[Lognorm] Bugs in lognormalize and/or rsyslog bracket / Whitespace
Christopher.Racky at web.de
Fri May 15 07:35:04 CEST 2015
> Sent: Wednesday, 13 May 2015 at 11:29
> From: "Rainer Gerhards" <rgerhards at hq.adiscon.com>
> To: lognorm <lognorm at lists.adiscon.com>
> Subject: Re: [Lognorm] Bugs in lognormalize and/or rsyslog bracket / Whitespace
> > Hi,
> > I'm right now defining some normalization rules.
> > Actually I'm still using the latest released version for red-hat, because on my system it seems to be quite complex to compile a binary version... Daily snapshot RPMs for RHEL would be great ;)
> > 1. *** Issue with bracket ***:
> > [root at bug ~]# echo "<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): session opened for user root by (uid=0)" | lognormalizer -r /etc/rsyslog4.rb
> > [cee at 115 event.tags="atd,sesopen" uid="0" tuser="root" processid="32016" rcvdfrom="hostname" rcvdat="Apr 29 09:17:14" prio="86" process="atd" action="session opened"]
> >
> > ==> Works great
> > Meanwhile the same rule (nothing changed in file) does not work with rsyslog8.9.
> > Issue is in the suffix: (uid=0).
>
> I don't understand what you mean here (in regard to suffix).
>
> Is this with the same liblognorm? Then it's really strange. I suggest
> opening an issue on the github issue tracker
>
> if it's with the same version of liblognorm --> issue for rsyslog
> otherwise --> issue for liblognorm
>
> but please explain what I did not understand.
Yes, the rule works fine with lognormalizer command, but not in rsyslog.
I will open a ticket for that at rsyslog. All other rules (about 30 rules) work fine.
If I reduce the message from
"<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): session opened for user root by (uid=0)"
to
"<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): session opened for user root by "
by using the reduced filter:
prefix:=...
rule=: atd[%processid:number%]: pam_unix(atd:session): session opened for user %tuser:word% by
matching in rsyslog (and lognormalizer) works.
So with suffix, I did not mean the keyword in liblognormalizer, just the suffix/ending of the string, in characters: (uid=0)
Chris
> I guess that's another incarnation of
> https://github.com/rsyslog/liblognorm/issues/57
>
> >
> > 3. "rest" topic is already known...
> and fixed (at least as far as possible for such a broad syntax)! Patch
> is in github.
>
> Rainer
> >
> >
> > best regards
> > Chris
> > _______________________________________________
> > Lognorm mailing list
> > Lognorm at lists.adiscon.com
> > http://lists.adiscon.net/mailman/listinfo/lognorm
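Added illustration, not code from the thread or from liblognorm itself: a small Python approximation of the legacy liblognorm rule syntax used above (only the number and word field types), run against the full and the reduced message. Since the original prefix line is elided, the prefix below is a constructed assumption; the rule with the literal suffix "(uid=%uid:number%)" is likewise an assumption about how the full rule reads.

```python
import re

# %name:type% fields as in the legacy liblognorm rule format
FIELD_RE = re.compile(r"%(?P<name>[^:%]+):(?P<type>[^%]+)%")
# simplified semantics: number = decimal digits, word = up to the next space
TYPE_RE = {"number": r"\d+", "word": r"[^ ]+"}

def compile_rule(rule, prefix=""):
    """Turn prefix + rule into one anchored regex with a named group per field."""
    text = prefix + rule
    parts, pos = [], 0
    for m in FIELD_RE.finditer(text):
        parts.append(re.escape(text[pos:m.start()]))          # literal text
        parts.append("(?P<%s>%s)" % (m.group("name"), TYPE_RE[m.group("type")]))
        pos = m.end()
    parts.append(re.escape(text[pos:]))                        # trailing literal
    return re.compile("^" + "".join(parts) + "$")              # whole message must match

def normalize(msg, rule, prefix=""):
    """Return the extracted fields, or None when the rule does not match."""
    m = compile_rule(rule, prefix).match(msg)
    return None if m is None else m.groupdict()

# constructed prefix (the original is elided as "prefix:=...")
PREFIX = "<%prio:number%>%month:word% %day:number% %time:word% %rcvdfrom:word%"
# assumed full rule and the reduced rule quoted in the mail
RULE_FULL = (" atd[%processid:number%]: pam_unix(atd:session): "
             "session opened for user %tuser:word% by (uid=%uid:number%)")
RULE_REDUCED = (" atd[%processid:number%]: pam_unix(atd:session): "
                "session opened for user %tuser:word% by ")

MSG_FULL = ("<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): "
            "session opened for user root by (uid=0)")
MSG_REDUCED = MSG_FULL[:-len("(uid=0)")]   # ends in "... by "

if __name__ == "__main__":
    print(normalize(MSG_FULL, RULE_FULL, PREFIX))        # uid=0, tuser=root, processid=32016
    print(normalize(MSG_FULL, RULE_REDUCED, PREFIX))     # None: "(uid=0)" left unconsumed
    print(normalize(MSG_REDUCED, RULE_REDUCED, PREFIX))  # matches the reduced message
```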