[Lognorm] lognormalize and irrelevant rest of a message...
Rainer Gerhards
rgerhards at hq.adiscon.com
Mon May 11 12:01:31 CEST 2015
"rest" was more or less random in all released versions (besides that,
I always caution against using "rest"; IMHO it's way too broad).
Anyhow, git master contains an improved "rest" matcher. I suggest you
build from git source and see if that solves your problem.
HTH
Rainer
2015-05-11 11:59 GMT+02:00 <Christopher.Racky at web.de>:
> Hi,
>
> I have several times had the situation that the message I want to normalize has an "irrelevant" suffix that I don't need.
>
> My first expectation was that lognormalize matches a message if the whole prefix is the same. This is not the case.
> After that I tried it with these rules, but none of them seems to work.
>
> [root@bug ~]# cat /etc/rsyslog3.rb
> prefix=<%prio:number%>%rcvdat:date-rfc3164% %rcvdfrom:word%
> rule=: %user:char-to::%: hallo1 %dontcare:char-to:\xa%
> rule=: %user:char-to::%: hallo2 %dontcare:char-to:\xd%
> rule=: %user:char-to::%: hallo3 %dontcare:rest%
>
> As you can see, it does not work :-(
> [root@bug ~]# echo "<38>May 8 14:32:38 fritz username: hallo1 asd" | lognormalizer -r /etc/rsyslog3.rb
> [cee@115 originalmsg="<38>May 8 14:32:38 fritz username: hallo1 asd" unparsed-data="asd"]
> [root@bug ~]# echo "<38>May 8 14:32:38 fritz username: hallo2 asd" | lognormalizer -r /etc/rsyslog3.rb
> [cee@115 originalmsg="<38>May 8 14:32:38 fritz username: hallo2 asd" unparsed-data="asd"]
> [root@bug ~]# echo "<38>May 8 14:32:38 fritz username: hallo3 asd" | lognormalizer -r /etc/rsyslog3.rb
> [cee@115 originalmsg="<38>May 8 14:32:38 fritz username: hallo3 asd" unparsed-data="asd"]
>
>
> The documentation does not really mention anything about that. From the comments about "rest" I think it should work, because it more tends to "match" to realy in liblognormalize 1.1...
> Do you have any hint how it is possible to "ignore" the rest of the message?
>
> Best regards
> Chris