I've run into problems with the version not exactly matching everything else. In theory it will work, but I don't know where the landmines are.

The pmsnare module only works on the first couple of fields of the message (timestamp, hostname, and possibly the MSWinEventLog string); everything else it leaves alone. It will, however, force escaping, so all tabs will be replaced by #011. The escaping is fine if you are using external stuff (like perl) to parse the message, but rsyslog doesn't have multi-character split capability, so it will make it hard to extract the fields with rsyslog format tricks like the example you listed does.

David Lang

On Thu, 29 Nov 2012, jdguingao wrote:

Thanks for the help David and Dan. What I am thinking now is to use the
pmsnare module to test if I can extract that field but my installation of
rsyslog does not have it. I use the RPM that the rsyslog team provided in
their website. Is there any way to upload a module to my existing rsyslog
installation or do I have to compile it from source?



--
View this message in context: 
http://rsyslog-rsyslog-users.1305293.n2.nabble.com/Please-help-with-Snare-Format-tp7579234p7579243.html
Sent from the rsyslog -- rsyslog-users mailing list archive at Nabble.com.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
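Added example (not from the thread above, and not rsyslog or Snare project code): a small parser that shows the escaping problem David describes. It takes a Snare-for-Windows event as rsyslog stores it after control-character escaping, where every tab has become the four-character sequence #011, reverses the escaping, and splits on the restored tabs. It also shows what you get from a single-character split on "#" (the only kind rsyslog property replacers can do): each field comes back glued to the "011" digits of the escape in front of it. The sample log line and the field names in SNARE_FIELDS are constructed for illustration; check the field order against the version of the Snare agent you actually run.

```python
import re

# Constructed sample event, not taken from the mailing-list thread.
# The Snare agent separates fields with TAB; rsyslog's escaping rewrites
# each TAB as "#011" (octal 011 = 0x09).  This is the escaped form.
ESCAPED_LINE = (
    "Nov 29 10:15:02 winhost01 MSWinEventLog#0111#011Security#01142#011"
    "Thu Nov 29 10:15:01 2012#0114624#011Microsoft-Windows-Security-Auditing"
    "#011N/A#011N/A#011Success Audit#011winhost01#011Logon#011"
    "An account was successfully logged on.#0110"
)

# The same event with the raw tabs still in place (escaping turned off).
RAW_LINE = ESCAPED_LINE.replace("#011", "\t")

# Assumed field order after the syslog header (timestamp, hostname).
# Snare versions differ in trailing fields; verify against your agent.
SNARE_FIELDS = [
    "tag", "criticality", "event_log", "snare_counter", "date_time",
    "event_id", "source_name", "user_name", "sid_type", "event_type",
    "computer", "category", "data", "checksum",
]

# BSD-style syslog header: "Mon dd hh:mm:ss hostname <rest>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<msg>.*)$",
    re.S,
)
# rsyslog control-character escape: '#' followed by three octal digits.
ESCAPE_RE = re.compile(r"#([0-7]{3})")


def unescape_rsyslog(text):
    """Reverse rsyslog's '#ooo' escaping for control characters only.

    A sequence such as '#123' (octal 123 = 'S') is left untouched because
    rsyslog never produces it for a printable character.  A literal
    '#011' typed into event data is indistinguishable from an escaped TAB;
    that ambiguity is inherent to the escaping scheme.
    """
    def restore(m):
        code = int(m.group(1), 8)
        if code < 0x20 or code == 0x7F:
            return chr(code)
        return m.group(0)
    return ESCAPE_RE.sub(restore, text)


def parse_snare(line):
    """Split one stored Snare event into a dict, escaped or not."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line: %r" % line[:40])
    body = unescape_rsyslog(m.group("msg"))
    parts = body.split("\t")
    if parts[0] != "MSWinEventLog":
        raise ValueError("not a Snare Windows event: %r" % parts[0])
    event = {"timestamp": m.group("ts"), "hostname": m.group("host")}
    event.update(zip(SNARE_FIELDS, parts))
    if len(parts) > len(SNARE_FIELDS):
        # Newer agents may append fields; keep them rather than drop them.
        event["extra"] = parts[len(SNARE_FIELDS):]
    return event


def split_on_hash(line):
    """What a single-character split on '#' yields from the escaped form.

    Every field arrives prefixed with the '011' digits of the escape that
    preceded it (e.g. '011Security'), so no field boundary is recovered
    cleanly.  This is the limitation of rsyslog's own field extraction
    that the thread is about.
    """
    m = HEADER_RE.match(line)
    return m.group("msg").split("#")


if __name__ == "__main__":
    for name, value in parse_snare(ESCAPED_LINE).items():
        print("%-14s %s" % (name, value))
    print("single-char split:", split_on_hash(ESCAPED_LINE)[:4])
```

The escaped and raw forms parse to identical dicts once the #011 sequences are turned back into tabs, which is why the thread's advice is to do the field extraction in an external tool (perl, or a script like this) if rsyslog's escaping stays on, or to keep the raw tabs if rsyslog itself has to split the fields.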