[Lognorm] lognormalize and unrelevant rest of a message...

Pavel Levshin pavel at levshin.spb.ru
Mon May 11 12:36:39 CEST 2015 

It had been working once in 1.0, I believe.

lpk at freak:~$ echo "<38>May  8 14:32:38 fritz username: hallo1 asd" |  
lognormalizer -r rsyslog3.rb
[cee at 115 originalmsg="<38>May  8 14:32:38 fritz username: hallo1 asd" 
unparsed-data="asd"]
lpk at freak:~$ echo "<38>May  8 14:32:38 fritz username: hallo2 asd" |  
lognormalizer -r rsyslog3.rb
[cee at 115 originalmsg="<38>May  8 14:32:38 fritz username: hallo2 asd" 
unparsed-data="asd"]
lpk at freak:~$ echo "<38>May  8 14:32:38 fritz username: hallo3 asd" |  
lognormalizer -r rsyslog3.rb
[cee at 115 dontcare="asd" user="username" rcvdfrom="fritz" rcvdat="May  8 
14:32:38" prio="38"]

It was supposed to work this way, because there was no other means to 
parse partially structured strings.

Also, if you are trying to debug this, verbose output (-v) can be useful.

--
Pavel


11.05.2015 12:59, Christopher.Racky at web.de:
> Hi,
>
> I have several times the situation, that the message I want to normalize has got an "unrelevant" suffix, that I don't need.
>
> My first expectation was, that lognormalize matches for messages if all the prefix is the same. This is not the case.
> After that I tried it with these rules, but none of them seems to work.
>
> [root at bug ~]# cat /etc/rsyslog3.rb
> prefix=<%prio:number%>%rcvdat:date-rfc3164% %rcvdfrom:word%
> rule=: %user:char-to::%: hallo1 %dontcare:char-to:\xa%
> rule=: %user:char-to::%: hallo2 %dontcare:char-to:\xd%
> rule=: %user:char-to::%: hallo3 %dontcare:rest%
>
> As you can see, it does not work :-(
> [root at bug ~]# echo "<38>May  8 14:32:38 fritz username: hallo1 asd" |  lognormalizer -r /etc/rsyslog3.rb
> [cee at 115 originalmsg="<38>May  8 14:32:38 fritz username: hallo1 asd" unparsed-data="asd"]
> [root at bug ~]# echo "<38>May  8 14:32:38 fritz username: hallo2 asd" |  lognormalizer -r /etc/rsyslog3.rb
> [cee at 115 originalmsg="<38>May  8 14:32:38 fritz username: hallo2 asd" unparsed-data="asd"]
> [root at bug ~]# echo "<38>May  8 14:32:38 fritz username: hallo3 asd" |  lognormalizer -r /etc/rsyslog3.rb
> [cee at 115 originalmsg="<38>May  8 14:32:38 fritz username: hallo3 asd" unparsed-data="asd"]
>
>
> The documentation does not really mention something about that. From the comments about "rest" i think it should work, because it more tends to "match" to realy in liblognormalize 1.1...
> Do you have any hint how it is possible to "ignore" the rest of the message?
>
> Best regards
> Chris
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm

More information about the Lognorm mailing list