Hi

Coming back to liblognorm, I have a few questions I'd love an expert reply to. 0:D

*- Documentation [1] states how to define a type, but not how to use it. Are we properly using defined type "apache" in the configuration below?*

- Apache access logs seem to have 2 formats: common and combined [2]
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "referrer" "useragent"
*How should we define our rulesets to have /optional/ fields?

- Our current workaround is to have a defined type and use it as part of a longer rule. Is that ok?*

*- How could we define logic to set a field to "0" when content is "-"? (bytes field)*

type=@apache:%[
    {"type":"ipv4", "name":"ip"},
    {"type":"literal", "text":" "},
    {"type":"word", "name":"ident"},
    {"type":"literal", "text":" "},
    {"type":"word", "name":"user"},
    {"type":"literal", "text":" ["},
    {"type":"char-to", "name":"date", "extradata":"]"},
    {"type":"literal", "text":"] \""},
    {"type":"word", "name":"method"},
    {"type":"literal", "text":" "},
    {"type":"char-to", "name":"request", "extradata":" "},
    {"type":"literal", "text":" HTTP/"},
    {"type":"float", "name":"httpversion"},
    {"type":"literal", "text":"\" "},
    {"type":"number", "name":"response"},
    {"type":"literal", "text":" "},
    {"type":"number", "name":"bytes"}
]%

rule=access:%[
    {"type":"@apache"},
    {"type":"literal", "text":" \""},
    {"type":"char-to", "name":"referrer", "extradata":"\""},
    {"type":"literal", "text":"\" \""},
    {"type":"char-to", "name":"useragent", "extradata":"\""},
    {"type":"literal", "text":"\""}
]%
rule=access:%@apache%

[1] http://www.liblognorm.com/files/manual/configuration.html
[2] https://httpd.apache.org/docs/2.4/logs.html#accesslog
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
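
An added example, not part of the original post and not liblognorm code: a Python reference parser that states the output a rulebase for the two formats above would be expected to produce, using the field names of the posted @apache type. Treating the combined-format tail as optional, mapping a "-" bytes value to 0, and allowing backslash-escaped quotes inside the quoted fields are assumptions of this example.

```python
import re

# Shared prefix: same field order and names as the @apache type in the post.
PREFIX = (
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<method>\S+) (?P<request>\S+) '
    r'HTTP/(?P<httpversion>\d+\.\d+)" (?P<response>\d{3}) (?P<bytes>\d+|-)'
)
# Quoted field body that tolerates backslash-escaped quotes (assumption).
QUOTED = r'(?:[^"\\]|\\.)*'
# Optional tail: present only in the combined format.
TAIL = rf'(?: "(?P<referrer>{QUOTED})" "(?P<useragent>{QUOTED})")?'
LINE = re.compile(PREFIX + TAIL)

INT_FIELDS = ("response", "bytes")


def normalize(line):
    """Return a dict of fields, or None if the line matches neither format."""
    m = LINE.fullmatch(line.strip())
    if m is None:
        return None
    # Drop referrer/useragent when the tail is absent (common format).
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    # A "-" in the bytes column is stored as 0 so the field stays numeric.
    if event["bytes"] == "-":
        event["bytes"] = "0"
    for key in INT_FIELDS:
        event[key] = int(event[key])
    return event


# The two sample lines from the post, plus two constructed lines:
# one with "-" bytes and one with an escaped quote in the user agent.
SAMPLES = [
    '127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326',
    '127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "referrer" "useragent"',
    '192.0.2.7 - - [10/Oct/2000:13:55:40 -0700] "GET /index.html HTTP/1.1" 304 -',
    '192.0.2.7 - - [10/Oct/2000:13:55:41 -0700] "GET / HTTP/1.1" 200 512 "-" "agent \\"x\\" 1.0"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```

Lines that return None here are the ones a rulebase would leave as unparsed data, which makes the function usable as an oracle when comparing normalizer output on a log sample.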