I think the action parameter is the most flexible place to have it, because
the same rulebase can be used with different values.

Either module or rulebase level param will be less flexible compared to
this.

--
Regards,
Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft
keyboard sporting its not-so-smart-assist technology.

On Jan 28, 2015 10:48 AM, "David Lang" <da...@lang.hm> wrote:

> On Wed, 28 Jan 2015, singh.janmejay wrote:
>
>> Ok, one way I can think of doing it: expose a parameter at action/module
>> level which turns on defaulting and picks a default string.
>>
>> Eg.
>>
>> action(type="mmnormalize" nullMarker="-")
>>
>> Where nullMarker is a string (not a char).
>>
>> Whenever a "-" is encountered and a field is expected, it should skip the
>> key (the key will not be present at all) and continue matching next token
>> onwards.
>>
>> Thoughts?
>>
>
> This needs to be something in the liblognorm config, not in rsyslog.
> different types of logs would have different nullMarker strings.
>
> with that adjustment, I think it's a good idea.
>
> David Lang
>
>> --
>> Regards,
>> Janmejay
>>
>> PS: Please blame the typos in this mail on my phone's uncivilized soft
>> keyboard sporting its not-so-smart-assist technology.
>>
>> On Jan 28, 2015 6:38 AM, "David Lang" <da...@lang.hm> wrote:
>>
>>> On Wed, 28 Jan 2015, singh.janmejay wrote:
>>>
>>>> Maybe it'll be useful to discuss what you want to achieve with such
>>>> representations of sample. I mean if possible, take a few samples from
>>>> your existing rulebase which you think highlight the problem(s) you are
>>>> facing.
>>>>
>>>
>>> I think the example is the Apache logs, where Apache either puts a value,
>>> or it puts a placeholder '-'
>>>
>>> if you want to capture a specific type (number or ip address for example),
>>> you won't match a log entry that has a - in that field.
>>>
>>> If there are only a couple fields that are like this, you can list all the
>>> combinations in the ruleset, but if you have a lot of fields like this, the
>>> combinatorial explosion would make for a LOT of rules.
>>>
>>> So I don't think he really needs a generic 'or' allowing any types to be
>>> combined as much as a way to say "this field could be this type or this
>>> constant"
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
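The null-marker behaviour proposed in this thread, sketched as an added example that is not part of the original mails and is not liblognorm or rsyslog code. The field types, the rule, the function names and the sample line are constructed assumptions; `null_marker` stands in for the proposed `nullMarker` string.

```python
import ipaddress
import re

# Hypothetical typed-field parsers standing in for liblognorm field types.
def _ip(tok):
    return str(ipaddress.ip_address(tok))  # raises ValueError on "-"

def _number(tok):
    if not tok.isdigit():
        raise ValueError(tok)
    return int(tok)

PARSERS = {"ip": _ip, "number": _number, "word": lambda tok: tok}

# Constructed rule for an Apache access-log line: (field name, field type).
RULE = [("client", "ip"), ("ident", "word"), ("user", "word"),
        ("time", "word"), ("request", "word"),
        ("status", "number"), ("bytes", "number")]

# Tokens are [bracketed], "quoted", or whitespace-delimited.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def normalize(line, rule=RULE, null_marker=None):
    """Return a dict of parsed fields, or None if the line does not match.

    With null_marker set, a token equal to it leaves the key out of the
    result and matching continues with the next token."""
    tokens = TOKEN.findall(line)
    if len(tokens) != len(rule):
        return None
    out = {}
    for tok, (name, ftype) in zip(tokens, rule):
        if null_marker is not None and tok == null_marker:
            continue  # field absent in this entry: no key at all
        try:
            out[name] = PARSERS[ftype](tok)
        except ValueError:
            return None  # typed field did not parse, rule fails
    return out

def rules_needed_without_marker(rule=RULE, typed=("ip", "number")):
    """Rules needed if every typed field may be '-': one per combination."""
    return 2 ** sum(1 for _, ftype in rule if ftype in typed)

# Constructed sample: a 304 response, so Apache logs '-' for the byte count.
SAMPLE = '192.0.2.10 - - [28/Jan/2015:10:48:00 +0000] "GET / HTTP/1.1" 304 -'
```

Without the marker the strict `number` type rejects the whole line, which is how entries silently drop out of normalized log data; with it the line matches and the absent fields are simply missing keys.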