[Lognorm] liblognorm rules
Rainer Gerhards
rgerhards at hq.adiscon.com
Mon Sep 23 08:47:55 CEST 2013
do you have the latest version of liblognorm installed? I think I remember
there was such a problem I fixed a couple of weeks ago...
Rainer
On Wed, Sep 18, 2013 at 9:42 PM, Castillo, Jose Contractor <Jose.Castillo at ssa.gov> wrote:
> Thanks, but it didn't work adding a space to the end.
>
> It works if I use only the first rule:
>
> "rule=: %%SYS-5-CONFIG_I: Configured from console by console"
>
> It doesn't work if the next two rules are defined:
>
> "rule=: %%SYS-5-CONFIG_I: Configured from console by console"
> "rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console"
>
> I think it's trying to match the second rule because "console" matches
> %cisco.user:word% and then it is trying to match the next characters, but I
> don't know why it is not matching the first rule.
>
> Any additional advice?
>
> Thanks,
>
> Jose
>
>
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of cclark
> Sent: Wednesday, September 18, 2013 3:06 PM
> To: lognorm at lists.adiscon.com
> Subject: Re: [Lognorm] liblognorm rules
>
> I've seen this happen before with Cisco devices. Try this: In your
> rule, add a white space to the end.
>
> So instead of this:
>
> "rule=: %%SYS-5-CONFIG_I: Configured from console by console"
>
> Try this:
>
> "rule=: %%SYS-5-CONFIG_I: Configured from console by console "
>
> Note the space at the end.
>
>
> On Wed, 18 Sep 2013 12:16:57 -0400, Castillo, Jose Contractor wrote:
>
> > Hello,
> >
> > I'm testing rsyslog/liblognorm trying to parse syslog messages from
> > cisco devices, but in some cases liblognorm is not matching syslog
> > messages with corresponding rules.
> >
> > Please see the following information and let me know if something is wrong.
> >
> > ================================================================================
> >
> > # cat test.rulebase
> > prefix=%date:date-rfc3164%
> > rule=: %%SYS-5-CONFIG_I: Configured from console by console
> > rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
> > rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
> > rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
> >
> > # lognormalizer -r test.rulebase
> > Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console
> > [cee@115 originalmsg="Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console" unparsed-data=""]
> > Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)
> > [cee@115 cisco.ip="192.168.1.1" date="Sep 18 13:09:02:"]
> > Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)
> > [cee@115 cisco.ip="192.168.1.2" cisco.user="user1" date="Sep 18 13:15:29:"]
> > Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console
> > [cee@115 cisco.user="user2" date="Sep 18 13:29:28:"]
> >
> > ================================================================================
> >
> > The first message ("Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console") is not being parsed correctly.
> >
> > Output from lognormalizer in verbose mode:
> >
> > I'm working on a CentOS 6.4 virtual machine, and the following packages have
> > been installed:
> >
> > rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
> > rsyslog-debuginfo-7.4.4-2.el6.x86_64
> > rsyslog-mysql-7.4.4-2.el6.x86_64
> > rsyslog-elasticsearch-7.4.4-2.el6.x86_64
> > rsyslog-udpspoof-7.4.4-2.el6.x86_64
> > rsyslog-7.4.4-2.el6.x86_64
> > rsyslog-mmnormalize-7.4.4-2.el6.x86_64
> >
> > Jose Castillo
> > MicroTech ESS Contract
> > Phone (410) 597-0194
> > OTSO/DNE/NMB/NMST
> > Jose.Castillo at ssa.gov
>
>
> --
> - Champ Clark III
> Quadrant Information Security [http://quadrantsec.com]
> o: 904.296.9100 x101
> o: 800.539.9357 x101
>
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
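As an added illustration (not code from this thread or from liblognorm itself), here is a simplified Python model of the matching the thread is about: every rule, with the prefix prepended, is turned into an anchored regex, all rules are tried, and the message goes to the first one that matches in full. Run on the thread's own rulebase it shows that the first message is matched by exactly one rule, the first, because "console" does satisfy %cisco.user:word% but the literal " on console" that rule 4 requires afterwards is absent; the regex stand-ins for the field types and the "__" encoding of dotted field names are my assumptions, not liblognorm's implementation.

```python
import re
# Rulebase copied from the thread (prefix line plus the four rules).
RULEBASE = """\
prefix=%date:date-rfc3164%
rule=: %%SYS-5-CONFIG_I: Configured from console by console
rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
"""
# Regex stand-ins for the field types above (a simplified model; liblognorm uses
# dedicated per-type parsers). date-rfc3164 also swallows Cisco's trailing ':'.
FIELD_TYPES = {"date-rfc3164": r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d:?",
               "number": r"\d+", "ipv4": r"\d{1,3}(?:\.\d{1,3}){3}", "word": r"\S+"}

def rule_to_regex(text):
    """Translate one rule body into a regex; '%%' is a literal '%'."""
    out = []
    for tok in re.split(r"(%%|%[^%]+%)", text):
        if tok == "%%":
            out.append(re.escape("%"))
        elif len(tok) > 2 and tok.startswith("%") and tok.endswith("%"):
            name, ftype = tok[1:-1].split(":", 1)
            # '-' is the discard field: matched but not captured.
            grp = "?:" if name == "-" else "?P<" + name.replace(".", "__") + ">"
            out.append("(" + grp + FIELD_TYPES[ftype] + ")")
        else:
            out.append(re.escape(tok))
    return "".join(out)

def load_rulebase(text):
    """Compile prefix+rule for every rule= line, anchored to the whole message."""
    lines = text.splitlines()
    prefix = next((l[len("prefix="):] for l in lines if l.startswith("prefix=")), "")
    return [re.compile("^" + rule_to_regex(prefix + l[len("rule=:"):]) + "$")
            for l in lines if l.startswith("rule=:")]
RULES = load_rulebase(RULEBASE)

def candidate_rules(msg):
    """File-order indices of every rule that matches the whole message."""
    return [i for i, rx in enumerate(RULES) if rx.match(msg)]

def normalize(msg):
    """Fields of the first matching rule, or None if the message stays unparsed."""
    for rx in RULES:
        if m := rx.match(msg):
            return {k.replace("__", "."): v for k, v in m.groupdict().items()}
    return None
# Constructed sample: the thread's first message, the one lognormalizer left unparsed.
MSG1 = "Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console"
print(candidate_rules(MSG1), normalize(MSG1))  # [0] {'date': 'Sep 18 13:06:18:'}
```

Feeding the other three messages from the thread through normalize() yields the same field sets the thread's lognormalizer output shows for them.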