[Lognorm] lognormalize and unrelevant rest of a message...

David Lang david at lang.hm
Tue May 12 03:27:05 CEST 2015 

On Mon, 11 May 2015, Christopher.Racky at web.de wrote:

> Hi,
>
> I have several times the situation, that the message I want to normalize has got an "unrelevant" suffix, that I don't need.
>
> My first expectation was, that lognormalize matches for messages if all the prefix is the same. This is not the case.
> After that I tried it with these rules, but none of them seems to work.
>
> [root at bug ~]# cat /etc/rsyslog3.rb
> prefix=<%prio:number%>%rcvdat:date-rfc3164% %rcvdfrom:word%
> rule=: %user:char-to::%: hallo1 %dontcare:char-to:\xa%
> rule=: %user:char-to::%: hallo2 %dontcare:char-to:\xd%
> rule=: %user:char-to::%: hallo3 %dontcare:rest%
>
> As you can see, it does not work :-(
> [root at bug ~]# echo "<38>May  8 14:32:38 fritz username: hallo1 asd" |  lognormalizer -r /etc/rsyslog3.rb
> [cee at 115 originalmsg="<38>May  8 14:32:38 fritz username: hallo1 asd" unparsed-data="asd"]
> [root at bug ~]# echo "<38>May  8 14:32:38 fritz username: hallo2 asd" |  lognormalizer -r /etc/rsyslog3.rb
> [cee at 115 originalmsg="<38>May  8 14:32:38 fritz username: hallo2 asd" unparsed-data="asd"]
> [root at bug ~]# echo "<38>May  8 14:32:38 fritz username: hallo3 asd" |  lognormalizer -r /etc/rsyslog3.rb
> [cee at 115 originalmsg="<38>May  8 14:32:38 fritz username: hallo3 asd" unparsed-data="asd"]
>
>
> The documentation does not really mention something about that. From the comments about "rest" i think it should work, because it more tends to "match" to realy in liblognormalize 1.1...
> Do you have any hint how it is possible to "ignore" the rest of the message?

compiled from git last week

# echo "<38>May  8 14:32:38 fritz username: hallo3 asd" | 
/usr/lib/lognorm/lognormalizer -r del4
[cee at 115 dontcare="asd" user="username" rcvdfrom="fritz" rcvdat="May  8 
14:32:38" prio="38"]

also, if you change 'dontcare' to '-' it throws the value away

# echo "<38>May  8 14:32:38 fritz username: hallo3 asd" | 
/usr/lib/lognorm/lognormalizer -r del4
[cee at 115 user="username" rcvdfrom="fritz" rcvdat="May  8 14:32:38" prio="38"]

# cat del4
prefix=<%prio:number%>%rcvdat:date-rfc3164% %rcvdfrom:word%
rule=: %user:char-to::%: hallo1 %dontcare:char-to:\xa%
rule=: %user:char-to::%: hallo2 %dontcare:char-to:\xd%
rule=: %user:char-to::%: hallo3 %-:rest%

David Lang

More information about the Lognorm mailing list