[Lognorm] log classification with liblognorm
Rainer Gerhards
rgerhards at hq.adiscon.com
Tue Sep 10 08:35:37 CEST 2013
On Mon, Jul 15, 2013 at 4:07 PM, Castillo, Jose Contractor <
Jose.Castillo at ssa.gov> wrote:
> Rainer,
>
> I was able to get an extra field in the output file using "annotate" in
> the rule file, but when I use more than one tag in one rule the rsyslog
> process dies (Program terminated with signal 11, Segmentation fault).
>
> I sent detailed information about this issue to the rsyslog list (thread:
> "log classification with lognorm issue")
>
Sorry, this got thrashed due to my vacation and David just reminded me again
;)
Are you still interested in solving this? Then we would probably need you to
a) move to 7.4.4
b) provide a debug log
Thanks,
Rainer
>
> Thanks in advance for any help.
>
> Jose
>
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Monday, July 15, 2013 3:33 AM
> To: lognorm
> Subject: Re: [Lognorm] log classification with liblognorm
>
> David made me aware of this thread. Sorry for not responding further, I've
> been very busy and probably overlooked it. More inline...
>
> On Wed, Jun 26, 2013 at 10:41 PM, Castillo, Jose Contractor <
> Jose.Castillo at ssa.gov> wrote:
>
> David,
>
> I modified the template:
>
> template(name="testFormat" type="string" string="%$!all-json%,tag='%$!mytag%'")
>
> I also modified the rule to include mytag as a tag:
>
> rule=mytag:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
>
> And now I'm getting:
>
> { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" },tag=''
>
> No tags are being written to the output file.
>
> What am I doing wrong?
>
> I need to check the code, but I think you are doing everything right.
> IIRC, tags were meant as a classification method for rsyslog's engine
> (if-stmts). I think outputting them was not on the table when this was
> written. I am 90% sure, and will try to verify the rest within this week.
>
> Rainer
>
> Thanks,
>
> Jose
>
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of David Lang
> Sent: Wednesday, June 26, 2013 3:11 PM
> To: lognorm
> Subject: Re: [Lognorm] log classification with liblognorm
>
> The tags are accessed in rsyslog by $!<tag name>
>
> so where you would have done %hostname% you could do %$!mytag%
>
> David Lang
>
> On Wed, 26 Jun 2013, Castillo, Jose Contractor wrote:
>
> > Date: Wed, 26 Jun 2013 16:00:06 -0400
> > From: "Castillo, Jose Contractor" <Jose.Castillo at ssa.gov>
> > Reply-To: lognorm <lognorm at lists.adiscon.com>
> > To: "lognorm at lists.adiscon.com" <lognorm at lists.adiscon.com>
> > Subject: [Lognorm] log classification with liblognorm
> >
> > Hello all,
> >
> > I started to play with rsyslog/liblognorm a week ago. I'm testing them
> > on a CentOS 6.4 virtual machine, and the following packages have been
> > installed from the Adiscon repository:
> > rsyslog-mysql-7.4.1-1.el6.x86_64
> > rsyslog-mmjsonparse-7.4.1-1.el6.x86_64
> > rsyslog-7.4.1-1.el6.x86_64
> > rsyslog-mmnormalize-7.4.1-1.el6.x86_64
> > rsyslog-udpspoof-7.4.1-1.el6.x86_64
> > rsyslog-elasticsearch-7.4.1-1.el6.x86_64
> >
> > I was reading the following link, and now I'm trying to select subsets of
> > messages based on liblognorm tags.
> > http://blog.gerhards.net/2011/04/log-classification-with-liblognorm.html
> >
> > So far, I was able to parse a message using the mmnormalize module, and now
> > I want to create outputs based on the liblognorm tag(s).
> > Is this option supported within rsyslog.conf? Any example of how to do it?
> >
> > Below are my testing files:
> >
> > =================================================================
> > rsyslog.conf file:
> > module(load="imudp")
> > module(load="mmnormalize")
> > module(load="mmjsonparse")
> >
> > input(type="imudp" address="192.168.1.1" port="514" ruleset="test")
> >
> > template(name="testFormat" type="string" string="%$!all-json%\n")
> >
> > ruleset(name="test") {
> >   action(type="mmnormalize" userawmsg="on" rulebase="/data/syslog/rulebase.rb")
> >   action(type="omfile" file="/data/syslog/test-syslog.log" template="testFormat")
> > }
> >
> > rulebase.rb file:
> > rule=test:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
> >
> > test-syslog.log file:
> > { "origin": "77.2.2.2", "number3": "0", "number2": "8", "number1": "313001", "number0": "3", "host": "0.0.0.0", "date": "2013-06-26T10:47:42+01:00" }
> >
> > Message:
> > "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, code=0 from 77.2.2.2 on interface outside"
> > ======================================================================
> >
> > Thanks in advance for any help,
> >
> > Jose Castillo
> >
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
>
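The behaviour the thread circles around (a rulebase rule carrying tags, so that rsyslog can select a subset of messages by tag) modelled in Python, as an added example that is not part of the thread, of rsyslog or of liblognorm. It translates a rulebase in the syntax Jose posted into anchored regexes (note that `%%` in a rule is a literal percent sign, which is why the ASA prefix is written `%%ASA-`), normalizes the ASA line from the thread plus a second constructed line the rule does not cover, attaches the rule's tags as an `event.tags` list (the key name liblognorm uses for tags as far as I know; treat it as an assumption here) and then routes on one tag the way an rsyslog if-statement would. The field-type table, the `originalmsg`/`unparsed-data` shape for input no rule matches, and the helper names `compile_rule`, `normalize`, `has_tag` and `process` are this example's own simplifications, not liblognorm's API.

```python
import json
import re

# Constructed sample input: the ASA line from the thread plus a line the
# rule does not cover, so the unmatched path is exercised too.
SAMPLE_LINES = [
    "2013-06-26T10:47:42+01:00 0.0.0.0 : %ASA-3-313001: Denied ICMP type=8, "
    "code=0 from 77.2.2.2 on interface outside",
    "2013-06-26T10:47:43+01:00 0.0.0.0 : %ASA-6-302013: Built inbound TCP "
    "connection 12345 for outside:77.2.2.2/4711 (77.2.2.2/4711) "
    "to inside:10.0.0.5/22 (10.0.0.5/22)",
]

# Rulebase in the syntax used in the thread: rule=<tag>[,<tag>...]:<pattern>.
# Two tags on one rule, which is the case Jose reported as crashing rsyslog.
RULEBASE = r"""
rule=mytag,asa-denied:%date:word% %host:ipv4% : %%ASA-%number0:number%-%number1:number%: Denied ICMP type=%number2:number%, code=%number3:number% from %origin:ipv4% on interface outside
"""

# Assumption: only these liblognorm field types are needed; each maps to a
# regex fragment that stands in for the real parser.
FIELD_TYPES = {
    "word": r"\S+",
    "number": r"\d+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
}


def compile_rule(line):
    """Turn one 'rule=tags:pattern' line into (tags, anchored regex)."""
    if not line.startswith("rule="):
        raise ValueError("not a rule line: %r" % line)
    tags_part, pattern = line[len("rule="):].split(":", 1)
    tags = [t for t in tags_part.split(",") if t]
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("%%", i):       # '%%' is a literal percent sign
            regex += re.escape("%")
            i += 2
        elif pattern[i] == "%":               # '%name:type%' is a field
            end = pattern.index("%", i + 1)
            name, ftype = pattern[i + 1:end].split(":", 1)
            regex += "(?P<%s>%s)" % (name, FIELD_TYPES[ftype])
            i = end + 1
        else:                                 # anything else matches literally
            regex += re.escape(pattern[i])
            i += 1
    return tags, re.compile("^" + regex + "$")


def load_rulebase(text):
    return [compile_rule(l.strip()) for l in text.splitlines()
            if l.strip().startswith("rule=")]


def normalize(line, rules):
    """First matching rule wins: its fields become JSON keys and its tags go
    into 'event.tags' (assumed key name). Input no rule matches is reported
    under 'originalmsg' and 'unparsed-data', modelled on liblognorm."""
    for tags, rx in rules:
        m = rx.match(line)
        if m:
            event = m.groupdict()
            event["event.tags"] = list(tags)
            return event
    return {"originalmsg": line, "unparsed-data": line}


def has_tag(event, tag):
    """The classification test an rsyslog if-statement would make."""
    return tag in event.get("event.tags", [])


def process(lines, tag="mytag", rulebase=RULEBASE):
    """Split lines into (events carrying `tag`, everything else)."""
    rules = load_rulebase(rulebase)
    selected, rest = [], []
    for line in lines:
        event = normalize(line, rules)
        (selected if has_tag(event, tag) else rest).append(event)
    return selected, rest


if __name__ == "__main__":
    selected, rest = process(SAMPLE_LINES)
    for event in selected:        # what a "%$!all-json%" template would emit
        print(json.dumps(event))
    print("%d selected, %d not tagged" % (len(selected), len(rest)))
```

In this model a tag is an entry in the `event.tags` list, not a field named after the tag, so looking up a field called `mytag` on the event finds nothing; that is the same shape of result as the empty `tag=''` Jose saw when his template asked for `$!mytag`. Whether a given rsyslog release exposes the tag list to templates and if-statements, and under what name, is exactly the point Rainer offers to verify, so check it against the version you run (7.4.4 in his suggestion) rather than against this model.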