[Lognorm] Bugs in lognormalize and/or rsyslog bracket / Whitespace
Christopher.Racky at web.de
Wed May 13 09:34:18 CEST 2015
Hi,
I'm right now defining some normalization rules.
Actually I'm still using the latest released version for Red Hat, because on my system it seems to be quite complex to compile a binary version... Daily snapshot RPMs for RHEL would be great ;)
Some strange things happen:
1. *** Issue with bracket ***:
[root at bug ~]# echo "<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): session opened for user root by (uid=0)" | lognormalizer -r /etc/rsyslog4.rb
[cee at 115 event.tags="atd,sesopen" uid="0" tuser="root" processid="32016" rcvdfrom="hostname" rcvdat="Apr 29 09:17:14" prio="86" process="atd" action="session opened"]
==> Works great
Meanwhile the same rule (nothing changed in the file) does not work with rsyslog 8.9.
Issue is in the suffix: (uid=0).
Rule is:
rule=: atd[%processid:number%]: pam_unix(atd:session): session opened for user %tuser:word% by (uid=%uid:number%)
This rule, works for both (rsyslog and lognormalize):
rule=: atd[%processid:number%]: pam_unix(atd:session): session opened for user %tuser:word% by %uid:word%
2. *** Issues with whitespace ***
Data:
sudo: username
Rules:
rule=: sudo:%-:whitespace%%user:word%
rule=: sudo: %-:whitespace% %user:word%
[root at bug ~]# echo "<85>May 12 13:23:06 fritz sudo: username" | lognormalizer -r /etc/rsyslog4.rb
[cee at 115 originalmsg="<85>May 12 13:23:06 fritz sudo: username" unparsed-data=""]
3. "rest" topic is already known...
best regards
Chris
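The following is an added reference model of the rule syntax used in the post, written for this page; it is not liblognorm's or rsyslog's code and does not reproduce the reported bugs. It assumes three field semantics ('number' is a run of digits, 'word' is a run of non-whitespace characters, 'whitespace' is one or more spaces or tabs), that the leading space after "rule=:" is insignificant, and a fixed "<PRI>TIMESTAMP HOST MSG" header shape to supply the prio/rcvdat/rcvdfrom fields that the lognormalizer output shows (in the post those come from rules not shown). Under those assumptions it makes two practical points visible: the "by %uid:word%" variant matches, but captures "(uid=0)" including the parentheses rather than "0"; and the second sudo rule, "sudo: %-:whitespace% %user:word%", requires a whitespace run after the literal "sudo: " has already consumed the only space, so it cannot match "sudo: username" in this model. The sample lines and rules are copied from the post above.

```python
import re

# Assumed field semantics (not liblognorm's implementation).
FIELD_TYPES = {
    "number": re.compile(r"[0-9]+"),
    "word": re.compile(r"[^ \t]+"),
    "whitespace": re.compile(r"[ \t]+"),
}

# Assumed syslog header shape: <PRI>Mon DD HH:MM:SS host MSG
HEADER = re.compile(
    r"<(?P<prio>\d+)>(?P<rcvdat>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<rcvdfrom>\S+) (?P<msg>.*)$"
)


def parse_rule(rule):
    """Split 'rule=tag1,tag2:pattern' into (tags, tokens).

    Tokens are ('literal', text, None) or ('field', name, type).
    The leading whitespace of the pattern is dropped (assumption).
    """
    if not rule.startswith("rule="):
        raise ValueError("not a rule line: %r" % rule)
    tags, _, pattern = rule[len("rule="):].partition(":")
    pattern = pattern.lstrip()
    tokens, pos = [], 0
    while pos < len(pattern):
        if pattern[pos] == "%":
            end = pattern.index("%", pos + 1)
            name, _, ftype = pattern[pos + 1:end].partition(":")
            if ftype not in FIELD_TYPES:
                raise ValueError("unknown field type %r" % ftype)
            tokens.append(("field", name, ftype))
            pos = end + 1
        else:
            nxt = pattern.find("%", pos)
            if nxt == -1:
                nxt = len(pattern)
            tokens.append(("literal", pattern[pos:nxt], None))
            pos = nxt
    return [t for t in tags.split(",") if t], tokens


def normalize(line, rules):
    """Apply rules in order; return the fields of the first rule that
    consumes the whole MSG, else an originalmsg/unparsed-data record."""
    hdr = HEADER.match(line)
    if not hdr:
        return {"originalmsg": line, "unparsed-data": line}
    msg = hdr.group("msg")
    for rule in rules:
        tags, tokens = parse_rule(rule)
        fields, pos = {}, 0
        for kind, a, b in tokens:
            if kind == "literal":
                if not msg.startswith(a, pos):
                    break
                pos += len(a)
            else:
                hit = FIELD_TYPES[b].match(msg, pos)
                if not hit:
                    break
                if a != "-":  # '-' discards the captured text
                    fields[a] = hit.group(0)
                pos = hit.end()
        else:
            if pos == len(msg):  # rule matched and nothing is left over
                out = {"event.tags": ",".join(tags)} if tags else {}
                out.update(prio=hdr.group("prio"), rcvdat=hdr.group("rcvdat"),
                           rcvdfrom=hdr.group("rcvdfrom"))
                out.update(fields)
                return out
    return {"originalmsg": line, "unparsed-data": msg}


# Lines and rules copied from the post.
LINE_ATD = ("<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): "
            "session opened for user root by (uid=0)")
LINE_SUDO = "<85>May 12 13:23:06 fritz sudo: username"
RULE_ATD_PAREN = ("rule=: atd[%processid:number%]: pam_unix(atd:session): "
                  "session opened for user %tuser:word% by (uid=%uid:number%)")
RULE_ATD_WORD = ("rule=: atd[%processid:number%]: pam_unix(atd:session): "
                 "session opened for user %tuser:word% by %uid:word%")
RULE_SUDO_A = "rule=: sudo:%-:whitespace%%user:word%"
RULE_SUDO_B = "rule=: sudo: %-:whitespace% %user:word%"

if __name__ == "__main__":
    for line, rules in ((LINE_ATD, [RULE_ATD_PAREN]), (LINE_ATD, [RULE_ATD_WORD]),
                        (LINE_SUDO, [RULE_SUDO_A]), (LINE_SUDO, [RULE_SUDO_B])):
        print(normalize(line, rules))
```

When comparing two normalizer versions, feed the same line through a model like this first: a rule that "works" with a broader field type can still put the wrong value into a field (here uid becomes "(uid=0)"), which matters when the field is later used for alerting or correlation.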