[Lognorm] Bugs in lognormalize and/or rsyslog bracket / Whitespace

Rainer Gerhards rgerhards at hq.adiscon.com
Fri May 15 08:46:24 CEST 2015


2015-05-15 7:35 GMT+02:00  <Christopher.Racky at web.de>:
>
>> Sent: Wednesday, 13 May 2015 at 11:29
>> From: "Rainer Gerhards" <rgerhards at hq.adiscon.com>
>> To: lognorm <lognorm at lists.adiscon.com>
>> Subject: Re: [Lognorm] Bugs in lognormalize and/or rsyslog bracket / Whitespace
>> > Hi,
>> > I'm right now defining some normalization rules.
>> > Actually I'm still using the latest released version for Red Hat, because on my system it seems to be quite complex to compile a binary version... Daily snapshot RPMs for RHEL would be great ;)
>> > 1. *** Issue with bracket ***:
>> > [root at bug ~]# echo "<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): session opened for user root by (uid=0)" | lognormalizer -r /etc/rsyslog4.rb
>> > [cee at 115 event.tags="atd,sesopen" uid="0" tuser="root" processid="32016" rcvdfrom="hostname" rcvdat="Apr 29 09:17:14" prio="86" process="atd" action="session opened"]
>> >
>> > ==> Works great
>> > Meanwhile the same rule (nothing changed in file) does not work with rsyslog8.9.
>> > Issue is in the suffix: (uid=0).
>>
>> I don't understand what you mean here (in regard to suffix).
>>
>> Is this with the same liblognorm? Then it's really strange. I suggest
>> to open a github issue tracker
>>
>> if it's with the same version of liblognorm --> issue for rsyslog
>> otherwise --> issue for liblognorm
>>
>> but please explain what I did not understand.
>
> Yes, the rule works fine with lognormalizer command, but not in rsyslog.
> I will open a ticket for that at rsyslog.

I would guess that the problem is rooted in a property that is
different from what you expect. I suggest asking that question first on the
rsyslog mailing list; chances are good we can nail it down there (I
don't want to do it here).

Rainer

> All other rules (about 30 rules) work fine.
> If I reduce the message from
> "<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): session opened for user root by (uid=0)"
> to
> "<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): session opened for user root by "
> by using the reduced filter:
>  prefix:=...
>  rule=: atd[%processid:number%]: pam_unix(atd:session): session opened for user %tuser:word% by
> matching in rsyslog (and lognormalizer) works.
> So with suffix, I did not mean the keyword in liblognormalizer, just the suffix/ending of the string, in characters: (uid=0)
>
> Chris
>
>
>> I guess that's another incarnation of
>> https://github.com/rsyslog/liblognorm/issues/57
>>
>> >
>> > 3. "rest" topic is already known...
>> and fixed (at least as far as possible for such a broad syntax)! Patch
>> is in github.
>>
>> Rainer
>> >
>> >
>> > best regards
>> > Chris
>> > _______________________________________________
>> > Lognorm mailing list
>> > Lognorm at lists.adiscon.com
>> > http://lists.adiscon.net/mailman/listinfo/lognorm
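Added example, not from the thread and not liblognorm's own code: a small Python emulation of the rule field types the thread uses (number, word, rest) as regexes, showing why the reduced rule matches the reduced message but silently fails on the full one, and how appending a literal "(uid=%uid:number%)" recovers the uid field seen in the lognormalizer output above. The header split is a constructed stand-in for the elided "prefix:=" line; liblognorm's real parsers are stricter than these regexes.

```python
import re

# Approximate regex equivalents of the liblognorm field types named in the thread.
# This is a simplified emulation for rule testing, not liblognorm's own parser.
FIELD_RE = {
    "number": r"\d+",
    "word": r"\S+",
    "rest": r".*",
}


def compile_rule(pattern):
    """Turn a liblognorm-style pattern (literal text plus %name:type% fields)
    into a regex with one named group per field."""
    out, pos = [], 0
    for m in re.finditer(r"%([A-Za-z_]\w*):([\w-]+)%", pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        name, ftype = m.group(1), m.group(2)
        if ftype not in FIELD_RE:
            raise ValueError(f"unsupported field type {ftype!r}")
        out.append(f"(?P<{name}>{FIELD_RE[ftype]})")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))


def normalize(pattern, msg):
    """Return the extracted fields if the rule consumes the whole message tail,
    otherwise None (an unmatched event is what a detection pipeline would lose)."""
    # Constructed stand-in for the elided prefix: drop "<PRI>Mon DD hh:mm:ss host".
    # The tail keeps its leading space because the rule pattern begins with one.
    tail = " " + msg.split(" ", 4)[4]
    m = compile_rule(pattern).fullmatch(tail)
    return m.groupdict() if m else None


# Constructed sample inputs, copied from the messages quoted in the thread.
FULL_MSG = ("<86>Apr 29 09:17:14 hostname atd[32016]: pam_unix(atd:session): "
            "session opened for user root by (uid=0)")
REDUCED_MSG = FULL_MSG[:-len("(uid=0)")]
REDUCED_RULE = (" atd[%processid:number%]: pam_unix(atd:session): "
                "session opened for user %tuser:word% by ")
FULL_RULE = REDUCED_RULE + "(uid=%uid:number%)"   # hypothetical extended rule


def check_rules():
    """Run the three combinations a rule author should test before deploying."""
    return {
        "reduced_rule_on_reduced_msg": normalize(REDUCED_RULE, REDUCED_MSG),
        "reduced_rule_on_full_msg": normalize(REDUCED_RULE, FULL_MSG),
        "full_rule_on_full_msg": normalize(FULL_RULE, FULL_MSG),
    }


if __name__ == "__main__":
    for name, result in check_rules().items():
        print(f"{name}: {result}")
```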
