[Lognorm] Single Quote
Adam Williams
adam at spreedly.com
Mon Apr 11 16:49:25 CEST 2016
Hello,
I'm having a very difficult time discerning from the documentation at
http://www.liblognorm.com/files/manual/configuration.html exactly how
to get the results I would expect from a very simple example.
$ echo " event='nginx request'" | /usr/lib/lognorm/lognormalizer -r /etc/rsyslog.d/normalize_nginx.rules
[cee@115 originalmsg=" event='nginx request'" unparsed-data="request'"]
The rules file is:
version=2
rule=: event='nginx %event:word%'
I note in the documentation that there are some rule examples with a '
(single quote) at the end of the line, where the sample data has no
such ending character.
rule=:%f:ref'
CEF:0|Vendor|Product|Version|Signature ID|some name|Severity|
aa=field1 bb=this is a value cc=field 3
However, there is no documentation explaining what that means.
I have success when I remove the single quotes from my sample data and rule.
$ echo " event=nginx request" | /usr/lib/lognorm/lognormalizer -r /etc/rsyslog.d/normalize_nginx.rules
[cee@115 auth="request"]
Please help me to see what I am missing, thank you.
Adam
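
Added example, not part of the original post and not liblognorm code: a simplified Python model of two field types as the liblognorm documentation describes them (`word` reads up to the next space or end of line, `char-to` reads up to a given character), run against the message from the post. The `char-to` rule and all function names are assumptions introduced here.

```python
import re

# Constructed inputs: the message and rule body from the post, plus an
# assumed alternative rule that ends the field at the closing quote.
MSG = " event='nginx request'"
RULE_WORD = " event='nginx %event:word%'"
RULE_CHAR_TO = " event='nginx %event:char-to:'%'"

FIELD = re.compile(r"%([^:%]+):([^:%]+)(?::([^%]*))?%")  # %name:type[:extra]%

def tokenize(rule):
    """Split a rule body into literal runs and field descriptors."""
    tokens, pos = [], 0
    for m in FIELD.finditer(rule):
        if m.start() > pos:
            tokens.append(("lit", rule[pos:m.start()]))
        tokens.append(("field", m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if pos < len(rule):
        tokens.append(("lit", rule[pos:]))
    return tokens

def field_end(ftype, extra, msg, pos):
    """Offset where the field starting at pos ends, or None if it cannot match."""
    if ftype == "word":          # everything up to the next space or end of line
        end = msg.find(" ", pos)
        end = len(msg) if end == -1 else end
    elif ftype == "char-to":     # everything up to the character in extra
        end = msg.find(extra, pos) if extra else -1
    else:
        raise ValueError("field type not modelled: " + ftype)
    return end if end > pos else None

def match(rule, msg):
    """Return (matched, fields); fields holds what was captured before any failure."""
    fields, pos = {}, 0
    for tok in tokenize(rule):
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return False, fields
            pos += len(tok[1])
        else:
            _, name, ftype, extra = tok
            end = field_end(ftype, extra, msg, pos)
            if end is None:
                return False, fields
            fields[name] = msg[pos:end]
            pos = end
    return pos == len(msg), fields
```

In this model `match(RULE_WORD, MSG)` fails after `event` has already captured `request'`, so the rule's trailing quote has nothing left to match, while `match(RULE_CHAR_TO, MSG)` succeeds with `event` set to `request`.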