[Lognorm] Bugs in lognormalize and/or rsyslog bracket / Whitespace
Rainer Gerhards
rgerhards at hq.adiscon.com
Wed May 13 11:29:54 CEST 2015
2015-05-13 9:34 GMT+02:00 <Christopher.Racky at web.de>:
> Hi,
> I'm right now defining some normalization rules.
> Actually I'm still using the latest released version for Red Hat, because on my system it seems to be quite complex to compile a binary version... Daily snapshot RPMs for RHEL would be great ;)
>
>
> Some strange things happen:
>
> 1. *** Issue with bracket ***:
> [root at bug ~]# echo "<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): session opened for user root by (uid=0)" | lognormalizer -r /etc/rsyslog4.rb
> [cee at 115 event.tags="atd,sesopen" uid="0" tuser="root" processid="32016" rcvdfrom="hostname" rcvdat="Apr 29 09:17:14" prio="86" process="atd" action="session opened"]
>
> ==> Works great
> Meanwhile the same rule (nothing changed in file) does not work with rsyslog 8.9.
> Issue is in the suffix: (uid=0).
I don't understand what you mean here (in regard to suffix).
Is this with the same liblognorm? Then it's really strange. I suggest
opening a GitHub issue:
if it's with the same version of liblognorm --> issue for rsyslog
otherwise --> issue for liblognorm
but please explain what I did not understand.
>
> Rule is:
> rule=: atd[%processid:number%]: pam_unix(atd:session): session opened for user %tuser:word% by (uid=%uid:number%)
>
> This rule, works for both (rsyslog and lognormalize):
> rule=: atd[%processid:number%]: pam_unix(atd:session): session opened for user %tuser:word% by %uid:word%
>
>
> 2. *** Issues with whitespace ***
>
> Data:
> sudo: username
>
> Rules:
> rule=: sudo:%-:whitespace%%user:word%
> rule=: sudo: %-:whitespace% %user:word%
>
>
> [root at bug ~]# echo "<85>May 12 13:23:06 fritz sudo: username" |lognormalizer -r /etc/rsyslog4.rb
> [cee at 115 originalmsg="<85>May 12 13:23:06 fritz sudo: username" unparsed-data=""]
I guess that's another incarnation of
https://github.com/rsyslog/liblognorm/issues/57
>
> 3. "rest" topic is already known...
and fixed (at least as far as possible for such a broad syntax)! Patch
is in github.
Rainer
>
>
> best regards
> Chris
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
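To make the rule syntax discussed in the thread concrete, here is an added example (not liblognorm or rsyslog code) that re-implements a simplified version of the v1 `rule=` matching in Python and runs Chris's rules against his two messages. It assumes the syslog header was already consumed by a rulebase prefix not shown in the thread, and approximates the number, word, whitespace and rest parsers with regular expressions.

```python
import re

# Simplified re-implementation of liblognorm's v1 rule syntax, written for this
# example (not liblognorm code): a rule is literal text with %name:type% fields,
# and "-" as the name discards the value. Prefixes and most parsers are omitted.
FIELD_TYPES = {
    "number": r"\d+",       # one or more digits
    "word": r"\S+",         # up to the next whitespace
    "whitespace": r"\s+",   # one or more whitespace characters
    "rest": r".*",          # everything to the end of the message
}
FIELD_RE = re.compile(r"%([^:%]+):([a-z-]+)%")

def compile_rule(rule_line):
    """Turn 'rule=tags:text' into (tags, field names, anchored regex)."""
    tags, text = rule_line[len("rule="):].split(":", 1)
    names, parts, pos = [], [], 0
    for m in FIELD_RE.finditer(text):
        parts.append(re.escape(text[pos:m.start()]))  # literal between fields
        name, ftype = m.groups()
        if name == "-":
            parts.append("(?:%s)" % FIELD_TYPES[ftype])
        else:
            names.append(name)
            parts.append("(%s)" % FIELD_TYPES[ftype])
        pos = m.end()
    parts.append(re.escape(text[pos:]))
    return tags.split(",") if tags else [], names, re.compile("".join(parts) + r"\Z")

def normalize(rulebase, msg):
    """Fields of the first rule matching the whole msg, or None if none matches."""
    for tags, names, regex in rulebase:
        m = regex.match(msg)
        if m:
            fields = dict(zip(names, m.groups()))
            if tags:
                fields["event.tags"] = ",".join(tags)
            return fields
    return None

# Rules and messages from the thread, with the syslog header already stripped
# (as a rulebase prefix would do); the rule text keeps its leading space.
RULES = [compile_rule(r) for r in (
    "rule=: atd[%processid:number%]: pam_unix(atd:session): "
    "session opened for user %tuser:word% by (uid=%uid:number%)",
    "rule=: sudo:%-:whitespace%%user:word%",
    "rule=: sudo: %-:whitespace% %user:word%",
)]
ATD_MSG = " atd[32016]: pam_unix(atd:session): session opened for user root by (uid=0)"
SUDO_MSG = " sudo: username"
```

Under these simplified semantics the first sudo rule matches `SUDO_MSG`, while the second needs at least three whitespace characters after `sudo:` (whitespace, then a literal space, with another literal space before it) and so cannot match it on its own.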