You would create a new parser with pmnormalize and then define a new parser
chain that would use the pmnormalize parser first, then the fallbacks that you
want.
Most people use mmnormalize to parse the msg part later in the config;
pmnormalize is normally used for situations where the log does not have the
headers as defined by either RFC (3164 or 5424).
David Lang
On Tue, 23 Apr 2019, Brian Candler via rsyslog wrote:
Date: Tue, 23 Apr 2019 18:44:21 +0100
From: Brian Candler via rsyslog <[email protected]>
To: [email protected]
Cc: Brian Candler <[email protected]>
Subject: [rsyslog] Using syslog parsers in conjunction with pmnormalize
As I understand it, the default parser chain in rsyslog is
[rsyslog.rfc5424, rsyslog.rfc3164]. This provides helpful fallback
behaviour: it tries to parse the message as rfc5424, and if that fails,
will parse it as rfc3164.
I would like to extract fields out of the "msg" part using pmnormalize,
but I can't see how to do this. The documentation says that a parser
which accepts a message prevents further processing by another parser in
the chain.
I could rewrite all the rfc5424 and rfc3164 logic as liblognorm rules,
but that would be painful. Furthermore, even with a suitable 'prefix'
setting I'd probably have to include the ruleset at least twice:
    prefix=<pattern-for-rfc5424>
    include=myrules.rb
    prefix=<pattern-for-rfc3164>
    include=myrules.rb
    # catchall for unstructured messages
    prefix=
    include=myrules.rb
I even thought about getting one rsyslog instance to do the rfc5424/3164
parsing, and then pass this in a structured format (e.g. JSON) to
another rsyslog. But then I can't see how to get pmnormalize to process
a single field out of the message, as opposed to the whole JSON message
(and I don't want to throw away all the other message metadata).
Is there another way to achieve what I'm looking for?
Thanks,
Brian.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
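
The two approaches described in the reply at the top of this thread, sketched as an rsyslog configuration. This is an added example, not configuration posted in the thread or taken from the rsyslog project; the rulebase paths, ruleset, parser and template names, output files and ports are assumptions.

```conf
# Added example; all paths, names and ports below are assumptions.
module(load="imudp")
module(load="mmnormalize")   # message modification module, used as an action
module(load="pmnormalize")   # parser module, used in a parser chain

# Header properties from the syslog parser plus the fields liblognorm extracted.
template(name="with_fields" type="string"
         string="%timereported:::date-rfc3339% %hostname% %$!all-json%\n")

# Approach 1: leave the default chain (rsyslog.rfc5424, then rsyslog.rfc3164)
# in place so the header is parsed as usual, then normalize only the msg part.
ruleset(name="headers_then_msg") {
    # useRawMsg="off" (the default) applies the rulebase to msg, not rawmsg,
    # so myrules.rb needs no prefix= lines for the syslog header.
    action(type="mmnormalize"
           rulebase="/etc/rsyslog.d/myrules.rb"
           useRawMsg="off")
    if $parsesuccess == "OK" then {
        action(type="omfile" file="/var/log/normalized.log"
               template="with_fields")
    } else {
        # Keep messages that matched no rule so gaps in the rulebase are visible.
        action(type="omfile" file="/var/log/unnormalized.log")
    }
}

# Approach 2: for sources that send lines without an RFC 3164/5424 header,
# try a pmnormalize parser first, then fall back to the stock parsers.
# The parser object must be defined before the ruleset that names it.
parser(name="custom.pmnormalize" type="pmnormalize"
       rulebase="/etc/rsyslog.d/headerless.rb")

ruleset(name="headerless_first"
        parser=["custom.pmnormalize", "rsyslog.rfc5424", "rsyslog.rfc3164"]) {
    action(type="omfile" file="/var/log/headerless.log")
}

input(type="imudp" port="514"  ruleset="headers_then_msg")
input(type="imudp" port="1514" ruleset="headerless_first")
```

Validate the file with `rsyslogd -N1` before reloading; messages landing in the unnormalized file show which formats the rulebase does not yet cover.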