Hi!
I'm trying to split logs from Cisco and learn how to use the new config style.
I'm using rsyslog-7.2.2.
So... Cisco logs have the following structure: xxxx %ASA-d-eeefff: yyyyyy
Where xxxx and yyyy are meaningless strings (in the context of splitting
logs). "d", "eee", "fff" represent digits in the message.
Example:
0.0.0.0 : %ASA-4-400014: IDS:2004 .....
I'm interested in splitting the files in the following way:
if d==0 or d==1 or d==2 or d==3 then
    if eee==109 or eee=113 then
        /var/log/asa-auth-err.log
    elif eee==316 or eee=320 then
        /var/log/asa-vpn-err.log
    [... more similar comparisons...]
if d>=4 then
    if eee==109 or eee=113 then
        /var/log/asa-auth-info.log
    elif eee==316 or eee=320 then
        /var/log/asa-vpn-info.log
    [... more similar comparisons...]
I think I should use dynafile templates and regexps, but I don't know how to
change an occurrence of a string, e.g. 109 or 113, to the string "auth".
e.g. $template cisco_err_tmpl,"/var/log/asa-%msg:R,ERE,2,FIELD:(.*\ \:\ \%ASA-[0-9]-)(109|113)--end%-err.log"
will create two files, /var/log/asa-109-err.log and
/var/log/asa-113-err.log, instead of one /var/log/asa-auth-err.log
The second thing is using "if" with a regexp. I wrote:
if $fromhost-ip == '192.168.0.254' and %msg:R,ERE,2,FIELD:(.*\ \:\ \%ASA-)([0-9]{1})(-)--end% contains '0' or %msg:....--end% contains '1'
etc....
But this is not correct syntax.
Could you give me some advice on how I should write it?
Thanks,
Marcin
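One way to express this split in rsyslog 7.x RainerScript, as an added example and not the poster's own config. It assumes the ASA sends from 192.168.0.254 (the address used in the post), that each message carries "%ASA-d-eeefff:", and that re_extract(), cnum(), set, string templates with JSON variables and stop are available in the 7.2 version in use; the variable names $!asa_* are chosen here.

```rsyslog
# Added example (not from the original post). Assumed: rsyslog >= 7.2 with
# re_extract(), cnum(), set and stop; ASA sender 192.168.0.254.

# Pull the severity digit (d) and the three-digit class (eee) out of the
# message; the no-match value "" marks lines that are not ASA messages.
set $!asa_sev = re_extract($msg, "%ASA-([0-9])-([0-9]{3})[0-9]{3}:", 0, 1, "");
set $!asa_cls = re_extract($msg, "%ASA-([0-9])-([0-9]{3})[0-9]{3}:", 0, 2, "");

# Map the message class to the short name wanted in the file name.
# Each variable is set exactly once per message, so set never has to
# overwrite an existing value.
if $!asa_cls == "109" or $!asa_cls == "113" then {
    set $!asa_name = "auth";
} else {
    if $!asa_cls == "316" or $!asa_cls == "320" then {
        set $!asa_name = "vpn";
    } else {
        set $!asa_name = "other";
    }
}

# Severities 0-3 go to the -err file, 4 and above to the -info file.
if cnum($!asa_sev) <= 3 then {
    set $!asa_level = "err";
} else {
    set $!asa_level = "info";
}

# The dynafile name is built from the two variables,
# e.g. /var/log/asa-auth-err.log or /var/log/asa-vpn-info.log
template(name="asa_file" type="string"
         string="/var/log/asa-%$!asa_name%-%$!asa_level%.log")

# Only messages from the ASA that actually matched the pattern are written
# here; everything else falls through to the normal rules below.
if $fromhost-ip == "192.168.0.254" and $!asa_sev != "" then {
    action(type="omfile" dynaFile="asa_file")
    stop
}
```

Classes not listed in the mapping land in asa-other-*.log rather than being dropped, so a new message ID shows up on disk instead of silently disappearing.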
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog