have been installed:
>
> rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
> rsyslog-debuginfo-7.4.4-2.el6.x86_64
> rsyslog-mysql-7.4.4-2.el6.x86_64
> rsyslog-elasticsearch-7.4.4-2.el6.x86_64
> rsyslog-udpspoof-7.4.4-2.el6.x86_64
> rsyslog-7.4.4-2.el6.x86_64
> rsyslog-mmnormalize-7.4.4-2.el6.x86_64
>
> Jose Castillo
> MicroTech ESS Contract
> Phone (410) 597-0194
> OTSO/DNE/NMB/NMST
> Jose.Castillo at ssa.gov [1]
>
> Links:
> ------
> [1] mailto:Jose.Castillo at ssa.gov

--
--
- Champ Clark III
Quadrant Information Security [http://quadrantsec.com]
o: 904.296.9100 x101
o: 800.539.9357 x101
_______________________________________________
Lognorm mailing list
Lognorm at lists.adiscon.com
http://lists.adiscon.net/mailman/listinfo/lognorm
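Jose's reasoning in the thread above, that `%cisco.user:word%` swallows "console" and the remaining literal " on console" then has nothing left to match, can be checked independently of liblognorm. The block below is an added example, not code from the thread, from liblognorm or from rsyslog: a toy Python rule matcher that reads the exact rulebase posted above, tries each rule on its own against the four sample messages, and reports the first rule that consumes a message completely. Its field parsers for `word`, `number`, `ipv4` and `date-rfc3164` are simplified stand-ins (an assumption, not liblognorm's implementations; the date parser accepts the trailing colon because the posted output shows `date="Sep 18 13:09:02:"`). It does not model liblognorm's shared parse tree, so it does not reproduce the failure itself; it shows what the rulebase should yield, which is the baseline to compare a fixed installation against.

```python
import re

# Constructed input: the rulebase Jose posted (prefix plus four rules), verbatim.
RULEBASE = """\
prefix=%date:date-rfc3164%
rule=: %%SYS-5-CONFIG_I: Configured from console by console
rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
"""

# Constructed input: the four messages fed to lognormalizer in the thread.
MESSAGES = [
    "Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console",
    "Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)",
    "Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)",
    "Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console",
]

# Assumption: simplified stand-ins for liblognorm's built-in field types.
# The posted output shows the date field ending in ':', so the toy date
# parser accepts an optional trailing colon.
PARSERS = {
    "word": re.compile(r"\S+"),
    "number": re.compile(r"\d+"),
    "ipv4": re.compile(r"\d{1,3}(?:\.\d{1,3}){3}"),
    "date-rfc3164": re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d:?"),
}


def compile_sample(sample):
    """Turn a rule sample into ('lit', text) and ('field', name, type) tokens."""
    tokens, lit, i = [], "", 0
    while i < len(sample):
        if sample[i] == "%":
            if sample.startswith("%%", i):        # '%%' is an escaped percent sign
                lit += "%"
                i += 2
                continue
            end = sample.index("%", i + 1)        # closing delimiter of %name:type%
            name, ptype = sample[i + 1:end].split(":", 1)
            if lit:
                tokens.append(("lit", lit))
                lit = ""
            tokens.append(("field", name, ptype))
            i = end + 1
        else:
            lit += sample[i]
            i += 1
    if lit:
        tokens.append(("lit", lit))
    return tokens


def load_rulebase(text):
    """Compile every rule= line; the prefix= tokens are prepended to each rule."""
    prefix, rules = [], []
    for line in text.splitlines():
        if line.startswith("prefix="):
            prefix = compile_sample(line[len("prefix="):])
        elif line.startswith("rule="):
            _tags, sample = line[len("rule="):].split(":", 1)   # rule=[tags]:sample
            rules.append(prefix + compile_sample(sample))
    return rules


def match_rule(tokens, msg):
    """Match one rule left to right; return its fields, or None on any mismatch."""
    pos, fields = 0, {}
    for tok in tokens:
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return None                       # literal text differs (or input ran out)
            pos += len(tok[1])
        else:
            _, name, ptype = tok
            m = PARSERS[ptype].match(msg, pos)
            if m is None:
                return None
            if name != "-":                       # '-' means parse but discard the value
                fields[name] = m.group(0)
            pos = m.end()
    return fields if pos == len(msg) else None    # the whole message must be consumed


def normalize(rules, msg):
    """Try every rule independently; return (rule_index, fields) of the first full match."""
    for idx, tokens in enumerate(rules):
        fields = match_rule(tokens, msg)
        if fields is not None:
            return idx, fields
    return None, {"originalmsg": msg}             # mirrors lognormalizer's unparsed case


if __name__ == "__main__":
    rules = load_rulebase(RULEBASE)
    for msg in MESSAGES:
        print(normalize(rules, msg))
```

Running it shows message 1 matched by rule 1 with only the date extracted, and `match_rule(rules[3], MESSAGES[0])` returning None because the literal " on console" is required after `word` has consumed "console". A useful habit when a rulebase misbehaves is exactly this kind of per-rule check: confirm what each rule should yield on the sample, then compare against the tool's actual output rather than guessing which rule it tried.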