[Lognorm] liblognorm rules

Castillo, Jose Contractor Jose.Castillo at ssa.gov
Wed Sep 18 21:42:16 CEST 2013


Thanks, but it didn't work adding a space to the end.

It works if I use only the first rule:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"

It doesn't work if the next two rules are defined:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"
"rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console"

I think it's trying to match the second rule because "console" matches %cisco.user:word% and then it is trying to match the next characters, but I don't know why it is not matching the first rule.

Any additional advice?

Thanks,

Jose

-----Original Message-----
From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of cclark
Sent: Wednesday, September 18, 2013 3:06 PM
To: lognorm at lists.adiscon.com
Subject: Re: [Lognorm] liblognorm rules

I've seen this happen before with Cisco devices. Try this: in your rule, add a whitespace to the end.

So instead of this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"

Try this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console "

Note the space at the end.

On Wed, 18 Sep 2013 12:16:57 -0400, Castillo, Jose Contractor wrote:

> Hello,
>
> I'm testing rsyslog/liblognorm trying to parse syslog messages from
> cisco devices, but in some cases liblognorm is not matching syslog
> messages with corresponding rules.
>
> Please see the next information and let me know if something is wrong.
>
> ===================================================================================================
>
> # cat test.rulebase
> prefix=%date:date-rfc3164%
> rule=: %%SYS-5-CONFIG_I: Configured from console by console
> rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
>
> # lognormalizer -r test.rulebase
> Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console
> [cee@115 originalmsg="Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console" unparsed-data=""]
> Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)
> [cee@115 cisco.ip="192.168.1.1" date="Sep 18 13:09:02:"]
> Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)
> [cee@115 cisco.ip="192.168.1.2" cisco.user="user1" date="Sep 18 13:15:29:"]
> Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console
> [cee@115 cisco.user="user2" date="Sep 18 13:29:28:"]
>
> ===================================================================================================
>
> The first message ("Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console") is not being parsed correctly.
>
> Output from lognormalizer in verbose mode:
>
> I'm working on a CentOS 6.4 virtual machine, and the next packages have
> been installed:
>
> rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
> rsyslog-debuginfo-7.4.4-2.el6.x86_64
> rsyslog-mysql-7.4.4-2.el6.x86_64
> rsyslog-elasticsearch-7.4.4-2.el6.x86_64
> rsyslog-udpspoof-7.4.4-2.el6.x86_64
> rsyslog-7.4.4-2.el6.x86_64
> rsyslog-mmnormalize-7.4.4-2.el6.x86_64
>
> Jose Castillo
> MicroTech ESS Contract
> Phone (410) 597-0194
> OTSO/DNE/NMB/NMST
> Jose.Castillo at ssa.gov<mailto:Jose.Castillo at ssa.gov> [1]
>
> Links:
> ------
> [1] mailto:Jose.Castillo at ssa.gov



--
- Champ Clark III
   Quadrant Information Security [http://quadrantsec.com]
   o: 904.296.9100 x101
   o: 800.539.9357 x101

_______________________________________________
Lognorm mailing list
Lognorm at lists.adiscon.com<mailto:Lognorm at lists.adiscon.com>
http://lists.adiscon.net/mailman/listinfo/lognorm
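
The behaviour Jose describes for the fourth rule (the word field swallowing "console", after which the literal " on console" has nothing left to match) is exactly what a full-match rule engine should do, and it must not prevent the first rule from matching. As an added example, not liblognorm's code and not anything posted in this thread, the Python below is a hypothetical, deliberately simplified model of the rulebase syntax used above (prefix=, rule=, %name:type% fields, %% for a literal percent sign, "-" as a discard name) with regex stand-ins for the date-rfc3164, number, word and ipv4 types. Run over the thread's four messages it yields the fields the reporter expected, and it can serve as a small regression harness for checking a rulebase against sample messages before deploying it in a collector. It does not explain why the reporter's liblognorm build fails on the first message.

```python
"""Simplified model of a liblognorm-style rulebase matcher (added example,
not liblognorm's parser). Field types are regex stand-ins; '-' discards."""
import re

# Simplified field parsers for the type names used in the thread, anchored
# at the current position and consuming greedily. The thread's output keeps
# the trailing colon in the date value, so the model consumes it too.
FIELD_TYPES = {
    "date-rfc3164": re.compile(r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}:?"),
    "number": re.compile(r"\d+"),
    "word": re.compile(r"\S+"),
    "ipv4": re.compile(r"\d{1,3}(?:\.\d{1,3}){3}"),
}

# Constructed input: the thread's test.rulebase with the mail wrapping undone.
RULEBASE = """\
prefix=%date:date-rfc3164%
rule=: %%SYS-5-CONFIG_I: Configured from console by console
rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
"""

# Constructed input: the four messages from the thread's lognormalizer run.
SAMPLE_MESSAGES = [
    "Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console",
    "Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)",
    "Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)",
    "Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console",
]

# A template is literal text, %% escapes, and %name:type% fields.
TOKEN_RE = re.compile(r"%%|%([^%:]*):([^%]+)%|[^%]+")


def tokenize(template):
    """Split a template into ('lit', text) and ('field', name, type) tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(template):
        if m.group(0) == "%%":
            tokens.append(("lit", "%"))
        elif m.group(2):
            if m.group(2) not in FIELD_TYPES:
                raise ValueError("unsupported field type %r" % m.group(2))
            tokens.append(("field", m.group(1), m.group(2)))
        else:
            tokens.append(("lit", m.group(0)))
    return tokens


def load_rulebase(text):
    """Parse prefix= and rule= lines; each rule carries the current prefix."""
    prefix, rules = [], []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "prefix":
            prefix = tokenize(value)
        elif key == "rule":
            _tags, _, template = value.partition(":")  # rule=[tags]:template
            rules.append(prefix + tokenize(template))
    return rules


def match_rule(tokens, msg):
    """Match one rule left to right; return its fields, or None on failure.
    A rule only counts if it consumes the whole message: on "... by console"
    the word field eats "console" and " on console" then finds nothing."""
    pos, fields = 0, {}
    for tok in tokens:
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
        else:
            m = FIELD_TYPES[tok[2]].match(msg, pos)
            if m is None:
                return None
            if tok[1] != "-":          # '-' discards the value
                fields[tok[1]] = m.group(0)
            pos = m.end()
    return fields if pos == len(msg) else None


def normalize(rules, msg):
    """First rule that matches the complete message wins."""
    for idx, tokens in enumerate(rules):
        fields = match_rule(tokens, msg)
        if fields is not None:
            return {"rule": idx, **fields}
    return {"originalmsg": msg, "unparsed-data": msg}


def run_samples(rulebase=RULEBASE, messages=SAMPLE_MESSAGES):
    """Normalize every sample message and return the per-message results."""
    rules = load_rulebase(rulebase)
    return [normalize(rules, msg) for msg in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, run_samples()):
        print(msg)
        print("   ", result)
```

Keeping the sample messages and their expected field sets beside the rulebase turns a one-off debugging session like this one into a repeatable check: any edit to the rulebase (a trailing space, a reordered rule, a new field type) can be re-run against the same inputs, and a message that falls through to unparsed-data is caught before it silently disappears from a detection pipeline.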