> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Rainer Gerhards
> Sent: Thursday, December 02, 2010 5:15 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Fun with liblognorm / rsyslog
>
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Champ Clark III [Softwink]
> > Sent: Thursday, December 02, 2010 5:10 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Fun with liblognorm / rsyslog
> >
> > > It is! And I am well aware of it. In rsyslog, I have the same issue. I think of something like a "common prefix" inside the sample db (maybe rulebase is a better name, btw :)). That would be common to all rules, and only the common prefix would need to be changed for different headers. It's not 100% sorted out, there is still enough work to do on the core engine (needs more parsers, parser priority, str optimizations).
> >
> > That makes sense, if I understand correctly. Basically some way you can "tell" the library, i.e. "I only have the 'message' portion, so apply the rule base to it, but only using the 'message' portion of the rule"? That sort of thing?
>
> simpler: the rule base (I tend to switch to this term ;)) will have an extra entry, e.g.
>
> commonPrefix=<%PRI:PRI%>%date:date-rfc3164%...
> and
> rule=Port=%port%number%...
>
> and the process will combine the two while building the tree, like this:
> <%PRI:PRI%>%date:date-rfc3164%... rule=Port=%port%number%...
>
> And now that I wrote this, it's probably something to implement very soon, because it is pretty simple ;) Boils down to string concatenation.
Said and done - I pushed the rsyslog work away, as this is more useful. You can now pull from git, the rule base (sample db) format has changed. You can now specify a common prefix, as I said. Sample:

prefix=:%date:date-rfc3164% %host:word% %seqnum:number%: %othseq:char-to:\x3a%: %%%tag:char-to:\x3a%:
rule=: Configured from console by %tty:word:% (%ip:ipv4%)
rule=: Authentication failure for %proto:word% req from host %ip:ipv4%
rule=: Interface %interface:char-to:,%, changed state to %state:word%
rule=: Line protocol on Interface %interface:char-to:,%, changed state to %state:word%
rule=: Attempted to connect to %servname:word% from %ip:ipv4%

This is also much easier to read. Note that the first space is part of the sample. I did this to keep consistent with how rsyslog treats things in regard to RFC3164. But you could also move it to the common prefix. I'll probably also add a "prefixextend" command so that a single ruleset could also handle that.

Rainer
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
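An added example, not liblognorm's or rsyslog's own code, that emulates the prefix-plus-rule concatenation the thread describes with a small regex-based normalizer. It assumes that the text after the first ':' on a prefix=/rule= line is the sample (the part before it would hold tags), supports only the parser types the rule base above uses, and checks a constructed Cisco-style syslog message against two of those rules.

```python
import re
# Toy emulation (added example, not liblognorm's own code) of the thread's idea:
# each rule sample is concatenated to the common prefix, then matched whole.
PARSERS = {  # parser types used on the page, mapped to regex fragments
    "date-rfc3164": r"[A-Z][a-z]{2} [ 0-9]\d \d{2}:\d{2}:\d{2}",
    "word": r"\S+", "number": r"\d+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
}

def sample_to_regex(sample):
    """Sample of literals and %name:type[:extra]% fields -> regex with one named
    group per field. '%%' is a literal '%'; \\xNN in extra data is decoded."""
    out, i = [], 0
    while i < len(sample):
        if sample.startswith("%%", i):
            out.append("%"); i += 2
        elif sample[i] == "%":
            end = sample.index("%", i + 1)
            name, ptype, *extra = sample[i + 1:end].split(":", 2)
            if ptype == "char-to":  # anything up to (not including) the character
                stop = extra[0].encode().decode("unicode_escape")
                pat = "[^%s]*" % re.escape(stop)
            else:
                pat = PARSERS[ptype]
            out.append("(?P<%s>%s)" % (name, pat)); i = end + 1
        else:
            out.append(re.escape(sample[i])); i += 1
    return "".join(out)

def load_rulebase(text):
    """Return (prefix, [rules]). Assumes the sample is the text after the first
    ':' of each prefix=/rule= line (the part before it would hold tags)."""
    prefix, rules = "", []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "prefix":
            prefix = value.split(":", 1)[1]
        elif key == "rule":
            rules.append(value.split(":", 1)[1])
    return prefix, rules

def normalize(rulebase, msg):  # first rule whose prefix+rule matches wins
    prefix, rules = load_rulebase(rulebase)
    for rule in rules:
        m = re.fullmatch(sample_to_regex(prefix + rule), msg)
        if m:
            return m.groupdict()
    return None

# Two of the rules from the message above, embedded as constructed test input.
RULEBASE = r"""prefix=:%date:date-rfc3164% %host:word% %seqnum:number%: %othseq:char-to:\x3a%: %%%tag:char-to:\x3a%:
rule=: Configured from console by %tty:word:% (%ip:ipv4%)
rule=: Interface %interface:char-to:,%, changed state to %state:word%
"""
```

Because the leading space of each rule is kept in the sample, a message whose tag is followed by no space fails to match, which is the point the note above makes about RFC3164 handling.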

