Hello Rainer,
Thanks for your answer.
We are not actually using the rsyslog Windows agent, and we won't.
We receive regular syslog datagrams in UDP packets.
Our "msg" field looks like this:
672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name: DC1$
Supplied Realm Name: DOMAIN1.LOCAL User ID:
%{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name: krbtgt
Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} Ticket Options:
0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type:
2 Client Address: 1.1.1.1 Certificate Issuer Name: Certificate Serial Number:
Certificate Thumbprint:
Is there another way to split this message field into N fields?
Regards,
Mathieu
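Since the template engine offered no submatch capture, one way to get the N fields is to parse the message before it reaches the database. The Python below is an added example, not code from the thread or from rsyslog: it takes the event 672 message quoted above and splits it into named fields, using the known field labels as delimiters because the labels contain spaces and several values (the certificate fields) are empty. The label list is an assumption read off the sample message; the same function works for any other "Label: value Label: value" event if you pass its own label list.

```python
import re

# Constructed sample: the event 672 message quoted in this thread, joined on one line.
SAMPLE_672 = (
    "672: NT AUTHORITY\\SYSTEM: Authentication Ticket Request: User Name: DC1$ "
    "Supplied Realm Name: DOMAIN1.LOCAL User ID: "
    "%{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name: krbtgt "
    "Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} Ticket Options: "
    "0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: "
    "2 Client Address: 1.1.1.1 Certificate Issuer Name: Certificate Serial Number: "
    "Certificate Thumbprint:"
)

# Assumed label list for event 672, in the order they appear in the sample above.
# Labels contain spaces and values may be empty, so splitting on ':' would mis-assign them.
FIELDS_672 = [
    "User Name", "Supplied Realm Name", "User ID", "Service Name", "Service ID",
    "Ticket Options", "Result Code", "Ticket Encryption Type",
    "Pre-Authentication Type", "Client Address", "Certificate Issuer Name",
    "Certificate Serial Number", "Certificate Thumbprint",
]

# Prefix layout: "<event id>: <account>: <event description>: <labelled fields...>"
HEADER_RE = re.compile(
    r"^(?P<event_id>\d+):\s*(?P<account>[^:]+):\s*(?P<description>[^:]+):\s*(?P<rest>.*)$",
    re.S,
)


def build_field_regex(labels):
    # A value runs from its label up to the next known label or the end of the
    # string; the lookahead is what keeps empty values from swallowing the next label.
    alt = "|".join(re.escape(label) for label in labels)
    return re.compile(
        r"(?P<label>" + alt + r"):\s*(?P<value>.*?)\s*(?=(?:" + alt + r"):|$)", re.S
    )


def parse_event(msg, labels=FIELDS_672):
    """Return a dict with event_id, account, description and one key per label."""
    m = HEADER_RE.match(msg.strip())
    if not m:
        raise ValueError("not an '<id>: <account>: <description>: ...' message")
    fields = {"event_id": int(m["event_id"]), "account": m["account"].strip(),
              "description": m["description"].strip()}
    for hit in build_field_regex(labels).finditer(m["rest"]):
        fields[hit["label"]] = hit["value"]
    for label in labels:          # missing labels become "" so every INSERT gets the same columns
        fields.setdefault(label, "")
    return fields
```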
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Rainer Gerhards
Sent: Thursday, November 29, 2012 10:04
To: rsyslog-users
Subject: Re: [rsyslog] Templates sub matching regex
> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of GUERIN Mathieu
> Sent: Thursday, November 29, 2012 10:03 AM
> To: [email protected]
> Subject: [rsyslog] Templates sub matching regex
>
> Hello everybody,
>
> Actually, I am using rsyslog to collect Windows events and I would
> like to know if it is possible to capture and reuse the sub-matches of a
> regular expression?
>
> I have written some templates to record the events in a database. But
> I am forced to use expressions like: %msg:F,58:2%. That is not enough
> to split the field.
> My aim is to use a regular expression to explode the "msg" field into N
> fields and use them.
The rsyslog windows agent can emit data in CEE format. You can then simply use
mmjsonparse to get hold of the individual fields.
>
> In this way, I will be able to write a template like:
>
> $template EVT,"insert into table (field1, field2, field3)
> values (%msg <Submatch 1>%,%msg <Submatch 2>%,%msg <Submatch 3>%),SQL
>
This is not possible.
Rainer
> Maybe someone has faced this trouble?
>
> Thanks a lot for your help.
> Mathieu.
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.