[Lognorm] liblognorm rules
Castillo, Jose Contractor
Jose.Castillo at ssa.gov
Wed Sep 18 18:16:57 CEST 2013
Hello,
I'm testing rsyslog/liblognorm to parse syslog messages from Cisco devices, but in some cases liblognorm is not matching syslog messages with the corresponding rules.
Please see the following information and let me know if something is wrong.
===================================================================================================
# cat test.rulebase
prefix=%date:date-rfc3164%
rule=: %%SYS-5-CONFIG_I: Configured from console by console
rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
# lognormalizer -r test.rulebase
Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console
[cee@115 originalmsg="Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console" unparsed-data=""]
Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)
[cee@115 cisco.ip="192.168.1.1" date="Sep 18 13:09:02:"]
Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)
[cee@115 cisco.ip="192.168.1.2" cisco.user="user1" date="Sep 18 13:15:29:"]
Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console
[cee@115 cisco.user="user2" date="Sep 18 13:29:28:"]
=========================================================================================================
The first message ("Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console") is not being parsed correctly.
Output from lognormalizer in verbose mode:
I'm working on a CentOS 6.4 virtual machine, and the following packages have been installed:
rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
rsyslog-debuginfo-7.4.4-2.el6.x86_64
rsyslog-mysql-7.4.4-2.el6.x86_64
rsyslog-elasticsearch-7.4.4-2.el6.x86_64
rsyslog-udpspoof-7.4.4-2.el6.x86_64
rsyslog-7.4.4-2.el6.x86_64
rsyslog-mmnormalize-7.4.4-2.el6.x86_64
Jose Castillo
MicroTech ESS Contract
Phone (410) 597-0194
OTSO/DNE/NMB/NMST
Jose.Castillo at ssa.gov
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: test.txt
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20130918/f6ff5038/attachment-0001.txt>
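Added example, not part of the original post and not liblognorm code: a small Python check that reads a lognormalizer session like the one above and lists the input messages that no rule matched, so a rulebase can be regression-tested before it is used with mmnormalize. It assumes that an output carrying originalmsg/unparsed-data means no match, as in the first result in the post; the function names are hypothetical.

```python
import re

# The lognormalizer session from the post: each input message is followed
# by the normalizer's output line.
SESSION = '''\
Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console
[cee@115 originalmsg="Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console" unparsed-data=""]
Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)
[cee@115 cisco.ip="192.168.1.1" date="Sep 18 13:09:02:"]
Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)
[cee@115 cisco.ip="192.168.1.2" cisco.user="user1" date="Sep 18 13:15:29:"]
Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console
[cee@115 cisco.user="user2" date="Sep 18 13:29:28:"]
'''

# Output lines start with the cee@115 header; a list archive may show "@" as " at ".
HEADER = re.compile(r'^\[cee(?:@| at )115\s')
# name="value" pairs; backslash-escaped quotes inside values are an assumption.
FIELD = re.compile(r'([\w.\-]+)="((?:[^"\\]|\\.)*)"')

def parse_result(line):
    """Return the fields of a lognormalizer output line, or None for an input line."""
    if not HEADER.match(line):
        return None
    return dict(FIELD.findall(line))

def triage(session_text):
    """Pair inputs with results; return (matched, failed) lists."""
    matched, failed, pending = [], [], None
    for line in filter(None, map(str.strip, session_text.splitlines())):
        fields = parse_result(line)
        if fields is None:            # an input message
            if pending is not None:   # previous input produced no output
                failed.append(pending)
            pending = line
        else:
            # No rule matched: the output carries originalmsg/unparsed-data
            # instead of extracted fields, as in the first result in the post.
            if "originalmsg" in fields or "unparsed-data" in fields:
                failed.append(fields.get("originalmsg", pending))
            else:
                matched.append((pending, fields))
            pending = None
    if pending is not None:
        failed.append(pending)
    return matched, failed

if __name__ == "__main__":
    ok, bad = triage(SESSION)
    print(f"{len(ok)} matched, {len(bad)} unmatched")
    for msg in bad:
        print("UNMATCHED:", msg)
```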