> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of GUERIN Mathieu
> Sent: Thursday, November 29, 2012 3:48 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Templates sub matching regex
>
> We will investigate about the parser module. It's not a trivial thing
> to develop a syslog module!

Well, I always wonder why large organizations take so much effort just trying to avoid providing some minimal funding to the rsyslog project ;) We usually can write parser modules for 500 euros: http://www.rsyslog.com/professional-services/custom-development/ Not knowing the exact details, I'd guess this is the same here (but may not, depending on how much backtracking is required... well, one can do that with regexes, but that really sucks).

> Actually, we have already developed our parser in Perl and we are able to
> import the exported file in our DB.
> But it is too far from near-realtime :)

Jup, that's why a scripting language makes no sense in this context.

Rainer

> Never mind, thank you very much for your quick and useful answers!
> I did really appreciate your help.
>
> Regards,
> Mathieu
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
> Sent: Thursday, 29 November 2012 15:15
> To: rsyslog-users
> Subject: Re: [rsyslog] Templates sub matching regex
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
> > Sent: Thursday, November 29, 2012 2:58 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Templates sub matching regex
> >
> > On Thu, 29 Nov 2012, GUERIN Mathieu wrote:
> >
> > > Did you plan to develop (in your roadmap) a module to interface a
> > > home-made parsing script? Then everybody will be able to develop
> > > their own parser and implement it to do what they want.
> >
> > That's what mmnormalize is. It lets you define your own parser for
> > your log files.
>
> He elaborated on this in a previous mail. He needs regexes because he
> has this dumb format to deal with. Regexes will never be supported as
> they are contrary to the lognorm idea (too slow for near-realtime
> normalization). So a parser module would be a good choice. I just
> didn't mention it as I didn't think he would be willing to invest the
> time.
>
> Rainer
>
> > David Lang
> >
> > > So, we will be able to record the log fine-grained in a database, a
> > > file or everything else.
> > >
> > > I really appreciate your help. Thanks very much.
> > > Regards,
> > > Mathieu
> > >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On Behalf Of Radu Gheorghe
> > > Sent: Thursday, 29 November 2012 13:32
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] Templates sub matching regex
> > >
> > > Hi,
> > >
> > > You can try with mmnormalize:
> > > http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/
> > >
> > > Best regards,
> > > Radu
> > >
> > > 2012/11/29 GUERIN Mathieu <[email protected]>
> > >
> > > > Hello Rainer,
> > > >
> > > > Thanks for your answer.
> > > >
> > > > We are not using the rsyslog windows agent actually and we won't.
> > > > We receive regular syslog datagrams in UDP packets.
> > > >
> > > > Our field "msg" is like that:
> > > > 672: NT AUTHORITY\SYSTEM: Authentication Ticket Request: User Name:
> > > > DC1$ Supplied Realm Name: DOMAIN1.LOCAL User ID:
> > > > %{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name:
> > > > krbtgt Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592}
> > > > Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17
> > > > Pre-Authentication Type: 2 Client Address: 1.1.1.1
> > > > Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:
> > > >
> > > > Is there another way to split this message field in N fields?
> > > > Regards,
> > > > Mathieu
> > > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]] On Behalf Of Rainer Gerhards
> > > > Sent: Thursday, 29 November 2012 10:04
> > > > To: rsyslog-users
> > > > Subject: Re: [rsyslog] Templates sub matching regex
> > > >
> > > > > -----Original Message-----
> > > > > From: [email protected] [mailto:[email protected]] On Behalf Of GUERIN Mathieu
> > > > > Sent: Thursday, November 29, 2012 10:03 AM
> > > > > To: [email protected]
> > > > > Subject: [rsyslog] Templates sub matching regex
> > > > >
> > > > > Hello everybody,
> > > > >
> > > > > Actually, I am using rsyslog to collect windows events and I would
> > > > > like to know if it is possible to capture and reuse the sub-matching
> > > > > regular expression?
> > > > >
> > > > > I have written some templates to record the events in a database.
> > > > > But I am forced to use expressions like: %msg:F,58:2%. That is not
> > > > > enough to split the field.
> > > > > My aim is to use regular expressions to explode the "msg" field in
> > > > > N fields and use them.
> > > >
> > > > The rsyslog windows agent can emit data in CEE format. You can then
> > > > simply use mmjsonparse to get hold of the individual fields.
> > > >
> > > > > In this way, I will be able to write a template like:
> > > > >
> > > > > $template EVT,"insert into table (field1, field2, field3)
> > > > > values (%msg <Submatch 1>%,%msg <Submatch 2>%,%msg <Submatch 3>%),SQL
> > > > >
> > > > This is not possible.
> > > >
> > > > Rainer
> > > >
> > > > > Maybe someone faced this trouble?
> > > > >
> > > > > Thanks a lot for your help.
> > > > > Mathieu.
> > > > >
> > > > > _______________________________________________
> > > > > rsyslog mailing list
> > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > http://www.rsyslog.com/professional-services/
> > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> > > > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > > > > POST if you DON'T LIKE THAT.
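The thread's central problem is that the Windows event text quoted above is a flat run of "Label: value" pairs where values may be empty (the three certificate fields), may be a single "-" (Result Code), and may themselves contain colons or "%{...}" SIDs, which is why a single regex submatch or %msg:F,58:2% field splitting cannot carve it reliably and why the replies point at a parser with a per-event schema (mmnormalize, or a parser module). The following is an added example, not code from the thread, from rsyslog or from liblognorm: it parses that msg string in Python by driving the split with a known, ordered label list per event ID instead of guessing at "word: value" boundaries. The label table for event 672, the sample msg (the quoted text re-joined onto one line) and the function names are assumptions made for this example.

```python
import json
import re
from typing import Dict, List

# Per-event field labels, in the order Windows writes them into the message
# body. Only event 672 (the Kerberos authentication ticket request event
# quoted in the thread) is listed; this table is an assumption for the
# example and is meant to gain one entry per event ID you collect.
FIELDS_BY_EVENT: Dict[str, List[str]] = {
    "672": [
        "User Name", "Supplied Realm Name", "User ID", "Service Name",
        "Service ID", "Ticket Options", "Result Code",
        "Ticket Encryption Type", "Pre-Authentication Type",
        "Client Address", "Certificate Issuer Name",
        "Certificate Serial Number", "Certificate Thumbprint",
    ],
}

# The msg field quoted in the thread, re-joined onto one line (the list
# archive had wrapped it). Constructed sample input for this example.
SAMPLE_MSG = (
    "672: NT AUTHORITY\\SYSTEM: Authentication Ticket Request: User Name: "
    "DC1$ Supplied Realm Name: DOMAIN1.LOCAL User ID: "
    "%{S-1-1-21-2174394605-2473340430-154362123253-1205} Service Name: "
    "krbtgt Service ID: %{S-1-5-23-2174876605-247765430-1543628353-592} "
    "Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17 "
    "Pre-Authentication Type: 2 Client Address: 1.1.1.1 "
    "Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:"
)

# "<event id>: <account>: <description>: <body>". Account and description
# carry no colon in the Windows event text, so the first three colons
# delimit the header; everything after it is the label/value body.
_HEADER_RE = re.compile(
    r"^(?P<event_id>\d+): (?P<account>[^:]+): (?P<description>[^:]+): (?P<body>.*)$"
)


def _label_regex(labels: List[str]) -> "re.Pattern[str]":
    """Alternation of the known labels, each required to be followed by ':'
    and preceded by start-of-body or whitespace. Longest label first so a
    label that is a prefix of another label cannot match too early."""
    ordered = sorted(labels, key=len, reverse=True)
    alternation = "|".join(re.escape(lab) for lab in ordered)
    return re.compile(r"(?:^|\s)(" + alternation + r"):(?=\s|$)")


def parse_windows_event(msg: str) -> Dict[str, str]:
    """Split one Windows event msg string into named fields.

    The split is driven by the labels known for the event ID, so empty
    values and values containing '-', ':' or '%{...}' are handled; a
    generic 'word: value' regex would misplace them."""
    m = _HEADER_RE.match(msg)
    if m is None:
        raise ValueError("msg does not start with '<id>: <account>: <description>: '")
    out = {
        "event_id": m.group("event_id"),
        "account": m.group("account").strip(),
        "description": m.group("description").strip(),
    }
    body = m.group("body")
    labels = FIELDS_BY_EVENT.get(out["event_id"])
    if labels is None:
        # No schema for this event ID: keep the body intact rather than guess.
        out["raw_body"] = body.strip()
        return out
    pieces = _label_regex(labels).split(body)
    # pieces = [text before first label, label1, value1, label2, value2, ...]
    if pieces[0].strip():
        raise ValueError(f"unexpected text before first label: {pieces[0]!r}")
    for label, value in zip(pieces[1::2], pieces[2::2]):
        out[label] = value.strip()
    return out


def to_json_line(msg: str) -> str:
    """One JSON object per event: the shape a database loader or a
    JSON-aware rsyslog template can consume field by field."""
    return json.dumps(parse_windows_event(msg), sort_keys=True)


if __name__ == "__main__":
    print(to_json_line(SAMPLE_MSG))
```

The schema table is the point: once the labels for an event ID are known, the parse is a single linear split with no backtracking, which is the property the replies above ask for in a near-realtime pipeline. An event ID without an entry is passed through with its body untouched, so nothing is silently dropped while the table is still being filled in.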

