> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of GUERIN Mathieu
> Sent: Thursday, November 29, 2012 2:42 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Templates sub matching regex
>
> Thanks again for your help.
>
> Unfortunately, that is not fixing our issue. We need to use regular
> expressions because all the fields are strongly different...
> As I explained, our field "msg" is like that:
>
> 672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name:
> DC1$ Supplied Realm Name: DOMAIN1.LOCAL User ID: %{S-1-1-21-2174394605-
> 2473340430-154362123253-1205} Service Name: krbtgt Service ID: %{S-1-5-
> 23-2174876605-247765430-1543628353-592} Ticket Options: 0x40810010
> Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: 2
> Client Address: 1.1.1.1 Certificate Issuer Name: Certificate Serial
> Number: Certificate Thumbprint:
>
> And we want to extract each field/value to insert into a database.
> For example, table evt_672 will have those columns:
>
> User; Message; User Name; Realm Name; User ID; Service Name; Service ID;
> Ticket Options; Result Code; Ticket Encryption Type; Pre-Authentication
> Type; Client Address; Certificate Issuer Name; Certificate Serial
> Number; Certificate Thumbprint
>
> With the appropriate values in each column:
>
> NT AUTHORITY\SYSTEM; Authentication Ticket Request;; DC1$ ; DOMAIN1.;
> %{S-1-1-21-2174394605-2473340430-154362123253-1205} ; krbtgt ;%{S-1-5-
> 23-2174876605-247765430-1543628353-592} ; 0x40810010 ; - ; 0x17 ; 2 ;
> 1.1.1.;;;
>
> Did you plan to develop (in your roadmap) a module to interface a
> home-made parsing script? Then everybody will be able to develop
> their own parser and implement it to do what they want.
Jupp, that's available for some years now. All you need to do is write a
parser module.

Rainer

> So, we will be able to record the log fine-grained in a database, a
> file or everything else.
>
> I really appreciate your help. Thanks very much.
> Regards,
> Mathieu
>
>
> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Radu Gheorghe
> Sent: Thursday, November 29, 2012 1:32 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Templates sub matching regex
>
> Hi,
>
> You can try with mmnormalize:
> http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/
>
> Best regards,
> Radu
>
>
> 2012/11/29 GUERIN Mathieu <[email protected]>
>
> > Hello Rainer,
> >
> > Thanks for your answer.
> >
> > We are not using the rsyslog windows agent actually and we won't.
> > We receive regular syslog datagrams in UDP packets.
> >
> > Our field "msg" is like that:
> > 672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name:
> > DC1$ Supplied Realm Name: DOMAIN1.LOCAL User ID:
> > %{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name:
> > krbtgt Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592}
> > Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17
> > Pre-Authentication Type: 2 Client Address: 1.1.1.1 Certificate Issuer
> > Name: Certificate Serial Number: Certificate Thumbprint:
> >
> > Is there another way to split this message field in N fields?
> > Regards,
> > Mathieu
> >
> > -----Original Message-----
> > From: [email protected] [mailto:
> > [email protected]] On Behalf Of Rainer Gerhards
> > Sent: Thursday, November 29, 2012 10:04 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Templates sub matching regex
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-
> > > [email protected]] On Behalf Of GUERIN Mathieu
> > > Sent: Thursday, November 29, 2012 10:03 AM
> > > To: [email protected]
> > > Subject: [rsyslog] Templates sub matching regex
> > >
> > > Hello everybody,
> > >
> > > Actually, I am using rsyslog to collect windows events and I would
> > > like to know if it is possible to capture and reuse the sub-matches
> > > of a regular expression?
> > >
> > > I have written some templates to record the events in a database.
> > > But I am forced to use expressions like: %msg:F,58:2%. That is not
> > > enough to split the field.
> > > My aim is to use regular expressions to explode the "msg" field in N
> > > fields and use them.
> >
> > The rsyslog windows agent can emit data in CEE format. You can then
> > simply use mmjsonparse to get hold of the individual fields.
> >
> > > In this way, I will be able to write a template like:
> > >
> > > $template EVT,"insert into table (field1, field2, field3)
> > > values (%msg <Submatch 1>%,%msg <Submatch 2>%,%msg <Submatch
> > > 3>%)",SQL
> > >
> >
> > This is not possible.
> >
> > Rainer
> >
> > > Maybe someone has faced this trouble?
> > >
> > > Thanks a lot for your help.
> > > Mathieu.
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> > > you DON'T LIKE THAT.
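A parser for the event 672 message quoted in the thread, as an added example (not code from rsyslog, liblognorm or any poster): it slices the msg field between the known labels, so trailing empty fields such as Certificate Issuer Name come out as empty strings, and it builds a parameterised INSERT for the evt_672 table instead of pasting log text into SQL. The label list, the column names and the sample message are constructed from the thread; mapping "Supplied Realm Name" to the "Realm Name" column is an assumption taken from the column list.

```python
import re
from typing import Dict, Optional

# Event 672 labels in message order, constructed from the thread's sample (not
# from rsyslog/liblognorm); the evt_672 table calls "Supplied Realm Name" "Realm Name".
EVT_672_LABELS = [
    "User Name", "Supplied Realm Name", "User ID", "Service Name",
    "Service ID", "Ticket Options", "Result Code", "Ticket Encryption Type",
    "Pre-Authentication Type", "Client Address", "Certificate Issuer Name",
    "Certificate Serial Number", "Certificate Thumbprint",
]
COLUMN_NAMES = {"Supplied Realm Name": "Realm Name"}

# "<id>: <user>: <message>: <label>: <value> ..."; user and message hold no ':'.
_HEADER = re.compile(r"^(?P<event_id>\d+): (?P<user>[^:]+): (?P<message>[^:]+): (?P<body>.*)$")
# A value is the text between two consecutive labels, so an empty one comes out as "".
_LABEL = re.compile("(?:" + "|".join(map(re.escape, EVT_672_LABELS)) + "):")

def parse_evt_672(msg: str) -> Optional[Dict[str, str]]:
    """Split an event 672 msg into the evt_672 columns; None if it is not one."""
    m = _HEADER.match(msg)
    if m is None or m.group("event_id") != "672":
        return None
    fields = {"User": m.group("user"), "Message": m.group("message")}
    body = m.group("body")
    hits = list(_LABEL.finditer(body))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        label = hit.group(0)[:-1]                      # drop trailing ':'
        fields[COLUMN_NAMES.get(label, label)] = body[hit.end():end].strip()
    for label in EVT_672_LABELS:                       # absent labels -> ""
        fields.setdefault(COLUMN_NAMES.get(label, label), "")
    return fields

def to_insert(fields: Dict[str, str], table: str = "evt_672"):
    """Parameterised INSERT (DB-API qmark style): log text never lands in SQL."""
    cols = list(fields)                                # fixed names, not log data
    sql = 'INSERT INTO {} ({}) VALUES ({})'.format(
        table, ", ".join('"%s"' % c for c in cols), ", ".join("?" * len(cols)))
    return sql, tuple(fields[c] for c in cols)

# Constructed sample: the message quoted in the thread.
SAMPLE_MSG = (
    r"672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name: DC1$ Supplied "
    "Realm Name: DOMAIN1.LOCAL User ID: %{S-1-1-21-2174394605-2473340430-154362123253-1205} "
    "Service Name: krbtgt Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} "
    "Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17 "
    "Pre-Authentication Type: 2 Client Address: 1.1.1.1 Certificate Issuer Name: "
    "Certificate Serial Number: Certificate Thumbprint:")
```

Messages that do not match the header, or carry another event id, return None so they can be routed to a catch-all table rather than being inserted as garbage.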

