[rsyslog-notify] Forum Thread: Re: mmnormalize rulebase and dateconvert - (Mode 'reply')

[noreply at adiscon.com]

User: vdesabou 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25645#p25645

Message: 
----------
[quote="teifler":3vlzybq7]Sorry but at the moment I also don't have a
solution for this problem.

Tim[/quote:3vlzybq7]

No Problem.
As it was a blocking issue for my project, I implemented a "hack" in
liblognorm: I added a "date-epoch" parser which does:

[code:3vlzybq7]
./lognormalizer -r /home/vdesabou/date-epoch.rb -e json <
/home/vdesabou/test.log
{ "parsed_date": { "original": "1427882444", "readable":
"2015-04-01 10:00:44 GMT" } }
[/code:3vlzybq7]

[code:3vlzybq7]
cat /home/vdesabou/date-epoch.rb
rule=epoch:%parsed_date:date-epoch%
[/code:3vlzybq7]

[code:3vlzybq7]
cat /home/vdesabou/test.log
1427882444
[/code:3vlzybq7]

I believe it is not really the right place to do conversion like this in a
liblognorm parser (maybe a rainerscript function would be more appropriate?
) but as I'm already compiling liblognorm because I need the CEF parser 
and no release has been done yet, I'm doing it in there. Anyway, It does
the trick for my very particular use case !