> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of David Lang
> Sent: Thursday, November 29, 2012 2:58 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Templates sub matching regex
> 
> On Thu, 29 Nov 2012, GUERIN Mathieu wrote:
> 
> >
> > Did you plan to develop (in your roadmap) a module to interface a
> > home-made parsing script? Then, everybody will be able to develop
> > their own parser and implement it to do what they want.
> 
> That's what mmnormalize is. It lets you define your own parser for your
> log files.

He elaborated on this in a previous mail. He needs regexes because he has this
dumb format to deal with. Regexes will never be supported as they are contrary
to the lognorm idea (too slow for near-real-time normalization). So a parser
module would be a good choice. I just didn't mention it as I didn't think he
would be willing to invest the time.

Rainer
> 
> David Lang
> 
> > So, we will be able to record the log fine-grained in a database, a
> > file or everything else.
> >
> > I really appreciate your help. Thanks very much.
> > Regards,
> > Mathieu
> >
> >
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of Radu Gheorghe
> > Sent: Thursday, November 29, 2012 13:32
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Templates sub matching regex
> >
> > Hi,
> >
> > You can try with mmnormalize:
> > http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/
> >
> > Best regards,
> > Radu
> >
> >
> > 2012/11/29 GUERIN Mathieu <[email protected]>
> >
> >> Hello Rainer,
> >>
> >> Thanks for your answer.
> >>
> >> We are not using rsyslog windows agent actually and we won't.
> >> We received regular syslog datagram in UDP packets.
> >>
> >> Our field "msg" is like that :
> >> 672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name:
> >> DC1$ Supplied Realm Name: DOMAIN1.LOCAL User ID:
> >> %{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name:
> >> krbtgt Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592}
> >> Ticket Options:
> >> 0x40810010 Result Code: - Ticket Encryption Type: 0x17
> >> Pre-Authentication
> >> Type: 2 Client Address: 1.1.1.1 Certificate Issuer Name: Certificate
> >> Serial
> >> Number: Certificate Thumbprint:
> >>
> >> Is there another way to split this message field in N fields ?
> >> Regards,
> >> Mathieu
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:
> >> [email protected]] On Behalf Of Rainer Gerhards
> >> Sent: Thursday, November 29, 2012 10:04
> >> To: rsyslog-users
> >> Subject: Re: [rsyslog] Templates sub matching regex
> >>
> >>> -----Original Message-----
> >>> From: [email protected] [mailto:rsyslog-
> >>> [email protected]] On Behalf Of GUERIN Mathieu
> >>> Sent: Thursday, November 29, 2012 10:03 AM
> >>> To: [email protected]
> >>> Subject: [rsyslog] Templates sub matching regex
> >>>
> >>> Hello everybody,
> >>>
> >>> Actually, I am using rsyslog to collect windows events and I would
> >>> like to know if it is possible to capture and reuse the sub matching
> >>> regular expression?
> >>>
> >>> I have written some templates to record the events in a database.
> >>> But, I am forced to use expressions like: %msg:F,58:2%. That is not
> >>> enough to split the field.
> >>> My aim is to use regular expressions to explode the "msg" field into N
> >>> fields and use them.
> >>
> >> The rsyslog windows agent can emit data in CEE format. You can then
> >> simply use mmjsonparse to get hold of the individual fields.
> >>>
> >>> In this way, I will be able to write a template like :
> >>>
> >>> $template EVT,"insert into table (field1, field2, field3)
> >>> values (%msg <Submatch 1>%,%msg <Submatch 2>%,%msg <Submatch 3>%)",SQL
> >>>
> >> This is not possible.
> >>
> >> Rainer
> >>> Maybe someone faced this trouble ?
> >>>
> >>> Thanks a lot for your help.
> >>> Mathieu.
> >>>
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> >>> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
> >>> you DON'T LIKE THAT.
> >
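
Added example, not part of the original thread and not rsyslog or liblognorm code: a label-driven splitter for the event 672 "msg" text quoted above, using plain string searches instead of regexes, with the resulting fields stored through bound SQL parameters. The label list, function names and table layout are assumptions made for illustration.

```python
import sqlite3

# Constructed sample: the event 672 "msg" text from the thread, joined onto one line.
SAMPLE_MSG = (
    "672: NT AUTHORITY\\SYSTEM: Authentication Ticket Request: User Name: DC1$ "
    "Supplied Realm Name: DOMAIN1.LOCAL "
    "User ID: %{S-1-1-21-2174394605-2473340430-154362123253-1205} "
    "Service Name: krbtgt "
    "Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} "
    "Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17 "
    "Pre-Authentication Type: 2 Client Address: 1.1.1.1 Certificate Issuer Name: "
    "Certificate Serial Number: Certificate Thumbprint:"
)
# Field labels in the order they appear in this event's text (assumed fixed).
LABELS = ["User Name", "Supplied Realm Name", "User ID", "Service Name",
          "Service ID", "Ticket Options", "Result Code", "Ticket Encryption Type",
          "Pre-Authentication Type", "Client Address", "Certificate Issuer Name",
          "Certificate Serial Number", "Certificate Thumbprint"]

def split_event(msg):
    """Split msg into {label: value} with plain string searches (no regex)."""
    head, sep, rest = msg.partition(": Authentication Ticket Request: ")
    if not sep:
        raise ValueError("not an Authentication Ticket Request message")
    event_id, _, account = head.partition(": ")
    fields = {"Event ID": event_id, "Account": account}
    marks, pos = [], 0
    for label in LABELS:                      # locate every "Label:" left to right
        start = rest.find(label + ":", pos)
        if start < 0:
            raise ValueError("missing field: " + label)
        pos = start + len(label) + 1
        marks.append((label, start, pos))
    marks.append((None, len(rest), len(rest)))  # sentinel: end of message
    for (label, _, vstart), (_, nxt, _) in zip(marks, marks[1:]):
        fields[label] = rest[vstart:nxt].strip()  # empty values become ""
    return fields

def store(conn, fields):
    """Insert selected fields with bound parameters, never string-built SQL."""
    conn.execute("CREATE TABLE IF NOT EXISTS events "
                 "(event_id TEXT, user_name TEXT, realm TEXT, client TEXT)")
    conn.execute("INSERT INTO events VALUES (?, ?, ?, ?)",
                 (fields["Event ID"], fields["User Name"],
                  fields["Supplied Realm Name"], fields["Client Address"]))
    return conn.execute("SELECT * FROM events").fetchall()
```

Field values come from the log source and are untrusted: a value that itself contains a later label text would shift the split, so downstream consumers should validate each field before relying on it.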