I found an odd situation where the liblognorm rules I'm using won't
match unless I first strip out tab characters before having mmnormalize
process the content.
Is this expected behavior? Thank you in advance for your help.
rsyslog snippet:
if ($programname startswith 'myapp') then {
    set $.msg = replace($.msg, '\t', ' ');
    action(
        type="mmnormalize"
        variable="$.msg"
        path="$.myapp!log-msg"
        rulebase="/etc/rsyslog/myapp-log-patterns.rb"
    )
    action(
        type="omfile"
        file="/var/log/rsyslog-myapp-debug.log"
        template="RSYSLOG_DebugFormat"
    )
}
liblognorm rules:
They're not shown here, but the flat-file examples listed below (which
are ingested by imfile) contain one or MORE tab characters separating
the columns.
# 2018-02-21 15:25:33 Login.Intruder.User 111.222.333.444 mouse123456 5 failed login attempts; evading username
rule=:%datestamp:date-iso%%-:whitespace%%timestamp:time-24hr%%-:whitespace%%event:word%%-:whitespace%%ip:ipv4%%-:whitespace%%auth:word%%-:rest%
# 2018-02-21 15:25:50 Login.Intruder.IP 111.222.333.444 mouse123456
rule=:%datestamp:date-iso%%-:whitespace%%timestamp:time-24hr%%-:whitespace%%event:word%%-:whitespace%%ip:ipv4%%-:whitespace%%auth:word%
I tried using both v1 and v2 rules, all with no luck; evidently I'm
doing something wrong. As noted, I had to first strip out the tabs before
the rules shown above would work.
Links:
- https://github.com/deoren/rsyslog-examples/blob/master/mailing-list/liblognorm/tabs_are_a_pain/rsyslog-snippet.conf
- https://github.com/deoren/rsyslog-examples/blob/master/mailing-list/liblognorm/tabs_are_a_pain/intruders-log-patterns.rb
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
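Added reproduction aid (not code from the post, from rsyslog or from liblognorm): the Python below runs the two posted rules over tab-separated copies of the example lines using small models of the parsers built from liblognorm's documented definitions, in which `word` runs up to the next space (\x20) and so treats a tab as part of the word; the regex parsers, the omitted octet range check and the sample lines are assumptions, and the block shows that the lines only normalize after the `replace($.msg, '\t', ' ')` step.

```python
import re
# Constructed sample input: the post's two example lines, tab-separated as
# imfile delivers them (one or MORE tabs per gap, hence the double tab).
RAW_LINES = [
    "2018-02-21\t15:25:33\tLogin.Intruder.User\t111.222.333.444\t\tmouse123456"
    "\t5 failed login attempts; evading username",
    "2018-02-21\t15:25:50\tLogin.Intruder.IP\t111.222.333.444\tmouse123456",
]
# The two rules exactly as posted.
RULES = [
    "rule=:%datestamp:date-iso%%-:whitespace%%timestamp:time-24hr%%-:whitespace%%event:word%%-:whitespace%%ip:ipv4%%-:whitespace%%auth:word%%-:rest%",
    "rule=:%datestamp:date-iso%%-:whitespace%%timestamp:time-24hr%%-:whitespace%%event:word%%-:whitespace%%ip:ipv4%%-:whitespace%%auth:word%",
]
# Minimal models of the parsers used, after liblognorm's documented
# definitions: `word` runs up to the next space (\x20) only, so a tab is NOT
# a word boundary; `whitespace` skips any whitespace; `rest` takes the
# remainder. Octet range checks are omitted (the post's address is a
# placeholder). Reproduction aid only, not liblognorm's own code.
PARSERS = {
    "date-iso": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "time-24hr": re.compile(r"\d{2}:\d{2}:\d{2}"),
    "ipv4": re.compile(r"\d{1,3}(?:\.\d{1,3}){3}"),
    "whitespace": re.compile(r"\s+"),
    "word": re.compile(r"[^ ]+"),
    "rest": re.compile(r".*", re.S),
}

def parse_rule(rule):
    """Turn 'rule=:%name:type%%name:type%...' into [(name, type), ...]."""
    return re.findall(r"%([^:%]+):([^%]+)%", rule)

def normalize(line, rules):
    """Apply each rule left to right with no backtracking, as liblognorm does;
    the first rule that consumes the whole line wins, otherwise None."""
    for rule in rules:
        pos, fields, ok = 0, {}, True
        for name, ptype in parse_rule(rule):
            m = PARSERS[ptype].match(line, pos)
            if m is None:
                ok = False
                break
            if name != "-":
                fields[name] = m.group(0)
            pos = m.end()
        if ok and pos == len(line):
            return fields
    return None

def strip_tabs(line):
    """The rsyslog workaround from the post: replace($.msg, '\\t', ' ')."""
    return line.replace("\t", " ")
```

The authoritative check remains running the real rulebase with liblognorm's `lognormalizer -r <rulebase> -e json` over the raw file; this model only reproduces the word/whitespace distinction.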