> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Brian Knox
> Sent: Wednesday, March 14, 2012 2:49 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog properties to CEE fields
>
> I'll definitely keep you (and the list) posted. Right now I'm working with
> "minimal" cee messages, more just as a good format for structured messages
> to give other people on my team something to work with, and not trying to
> cover the entirety of the CEE specification (which is rather daunting for
> someone just jumping in to it).

Actually, IMHO the current spec is still very much a work in progress. Don't let the spec stop you. It's more important to get something useful working. If we achieve progress here, I am almost certain that progress will be moved over to the spec!

Rainer

>
> A useful tool I've found at the moment is jvburnes' cee appender python
> library, if anyone else is working on this sort of thing:
>
> http://code.google.com/p/cee-appender/
>
> It provides a CEEEvent class for python that produces JSON encoded CEE
> messages.
>
> On Wed, Mar 14, 2012 at 9:36 AM, Rainer Gerhards
> <[email protected]> wrote:
>
> > I would really appreciate if you could keep us posted and contribute the
> > templates and mappings you have. I guess this is generally useful. Also
> > note that I have high on my todo list an iptables parser, that will put the
> > iptables info "nicely" into the "cee" field list (actually the messages
> > structured part). You can already do that with mmnormalize, but it's more
> > straightforward with a dedicated module. My TODO list currently is:
> >
> > - some refactoring on local host identification (blog post coming up)
> > - improve mongodb
> > - do the iptables stuff
> > - ...
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-
> > > [email protected]] On Behalf Of Brian Knox
> > > Sent: Wednesday, March 14, 2012 2:32 PM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] rsyslog properties to CEE fields
> > >
> > > Nice. I figured you would provide a string gen module of some sort
> > > once the spec was finalized. For now for testing and experimenting I'll
> > > just whip up some "close enough" templates based on current CEE spec and
> > > discussions.
> > >
> > > Brian
> > >
> > > On Wed, Mar 14, 2012 at 9:25 AM, Rainer Gerhards
> > > <[email protected]> wrote:
> > >
> > > > > -----Original Message-----
> > > > > From: [email protected] [mailto:rsyslog-
> > > > > [email protected]] On Behalf Of Brian Knox
> > > > > Sent: Wednesday, March 14, 2012 2:22 PM
> > > > > To: rsyslog-users
> > > > > Subject: [rsyslog] rsyslog properties to CEE fields
> > > > >
> > > > > Is there an existing document that maps rsyslog properties (
> > > > > http://www.rsyslog.com/doc/property_replacer.html) and CEE fields?
> > > > No, simply because there is no stable reference yet of the CEE fields. I
> > > > wish myself I had such a list.
> > > >
> > > > Please note that I plan to provide a property remapping capability (maybe a
> > > > plugin) in the not so distant future to rename CEE (better: JSON) fields on
> > > > the fly. A prime use case is keeping things consistent between changing CEE
> > > > (and other) dictionaries.
> > > >
> > > > Rainer
> > > >
> > > > > Before
> > > > > I start working out the mapping myself I figured I'd check to see if it
> > > > > were available. I'm working on some test / example rsyslog templates
> > > > > for converting "unstructured" rfc3164 to "cee enhanced" syslog messages.
> > > > >
> > > > > Brian
> > > > > _______________________________________________
> > > > > rsyslog mailing list
> > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > http://www.rsyslog.com/professional-services/

