[Lognorm] lognormalize and unrelevant rest of a message...

Christopher.Racky at web.de Christopher.Racky at web.de
Mon May 11 11:59:23 CEST 2015


Hi,

I have several times had the situation that the message I want to normalize has an "irrelevant" suffix that I don't need.

My first expectation was that lognormalize matches messages if the whole prefix is the same. This is not the case.
After that I tried it with these rules, but none of them seems to work.

[root@bug ~]# cat /etc/rsyslog3.rb
prefix=<%prio:number%>%rcvdat:date-rfc3164% %rcvdfrom:word%
rule=: %user:char-to::%: hallo1 %dontcare:char-to:\xa%
rule=: %user:char-to::%: hallo2 %dontcare:char-to:\xd%
rule=: %user:char-to::%: hallo3 %dontcare:rest%

As you can see, it does not work :-(
[root@bug ~]# echo "<38>May  8 14:32:38 fritz username: hallo1 asd" |  lognormalizer -r /etc/rsyslog3.rb
[cee@115 originalmsg="<38>May  8 14:32:38 fritz username: hallo1 asd" unparsed-data="asd"]
[root@bug ~]# echo "<38>May  8 14:32:38 fritz username: hallo2 asd" |  lognormalizer -r /etc/rsyslog3.rb
[cee@115 originalmsg="<38>May  8 14:32:38 fritz username: hallo2 asd" unparsed-data="asd"]
[root@bug ~]# echo "<38>May  8 14:32:38 fritz username: hallo3 asd" |  lognormalizer -r /etc/rsyslog3.rb
[cee@115 originalmsg="<38>May  8 14:32:38 fritz username: hallo3 asd" unparsed-data="asd"]


The documentation does not really mention anything about that. From the comments about "rest" I think it should work, because it more tends to "match" to really in liblognormalize 1.1...
Do you have any hint how it is possible to "ignore" the rest of the message?

Best regards
Chris

