Hi,

You can try with mmnormalize: http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/

Best regards,
Radu

2012/11/29 GUERIN Mathieu <[email protected]>
> Hello Rainer,
>
> Thanks for your answer.
>
> We are not using the rsyslog Windows agent actually, and we won't.
> We receive regular syslog datagrams in UDP packets.
>
> Our field "msg" is like this:
> 672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name: DC1$
> Supplied Realm Name: DOMAIN1.LOCAL User ID:
> %{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name: krbtgt
> Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} Ticket Options:
> 0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication
> Type: 2 Client Address: 1.1.1.1 Certificate Issuer Name: Certificate Serial
> Number: Certificate Thumbprint:
>
> Is there another way to split this message field into N fields?
> Regards,
> Mathieu
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
> Sent: Thursday, November 29, 2012 10:04
> To: rsyslog-users
> Subject: Re: [rsyslog] Templates sub matching regex
>
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of GUERIN Mathieu
> > Sent: Thursday, November 29, 2012 10:03 AM
> > To: [email protected]
> > Subject: [rsyslog] Templates sub matching regex
> >
> > Hello everybody,
> >
> > Actually, I am using rsyslog to collect Windows events and I would
> > like to know if it is possible to capture and reuse the sub-matches of a
> > regular expression.
> >
> > I have written some templates to record the events in a database. But
> > I am forced to use expressions like %msg:F,58:2%. That is not enough
> > to split the field.
> > My aim is to use a regular expression to explode the "msg" field into N
> > fields and use them.
>
> The rsyslog Windows agent can emit data in CEE format. You can then simply
> use mmjsonparse to get hold of the individual fields.
>
> > In this way, I will be able to write a template like:
> >
> > $template EVT,"insert into table (field1, field2, field3)
> > values (%msg <Submatch 1>%,%msg <Submatch 2>%,%msg <Submatch 3>%),SQL
>
> This is not possible.
>
> Rainer
>
> > Maybe someone has faced this trouble?
> >
> > Thanks a lot for your help.
> > Mathieu.
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
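As an added example that is not from this thread or from the rsyslog project, the Python below does what a liblognorm rulebase would do inside rsyslog for the event 672 message quoted above: it splits the msg field into named fields by matching against the known label list instead of splitting on the next colon, since values such as the certificate fields can be empty and the source "NT AUTHORITY\SYSTEM" contains a space. The label order and the function names are assumptions of this example.

```python
import re

# Field labels in the order Windows writes them for security event 672
# (Kerberos authentication ticket request), as quoted in the thread.
LABELS = [
    "User Name", "Supplied Realm Name", "User ID", "Service Name",
    "Service ID", "Ticket Options", "Result Code", "Ticket Encryption Type",
    "Pre-Authentication Type", "Client Address", "Certificate Issuer Name",
    "Certificate Serial Number", "Certificate Thumbprint",
]

def _key(label):
    """'Pre-Authentication Type' -> 'pre_authentication_type'."""
    return re.sub(r"[^a-z0-9]+", "_", label.lower()).strip("_")

# The message is "<event id>: <source>: <event name>: " followed by a run of
# "Label: value" pairs.  Values may be empty or contain spaces, so each value
# is matched lazily up to the next known label (or end of string).
_MSG_RE = re.compile(
    r"^(?P<event_id>\d+): (?P<source>.*?): (?P<event_name>[^:]+): "
    + r"\s*".join(re.escape(l) + r":\s*(?P<" + _key(l) + r">.*?)" for l in LABELS)
    + r"\s*$"
)

# Windows wraps SIDs as %{S-1-...}; unwrap them for downstream use.
_SID_WRAP = re.compile(r"^%\{(S-[\d-]+)\}$")

def parse_event_672(msg):
    """Split the msg field into named fields; None if it does not match."""
    m = _MSG_RE.match(msg.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for k in ("user_id", "service_id"):
        sid = _SID_WRAP.match(fields[k])
        if sid:
            fields[k] = sid.group(1)
    return fields

# Constructed sample input: the message quoted in the thread, joined on one line.
SAMPLE_MSG = (
    "672: NT AUTHORITY\\SYSTEM: Authentication Ticket Request: User Name: DC1$ "
    "Supplied Realm Name: DOMAIN1.LOCAL User ID: "
    "%{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name: krbtgt "
    "Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} Ticket Options: "
    "0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication "
    "Type: 2 Client Address: 1.1.1.1 Certificate Issuer Name: Certificate Serial "
    "Number: Certificate Thumbprint:"
)
```

Calling `parse_event_672(SAMPLE_MSG)` returns a dict with one key per label plus `event_id`, `source` and `event_name`; a message that does not follow the 672 layout returns `None` rather than a partially filled record.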

