On Thu, 2 Mar 2017, matthew.gaetano wrote:

In an attempt to work around the iptables function restrictions I've turned
to the user data types, alternative, and repeat functions to cope. It's a bit
messy and probably not efficient, but it works for the most part. My only
issue at the moment is that I do not wish to store the matches in a
subtree.

Per the documentation this can be avoided by using the name ".";
likewise, using the name "-" would match but not store the value(s).

When using either in the name property for the repeat function it is not
respected. I do not know if this is intentional or not. Currently I assume
it is to avoid conflicts in field names.

To provide some context, my sample event/log is:
date=2017-03-02 time=16:26:51 devname=localhost devid=FG100D
logid=0000000013 type=traffic subtype=forward level=notice vd=Transparent
srcip=192.168.1.1

My rule base file is:
version=2
type=@FG:date=%date:word%
type=@FG:time=%time:word%
type=@FG:%-:char-to:=%=%-:word%
rule=:%{
       "type":"repeat", "name":".",
       "parser":[
                 {"type":"@FG", "name":"."},
       ],
       "while":[
                 {"type":"literal", "text":" "}
       ]
}%

Execution is:
cat test.log |lognormalizer -e json -r test.rb

Result is:
{ ".": [ { "date": "2017-03-02" }, { "time": "16:26:51" }, { }, { }, { }, { }, { }, { }, { }, { } ] }


This looks like a couple of potential bugs.

The top "." is not being handled as I would expect (although, the fact that repeat returns an array of things and the top level is an object means that there needs to be some name; you can't have {[stuff]}, that's not valid JSON).

If it's matching spaces, they should be quoted.

When using "-" as the name for the repeat function the following result
occurs:
liblognorm error: rulebase file test.rb[32]: invalid param for hexnumber: "-"
{ }

This is exactly what '-' does: it throws away whatever matches, so if you don't have anything else, you would end up with a blank object.

David Lang
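What the thread converges on, modelled in Python as an added example (this is not liblognorm code and not from either poster): parse_pairs returns the shape a named repeat of the @FG type produces, one object per name=value pair, and merge_pairs hoists those objects into one flat top-level object, which is what the poster hoped "." would do and which a consumer of the JSON can do after the fact. Duplicate field names are reported instead of silently overwritten, since that collision is the reason a named subtree is the safer default. The quoted msg value appended to the sample line is an assumed extension of the format, not part of the original event.

```python
import json
import re

# Constructed sample: the event quoted in the thread, extended with a
# double-quoted value containing spaces (an assumption about the log format,
# not taken from the original message).
SAMPLE = ('date=2017-03-02 time=16:26:51 devname=localhost devid=FG100D '
          'logid=0000000013 type=traffic subtype=forward level=notice '
          'vd=Transparent srcip=192.168.1.1 msg="Accept: session start"')

# One pair: a name, "=", then either a double-quoted value (with \" escapes)
# or a bare run of non-whitespace characters.
_PAIR = re.compile(r'([A-Za-z0-9_.-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_pairs(line):
    """Model of the repeat-of-@FG rulebase from the thread: one object per
    name=value pair, in input order, separated by a single literal space."""
    items = []
    pos = 0
    while pos < len(line):
        m = _PAIR.match(line, pos)
        if not m:
            raise ValueError("unparseable input at offset %d: %r"
                             % (pos, line[pos:pos + 20]))
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            # strip the quotes and undo the \" escape
            raw = raw[1:-1].replace('\\"', '"')
        items.append({key: raw})
        pos = m.end()
        if pos < len(line):
            # the "while" part of the repeat: exactly one space between pairs
            if line[pos] != ' ':
                raise ValueError("expected a space at offset %d" % pos)
            pos += 1
    return items


def merge_pairs(items):
    """Hoist the per-pair objects into one flat object, refusing to merge
    when two pairs carry the same field name."""
    merged = {}
    for obj in items:
        for key, value in obj.items():
            if key in merged:
                raise ValueError("duplicate field %r" % key)
            merged[key] = value
    return merged


def normalize(line):
    """Flat JSON document for one event, keys sorted for stable output."""
    return json.dumps(merge_pairs(parse_pairs(line)), sort_keys=True)


if __name__ == "__main__":
    print(normalize(SAMPLE))
```

Feeding a line with the same field twice to merge_pairs raises instead of keeping the last value, so a consumer sees the conflict that the poster guessed liblognorm's "." restriction is meant to avoid.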
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
