[Lognorm] liblognorm rules
Castillo, Jose Contractor
Jose.Castillo at ssa.gov
Mon Sep 23 15:18:38 CEST 2013
Yes, below is the list of packages installed on my server from the adiscon repository:
liblognorm-0.3.6-1.el6.x86_64
liblognorm-devel-0.3.6-1.el6.x86_64
liblognorm-utils-0.3.6-1.el6.x86_64
liblognorm-debuginfo-0.3.6-1.el6.x86_64
rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
rsyslog-debuginfo-7.4.4-2.el6.x86_64
rsyslog-mysql-7.4.4-2.el6.x86_64
rsyslog-elasticsearch-7.4.4-2.el6.x86_64
rsyslog-udpspoof-7.4.4-2.el6.x86_64
rsyslog-7.4.4-2.el6.x86_64
rsyslog-mmnormalize-7.4.4-2.el6.x86_64
From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
Sent: Monday, September 23, 2013 2:48 AM
To: lognorm
Subject: Re: [Lognorm] liblognorm rules
do you have the latest version of liblognorm installed? I think I remember there was such a problem I fixed a couple of weeks ago...
Rainer
On Wed, Sep 18, 2013 at 9:42 PM, Castillo, Jose Contractor <Jose.Castillo at ssa.gov> wrote:
Thanks, but it didn't work adding a space to the end.
It works if I use only the first rule:
"rule=: %%SYS-5-CONFIG_I: Configured from console by console"
It doesn't work if the next two rules are defined:
"rule=: %%SYS-5-CONFIG_I: Configured from console by console"
"rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console"
I think it's trying to match the second rule because "console" matches %cisco.user:word% and then it is trying to match the next characters, but I don't know why it is not matching the first rule.
Any additional advice?
Thanks,
Jose
-----Original Message-----
From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of cclark
Sent: Wednesday, September 18, 2013 3:06 PM
To: lognorm at lists.adiscon.com
Subject: Re: [Lognorm] liblognorm rules
I've seen this happen before with Cisco devices. Try this: In your rule, add a white space to the end.
So instead of this:
"rule=: %%SYS-5-CONFIG_I: Configured from console by console"
Try this:
"rule=: %%SYS-5-CONFIG_I: Configured from console by console "
Note the space at the end.
On Wed, 18 Sep 2013 12:16:57 -0400, Castillo, Jose Contractor wrote:
> Hello,
>
> I'm testing rsyslog/liblognorm trying to parse syslog messages from
> cisco devices, but in some cases liblognorm is not matching syslog
> messages with corresponding rules.
>
> Please see the following information and let me know if something is wrong.
>
>
> ===========================================================================================
>
> # cat test.rulebase
> prefix=%date:date-rfc3164%
> rule=: %%SYS-5-CONFIG_I: Configured from console by console
> rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
>
> # lognormalizer -r test.rulebase
> Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console
> [cee@115 originalmsg="Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console" unparsed-data=""]
> Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)
> [cee@115 cisco.ip="192.168.1.1" date="Sep 18 13:09:02:"]
> Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)
> [cee@115 cisco.ip="192.168.1.2" cisco.user="user1" date="Sep 18 13:15:29:"]
> Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console
> [cee@115 cisco.user="user2" date="Sep 18 13:29:28:"]
>
> =====================================================================================================
>
>
> The first message ("Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console") is not being parsed correctly.
>
> Output from lognormalizer in verbose mode:
>
> I'm working on a CentOS 6.4 virtual machine, and the following packages have been installed:
>
> rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
> rsyslog-debuginfo-7.4.4-2.el6.x86_64
> rsyslog-mysql-7.4.4-2.el6.x86_64
> rsyslog-elasticsearch-7.4.4-2.el6.x86_64
> rsyslog-udpspoof-7.4.4-2.el6.x86_64
> rsyslog-7.4.4-2.el6.x86_64
> rsyslog-mmnormalize-7.4.4-2.el6.x86_64
>
> Jose Castillo
> MicroTech ESS Contract
> Phone (410) 597-0194
> OTSO/DNE/NMB/NMST
> Jose.Castillo at ssa.gov
--
- Champ Clark III
Quadrant Information Security [http://quadrantsec.com]
o: 904.296.9100 x101
o: 800.539.9357 x101
_______________________________________________
Lognorm mailing list
Lognorm at lists.adiscon.com<mailto:Lognorm at lists.adiscon.com>
http://lists.adiscon.net/mailman/listinfo/lognorm
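The rulebase in this thread has two rules, the first and the fourth, that are identical up to "by" and then differ only in whether the next token is the literal "console" or a %cisco.user:word% field, which the string "console" also satisfies. The Python script below is an added example, written for this page; it is neither code from the thread nor liblognorm's own implementation. It compiles the same rulebase syntax into anchored regular expressions and tries every rule against the whole message, which is one way to check offline that overlapping rules still select exactly one rule per message and that the extracted fields are the expected ones. The rulebase text, the sample messages and the TYPES table are constructed for the example; the colon after the timestamp is written as a literal in the prefix, which is an assumption of the example and not a description of how liblognorm's date-rfc3164 parser handles it.

```python
import re

# Constructed rulebase in liblognorm-style syntax, patterned on the test.rulebase
# in the thread. The colon after the timestamp is an explicit literal in the
# prefix here; that is an assumption of this example, not a statement about
# liblognorm's date-rfc3164 parser.
RULEBASE = """\
prefix=%date:date-rfc3164%:
rule=: %%SYS-5-CONFIG_I: Configured from console by console
rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
"""

# Constructed sample messages with the same shape as the ones in the thread.
SAMPLES = [
    "Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console",
    "Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)",
    "Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)",
    "Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console",
]

# Regex equivalents for the field types used above (this example's own
# simplified definitions, not liblognorm's parsers).
TYPES = {
    "date-rfc3164": r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}",
    "number": r"\d+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "word": r"\S+",
}

# One token at a time: "%%" (a literal percent sign), "%name:type%" (a field),
# or a run of literal text. Trying "%%" first keeps it from being read as a field.
TOKEN = re.compile(r"%%|%([^%:]*):([^%]+)%|[^%]+")


def compile_pattern(pattern):
    """Translate one liblognorm-style pattern into a regex and its field names."""
    regex, names = [], []
    for tok in TOKEN.finditer(pattern):
        if tok.group(0) == "%%":
            regex.append(re.escape("%"))
        elif tok.group(1) is not None:
            name, ptype = tok.group(1), tok.group(2)
            if ptype not in TYPES:
                raise ValueError("unsupported field type: " + ptype)
            regex.append("(" + TYPES[ptype] + ")")
            names.append(name)
        else:
            regex.append(re.escape(tok.group(0)))
    return "".join(regex), names


def load_rulebase(text):
    """Compile prefix= and rule= lines; the prefix applies to every rule after it."""
    prefix_re, prefix_names, rules = "", [], []
    for line in text.splitlines():
        if line.startswith("prefix="):
            prefix_re, prefix_names = compile_pattern(line[len("prefix="):])
        elif line.startswith("rule="):
            # rule=[tags]:pattern -- the pattern keeps its leading space
            _tags, _, pattern = line[len("rule="):].partition(":")
            body_re, body_names = compile_pattern(pattern)
            rules.append((re.compile(prefix_re + body_re), prefix_names + body_names))
    return rules


def matching_rules(rules, message):
    """Indices of every rule whose full pattern matches the whole message."""
    return [i for i, (regex, _) in enumerate(rules) if regex.fullmatch(message)]


def normalize(rules, message):
    """Fields of the first rule matching the whole message, or None if none does.

    Each rule is matched against the entire message, so a rule that shares a
    prefix with another (rules 1 and 4 both read "... by <word>") is only
    chosen when the rest of its pattern matches too. "-" fields are discarded.
    """
    for regex, names in rules:
        m = regex.fullmatch(message)
        if m:
            return {n: v for n, v in zip(names, m.groups()) if n != "-"}
    return None


if __name__ == "__main__":
    rules = load_rulebase(RULEBASE)
    for msg in SAMPLES:
        print(msg)
        print("  rules matched:", matching_rules(rules, msg), "fields:", normalize(rules, msg))
```

Running the script shows each of the four constructed messages matching exactly one rule (the first message matches only rule 1, the last only rule 4), so the overlap between "console" and the word field is not an ambiguity when every rule is checked against the full message. A message that fits none of the rules, such as one reading "Configured from memory", returns None, which is the case to watch for when a new device type starts sending variants of the same message.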