On Thu, 29 Nov 2012, GUERIN Mathieu wrote:
Do you plan to develop (in your roadmap) a module to interface a home-made
parsing script? Then everybody will be able to develop their own parser and
implement it to do what they want.
That's what mmnormalize is. It lets you define your own parser for your log
files.
David Lang
So we will be able to record the log at fine granularity in a database, a file or
anything else.
I really appreciate your help. Thanks very much.
Regards,
Mathieu
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Radu Gheorghe
Sent: Thursday, November 29, 2012 13:32
To: rsyslog-users
Subject: Re: [rsyslog] Templates sub matching regex
Hi,
You can try with mmnormalize:
http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/
Best regards,
Radu
2012/11/29 GUERIN Mathieu <[email protected]>
Hello Rainer,
Thanks for your answer.
We are not currently using the rsyslog Windows agent and we won't.
We receive regular syslog datagrams in UDP packets.
Our "msg" field looks like this:
672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name: DC1$ Supplied Realm Name: DOMAIN1.LOCAL User ID: %{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name: krbtgt Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 Client Address: 1.1.1.1 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:
Is there another way to split this message field into N fields?
Regards,
Mathieu
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
Sent: Thursday, November 29, 2012 10:04
To: rsyslog-users
Subject: Re: [rsyslog] Templates sub matching regex
-----Original Message-----
From: [email protected] [mailto:rsyslog-
[email protected]] On Behalf Of GUERIN Mathieu
Sent: Thursday, November 29, 2012 10:03 AM
To: [email protected]
Subject: [rsyslog] Templates sub matching regex
Hello everybody,
I am currently using rsyslog to collect Windows events and I would
like to know whether it is possible to capture and reuse regular
expression sub-matches.
I have written some templates to record the events in a database.
But I am forced to use expressions like %msg:F,58:2%. That is not
enough to split the field.
My aim is to use regular expressions to explode the "msg" field into N
fields and use them.
The rsyslog Windows agent can emit data in CEE format. You can then
simply use mmjsonparse to get hold of the individual fields.
In this way, I will be able to write a template like:
$template EVT,"insert into table (field1, field2, field3) values (%msg <Submatch 1>%,%msg <Submatch 2>%,%msg <Submatch 3>%)",SQL
This is not possible.
Rainer
Maybe someone has faced this problem?
Thanks a lot for your help.
Mathieu.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
you DON'T LIKE THAT.
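Added example, not code from the thread or from rsyslog: a small Python parser that explodes the event 672 "msg" quoted above into named fields and writes them with bound SQL parameters, which is the outcome the template sketch in the thread is after. The field label list and the table name win_events are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample: the event 672 message quoted in the thread, re-joined onto one line.
SAMPLE_MSG = (
    "672: NT AUTHORITY\\SYSTEM: Authentication Ticket Request: User Name: DC1$ Supplied Realm Name: "
    "DOMAIN1.LOCAL User ID: %{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name: krbtgt "
    "Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} Ticket Options: 0x40810010 "
    "Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 Client Address: 1.1.1.1 "
    "Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:"
)

# Assumed label list, in the order the event writes them. Values may be empty (the
# certificate fields here), so we locate the labels and take the text between them.
FIELD_LABELS = [
    "User Name", "Supplied Realm Name", "User ID", "Service Name", "Service ID", "Ticket Options",
    "Result Code", "Ticket Encryption Type", "Pre-Authentication Type", "Client Address",
    "Certificate Issuer Name", "Certificate Serial Number", "Certificate Thumbprint",
]
LABEL_RE = re.compile("|".join(re.escape(label) + ":" for label in FIELD_LABELS))
HEADER_RE = re.compile(r"^(?P<event_id>\d+): (?P<source>[^:]+): (?P<event_name>[^:]+): ")
SID_RE = re.compile(r"^%\{(S-[\d-]+)\}$")  # SIDs arrive wrapped as %{S-...}; unwrap them


def parse_event_msg(msg):
    # Returns a dict of named fields, or None if the 'id: source: name: ' header is missing.
    head = HEADER_RE.match(msg)
    if not head:
        return None
    fields = head.groupdict()
    body = msg[head.end():]
    hits = list(LABEL_RE.finditer(body))
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        value = body[hit.end():end].strip()
        sid = SID_RE.match(value)
        key = re.sub(r"\W+", "_", hit.group(0)[:-1].lower())  # "User ID:" -> "user_id"
        fields[key] = sid.group(1) if sid else value
    return fields


def store(fields, table="win_events"):
    # Insert with bound parameters (in-memory SQLite here) so log content is never spliced
    # into SQL text; column names come from the fixed label list, not from the message.
    cols = sorted(fields)
    con = sqlite3.connect(":memory:")
    con.execute("create table %s (%s)" % (table, ", ".join(cols)))
    con.execute("insert into %s (%s) values (%s)" % (table, ", ".join(cols), ", ".join("?" for _ in cols)),
                [fields[c] for c in cols])
    return con.execute("select user_name, client_address from %s" % table).fetchone()
```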