Hi Marcin,

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Marcin Miroslaw
> Sent: Thursday, November 22, 2012 3:28 PM
> To: rsyslog-users
> Subject: [rsyslog] Splitting and filtering Cisco logs
> 
> Hi!
> I'm trying to split logs from Cisco and learn how to use the new config style.
> I'm using rsyslog-7.2.2.
> So... Cisco logs have such a structure: xxxx %ASA-d-eeefff: yyyyyy
> Where xxxx and yyyy are meaningless strings (in the context of splitting
> logs). "d", "eee", "fff" represent digits in the message.
> Example:
> 0.0.0.0 : %ASA-4-400014: IDS:2004 .....
> I'm interested in splitting files in such a way:
> 
> if d==0 or d==1 or d==2 or d==3  then
>               if eee==109 or eee==113 then
>                       /var/log/asa-auth-err.log
>               elif eee==316 or eee==320 then
>                       /var/log/asa-vpn-err.log
>               [... more similar comparisons...]
> 
> if d>=4 then
>               if eee==109 or eee==113 then
>                       /var/log/asa-auth-info.log
>               elif eee==316 or eee==320 then
>                       /var/log/asa-vpn-info.log
>               [... more similar comparisons...]
> 
> I think I should use dynafile templates and regexps, but I don't know how to
> change an occurrence of a string, e.g. 109 or 113, to the string "auth".
> e.g $template cisco_err_tmpl,"/var/log/asa-%msg:R,ERE,2,FIELD:(.*\ \:\
> \%ASA-[0-9]-)(109|113)--end%-err.log"
> will create two files, /var/log/asa-109-err.log and
> /var/log/asa-113-err.log, instead of one /var/log/asa-auth-err.log
> 
> Second thing is using "if" with regexp, I wrote:
> if $fromhost-ip == '192.168.0.254' and %msg:R,ERE,2,FIELD:(.*\ \:\
> \%ASA-)([0-9]{1})(-)--end% contains '0' or %msg:....--end% contains '1'
> etc....
> 
> But this is not correct syntax.

I think you should tackle that beast from a different angle. Regex is NOT the 
way to go here. Mmnormalize is - that's *the* use case for that module. Just 
yesterday I have posted the relevant links to the mailing list (in reply to a 
similar question). Please have a look at the archive, I don't want to dig them 
out again (also, Google is good at finding them).

There are probably already rulebases for Cisco Messages (Champ, are you 
listening?).

So I would suggest first familiarizing yourself with mmnormalize. Then, we can look 
into how to craft the new-style config.

Please let us know where you run into troubles. I'll see if I can craft up some 
better doc if there is need for it (I bet so ;)).

Rainer
> 
> Could you give me some advice on how I should write it?
> Thanks,
> Marcin
> 
> 
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> if you DON'T LIKE THAT.
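The routing Marcin describes is a two-step lookup: the severity digit "d" picks the err/info suffix, and the three-digit message class "eee" is mapped to a name such as "auth" or "vpn" rather than copied into the file name. The following is an added example, not code from the thread and not rsyslog configuration: a small Python prototype of that decision logic, useful for checking the class-to-name table against sample lines before it is turned into an mmnormalize rulebase and a new-style config. The split of the six-digit ID into "eee" and "fff", the fallback name `other` for ASA classes not in the table, and all sample lines except the one quoted in the thread are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Tag format from the thread: "%ASA-d-eeefff:", where d is the severity digit
# and the six-digit message ID splits into the class "eee" and the number "fff".
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-9])-(?P<cls>[0-9]{3})(?P<num>[0-9]{3}):")

# Message classes named in the thread, mapped to the word used in the file name.
# Extending this table replaces the growing if/elif chain from the question.
CLASS_NAMES: Dict[str, str] = {
    "109": "auth",
    "113": "auth",
    "316": "vpn",
    "320": "vpn",
}

# Assumed fallback name for ASA messages whose class is not in the table,
# so that nothing from the firewall is silently dropped.
FALLBACK_NAME = "other"


def route(msg: str, base: str = "/var/log") -> Optional[str]:
    """Return the target file for one syslog line, or None if it is not an ASA line."""
    m = ASA_TAG.search(msg)
    if m is None:
        return None
    severity = int(m.group("sev"))
    # Severities 0..3 go to the -err file, 4 and above to the -info file.
    level = "err" if severity <= 3 else "info"
    name = CLASS_NAMES.get(m.group("cls"), FALLBACK_NAME)
    return f"{base}/asa-{name}-{level}.log"


def route_many(lines: List[str], base: str = "/var/log") -> Dict[str, List[str]]:
    """Group lines by target file; non-ASA lines are collected under 'unmatched'."""
    buckets: Dict[str, List[str]] = {}
    for line in lines:
        target = route(line, base) or "unmatched"
        buckets.setdefault(target, []).append(line)
    return buckets


# Constructed sample lines; only the first one is quoted in the thread.
SAMPLE_LINES = [
    "0.0.0.0 : %ASA-4-400014: IDS:2004 .....",
    "192.168.0.254 : %ASA-3-109001: sample auth failure text",
    "192.168.0.254 : %ASA-6-113001: sample auth info text",
    "192.168.0.254 : %ASA-2-316001: sample vpn error text",
    "192.168.0.254 : %ASA-5-320001: sample vpn info text",
    "192.168.0.254 : not a firewall message at all",
]

if __name__ == "__main__":
    for target, lines in sorted(route_many(SAMPLE_LINES).items()):
        print(f"{target}: {len(lines)} line(s)")
```

The point of the table is the one Marcin asked about: the file name is built from a looked-up name, not from the raw digits, so 109 and 113 both land in the same auth file. Keeping an explicit fallback bucket (here `other`, plus `unmatched` for lines that are not ASA messages at all) matters when this goes into production, because a class that is missing from the table would otherwise disappear from the split files without any error.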