When using the field type "word" remember that it takes all characters up
until the next whitespace. When using it to obtain the "smtp" variable, the
field type "word" also includes the bracket. Thus it fails shortly after
as a result of asking for it to follow with a ")".

To correct the rule, remove the end bracket from the literal after your smtp
selection as follows:
rule=:%id_msg:word% H=%host:word% (%smtp:word% [%clientip:ipv4%]:%porta:word% Warning: "%tag:word% as %usuario:word% detected message as %status_spam:word% spam (%-:number%.%-:number%)"

This isn't really practical since you do not really want the bracket, so
another way to write the rule and exclude the brackets could be:
rule=:%id_msg:word% H=%host:word% (%smtp:char-to:)%) [%clientip:ipv4%]:%porta:word% Warning: "%tag:word% as %usuario:word% detected message as %status_spam:word% spam (%-:number%.%-:number%)"

The "char-to" field type lets you capture up to a specific character, which
in your case would be the ")".

Another nice way is to use the "string" field type with the additional
quoting parameters, as follows:
rule=:%id_msg:word% H=%host:word% %smtp:string{"quoting.char.begin":"(", "quoting.char.end":")"}% [%clientip:ipv4%]:%porta:word% Warning: "%tag:word% as %usuario:word% detected message as %status_spam:word% spam (%-:number%.%-:number%)"


Note that that last one works with the latest lognormalizer but you may need
to set "version=2" at the top of your rulebase file when using it with rsyslog.

~Regards

Matthew Gaetano

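To make the difference between the three field types concrete, here is a small Python emulation of how a liblognorm v1 rule is matched against a message. It is an added illustration, not liblognorm's own code and not part of the original post: only the field types the rules above use (word, char-to, number, ipv4, and string with quoting.char.begin/end) are implemented, the sample message is constructed to fit the rule, and the emulation assumes the string parser strips its quoting characters from the captured value (check the liblognorm documentation for the exact quoting options). It runs the failing rule (literal ")" directly after %smtp:word%) and the three corrected variants: the first stops right after the smtp field, the word variant returns the smtp value with the trailing bracket, and the char-to and string variants return it clean.

```python
"""Minimal emulation of liblognorm v1 rule matching (added example, not
liblognorm itself).  Only the field types used in the thread are implemented:
word, char-to, number, ipv4 and string with quoting.char.begin/end."""
import json
import re

# Constructed Exim-style message in the shape the rules expect (not a real log).
SAMPLE = ('1rXyZa-000ABC-De H=mail.example.com (smtp.example.com) '
          '[192.0.2.10]:25 Warning: "SpamAssassin as exim detected message '
          'as NOT spam (0.5)"')

# RULE_BROKEN keeps the ")" literal directly after %smtp:word%, the combination
# that fails; the other three are the variants discussed in the post.
RULE_BROKEN = ('rule=:%id_msg:word% H=%host:word% (%smtp:word%) '
               '[%clientip:ipv4%]:%porta:word% Warning: "%tag:word% as '
               '%usuario:word% detected message as %status_spam:word% spam '
               '(%-:number%.%-:number%)"')
RULE_WORD = RULE_BROKEN.replace('(%smtp:word%)', '(%smtp:word%')
RULE_CHAR_TO = RULE_BROKEN.replace('(%smtp:word%)', '(%smtp:char-to:)%)')
RULE_STRING = RULE_BROKEN.replace(
    '(%smtp:word%)',
    '%smtp:string{"quoting.char.begin":"(", "quoting.char.end":")"}%')

_IPV4 = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def tokenize(rule_line):
    """Split a 'rule=<tags>:<pattern>' line into literal and field tokens.
    Fields look like %name:type[:extra]% or %name:string{json}%; a '%' inside
    the JSON parameters is not handled (none of the rules here need it)."""
    if not rule_line.startswith('rule='):
        raise ValueError('not a rule line')
    _tags, _, pattern = rule_line[len('rule='):].partition(':')
    tokens, i = [], 0
    while i < len(pattern):
        if pattern[i] != '%':
            j = pattern.find('%', i)
            j = len(pattern) if j < 0 else j
            tokens.append(('lit', pattern[i:j]))
            i = j
            continue
        j = pattern.index('%', i + 1)
        name, _, spec = pattern[i + 1:j].partition(':')
        tokens.append(('field', name, spec))
        i = j + 1
    return tokens


def match_field(spec, msg, pos):
    """Return (value, new_pos) for one field at msg[pos:], or None on failure."""
    if spec == 'word':
        # Everything up to the next whitespace, brackets included.
        m = re.compile(r'\S+').match(msg, pos)
    elif spec == 'number':
        m = re.compile(r'\d+').match(msg, pos)
    elif spec == 'ipv4':
        m = _IPV4.match(msg, pos)
    elif spec.startswith('char-to:'):
        # Everything up to (not including) the stop character.
        stop = spec[len('char-to:'):]
        end = msg.find(stop, pos)
        return None if end <= pos else (msg[pos:end], end)
    elif spec.startswith('string{'):
        params = json.loads(spec[len('string'):])
        begin, end_ch = params['quoting.char.begin'], params['quoting.char.end']
        if not msg.startswith(begin, pos):
            return None
        end = msg.find(end_ch, pos + len(begin))
        if end < 0:
            return None
        # Assumption of this emulation: the quoting characters are stripped.
        return msg[pos + len(begin):end], end + len(end_ch)
    else:
        raise ValueError('unsupported field type: ' + spec)
    return None if m is None else (m.group(0), m.end())


def normalize(rule_line, msg):
    """Apply one rule to one message.  Returns (fields, pos): fields is the
    dict of captured values, or None with pos at the offset where it failed."""
    pos, out = 0, {}
    for tok in tokenize(rule_line):
        if tok[0] == 'lit':
            if not msg.startswith(tok[1], pos):
                return None, pos
            pos += len(tok[1])
        else:
            res = match_field(tok[2], msg, pos)
            if res is None:
                return None, pos
            if tok[1] != '-':       # '-' discards the value, as in liblognorm
                out[tok[1]] = res[0]
            pos = res[1]
    return (out, pos) if pos == len(msg) else (None, pos)


if __name__ == '__main__':
    for label, rule in [('broken', RULE_BROKEN), ('word', RULE_WORD),
                        ('char-to', RULE_CHAR_TO), ('string', RULE_STRING)]:
        fields, stop = normalize(rule, SAMPLE)
        print(f'{label:8s} ->', fields if fields else f'no match at offset {stop}')
```

Run it with python3 and compare the four output lines; against a real rulebase the same check is done with `lognormalizer -r <rulebase> -e json` over a file of sample messages.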
--
View this message in context:
http://rsyslog-users.1305293.n2.nabble.com/Rsyslog-to-JSON-parser-tp7591413p7591417.html
Sent from the rsyslog-users mailing list archive at Nabble.com.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog