Thanks again for your help.
Unfortunately, that is not fixing our issue. We need to use regular expressions
because all the fields are strongly different...
As I explained, our field "msg" is like that:
672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name: DC1$
Supplied Realm Name: DOMAIN1.LOCAL User ID:
%{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name: krbtgt
Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} Ticket Options:
0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type:
2 Client Address: 1.1.1.1 Certificate Issuer Name: Certificate Serial Number:
Certificate Thumbprint:
And we want to extract each field/value to insert into a database. For
example, table evt_672 will have those columns:
User;Message; User Name; Realm Name; User ID;Service Name; Service ID; Ticket
Options;Result Code; Ticket Encryption Type; Pre-Authentication Type; Client
Address; Certificate Issuer Name;Certificate Serial Number; Certificate
Thumbprint
With the appropriate values in each column:
NT AUTHORITY\SYSTEM;Authentication Ticket Request;; DC1$ ; DOMAIN1.;
%{S-1-1-21-2174394605-2473340430-154362123253-1205} ; krbtgt
;%{S-1-5-23-2174876605-247765430-1543628353-592} ; 0x40810010 ; - ; 0x17 ; 2 ;
1.1.1.;;;
Do you plan to develop (in your roadmap) a module to interface a home-made
parsing script? Then everybody will be able to develop their own parser and
implement it to do what they want.
So we will be able to record the log, fine-grained, in a database, a file or
anything else.
I really appreciate your help. Thanks very much.
Regards,
Mathieu
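An added example (not code from the thread, from rsyslog, or from Mathieu's setup) of the split Mathieu describes, written as the kind of stand-alone parsing script he asks about. It assumes the label order and the column names shown in his message; the sample line is constructed from the msg text quoted above, and an in-memory SQLite table stands in for the real database. Values are bound as parameters instead of being pasted into the SQL string, which is the check worth having before a user-controlled field such as User Name reaches the database.

```python
import re
import sqlite3

# Constructed sample line: the event 672 "msg" text quoted in the thread, on one line.
SAMPLE_672 = (
    "672: NT AUTHORITY\\SYSTEM: Authentication Ticket Request: User Name: DC1$ "
    "Supplied Realm Name: DOMAIN1.LOCAL User ID: "
    "%{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name: krbtgt "
    "Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} Ticket Options: "
    "0x40810010 Result Code: - Ticket Encryption Type: 0x17 "
    "Pre-Authentication Type: 2 Client Address: 1.1.1.1 Certificate Issuer Name: "
    "Certificate Serial Number: Certificate Thumbprint:"
)

# Field labels of event 672 in the order they occur in the text (taken from the thread).
LABELS_672 = [
    "User Name", "Supplied Realm Name", "User ID", "Service Name", "Service ID",
    "Ticket Options", "Result Code", "Ticket Encryption Type",
    "Pre-Authentication Type", "Client Address", "Certificate Issuer Name",
    "Certificate Serial Number", "Certificate Thumbprint",
]

# Mathieu's table layout names the "Supplied Realm Name" column "Realm Name".
COLUMN_RENAMES = {"Supplied Realm Name": "Realm Name"}

# "<event id>: <user>: <message>: " precedes the label/value pairs.
HEADER_RE = re.compile(r"(\d+):\s*(.*?):\s*(.*?):\s*")


def parse_event(msg, labels):
    """Split '<id>: <user>: <message>: Label: value ...' into a dict.

    Returns None when the line does not have the expected layout, so a
    caller can route unparsed lines elsewhere instead of inserting garbage.
    """
    head = HEADER_RE.match(msg)
    if head is None:
        return None
    event_id, user, message = head.groups()
    body = msg[head.end():]
    # Each lazy group stops at the next literal label, so an empty value such as
    # "Certificate Issuer Name:" directly followed by the next label parses as "".
    pattern = "".join(
        rf"{re.escape(lbl)}:\s*(?P<f{i}>.*?)\s*" for i, lbl in enumerate(labels)
    ) + r"$"
    m = re.fullmatch(pattern, body)
    if m is None:
        return None
    row = {"EventID": int(event_id), "User": user, "Message": message}
    for i, lbl in enumerate(labels):
        row[COLUMN_RENAMES.get(lbl, lbl)] = m.group(f"f{i}")
    return row


def insert_event(conn, row):
    """Create evt_<id> if needed and insert the row with bound parameters.

    Only the integer event id (matched by \\d+) is interpolated into the SQL
    text; field values are passed as parameters and never become SQL.
    """
    table = f"evt_{row['EventID']}"
    cols = [c for c in row if c != "EventID"]
    quoted = ", ".join(f'"{c}"' for c in cols)
    conn.execute(f'CREATE TABLE IF NOT EXISTS "{table}" ({quoted})')
    placeholders = ", ".join("?" * len(cols))
    conn.execute(
        f'INSERT INTO "{table}" ({quoted}) VALUES ({placeholders})',
        [row[c] for c in cols],
    )


def demo():
    """Parse the constructed sample, store it, and read two columns back."""
    conn = sqlite3.connect(":memory:")
    row = parse_event(SAMPLE_672, LABELS_672)
    insert_event(conn, row)
    cur = conn.execute('SELECT "User Name", "Client Address" FROM evt_672')
    return cur.fetchone()


if __name__ == "__main__":
    for name, value in parse_event(SAMPLE_672, LABELS_672).items():
        print(f"{name}: {value!r}")
    print(demo())
```

The same `parse_event` works for other event ids once their label list is supplied; only the header shape and the "label: value" layout are assumed, so a line whose labels arrive in a different order is rejected rather than mis-assigned.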
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Radu Gheorghe
Sent: Thursday, November 29, 2012 13:32
To: rsyslog-users
Subject: Re: [rsyslog] Templates sub matching regex
Hi,
You can try with mmnormalize:
http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/
Best regards,
Radu
2012/11/29 GUERIN Mathieu <[email protected]>
> Hello Rainer,
>
> Thanks for your answer.
>
> We are not using the rsyslog windows agent actually and we won't.
> We received regular syslog datagrams in UDP packets.
>
> Our field "msg" is like that:
> 672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name:
> DC1$ Supplied Realm Name: DOMAIN1.LOCAL User ID:
> %{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name:
> krbtgt Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} Ticket
> Options:
> 0x40810010 Result Code: - Ticket Encryption Type: 0x17
> Pre-Authentication
> Type: 2 Client Address: 1.1.1.1 Certificate Issuer Name: Certificate
> Serial
> Number: Certificate Thumbprint:
>
> Is there another way to split this message field into N fields?
> Regards,
> Mathieu
>
> -----Original Message-----
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Rainer Gerhards
> Sent: Thursday, November 29, 2012 10:04 To: rsyslog-users Subject: Re:
> [rsyslog] Templates sub matching regex
>
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of GUERIN Mathieu
> > Sent: Thursday, November 29, 2012 10:03 AM
> > To: [email protected]
> > Subject: [rsyslog] Templates sub matching regex
> >
> > Hello everybody,
> >
> > Actually, I am using rsyslog to collect windows events and I would
> > like to know if it is possible to capture and reuse the sub matches of a
> > regular expression?
> >
> > I have written some templates to record the events in a database.
> > But I am forced to use expressions like: %msg:F,58:2%. That is not
> > enough to split the field.
> > My aim is to use regular expressions to explode the "msg" field into N
> > fields and use them.
>
> The rsyslog windows agent can emit data in CEE format. You can then
> simply use mmjsonparse to get hold of the individual fields.
> >
> > In this way, I will be able to write a template like :
> >
> > $template EVT,"insert into table (field1, field2, field3)
> > values (%msg <Submatch 1>%,%msg <Submatch 2>%,%msg <Submatch
> > 3>%),SQL
> >
> This is not possible.
>
> Rainer
> > Maybe someone faced this trouble?
> >
> > Thanks a lot for your help.
> > Mathieu.
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> > you DON'T LIKE THAT.