I am trying my first attempts at using mmnormalize.

My goal is to parse out my iptable firewall logs into a cee format so I can
then send them to elasticsearch.

But so far my logs just show unparsed items. Can anyone shed any light on
where I am going wrong here?

Relevant sections from rsyslog.conf

module(load="mmnormalize")
action(type="mmnormalize" UseRawMsg="off"
ruleBase="/etc/rsyslog.d/normalize.rb")

module(load="mmjsonparse")


#template(name="cee" type="string" string="%$!all-json%\n")
template(name="cee" type="string" string="%$!%\n")

*.*                             { action (name="cee" type="omfile"
Template="cee" file="/var/log/cee.log") }

I have also tried a couple of variations of this, but they still don't match.

normalize.rb
rule=: %kerntime:word% Denied: IN=%in:word% OUT= MAC=%mac:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%len:number% TOS=%tos:word% PREC=%prec:word% TTL=%ttl:number% ID=%id:number% %DF:word% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% WINDOW=%window:number% RES=%res:word% %pkt-type:word% URGP=%urgp:number%

I also tried to use the iptables type, but I am not able to find many docs
on its usage.

rule=: %kerntime:word% Denied: %iptables:iptables%


Sample log line:

[1084540.211910] Denied: IN=eth0 OUT= MAC=00:30:48:90:cc:a6:00:30:48:da:48:e8:08:00 SRC=10.10.10.10 DST=10.10.10.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=28843 DF PROTO=TCP SPT=44075 DPT=444 WINDOW=14600 RES=0x00 SYN URGP=0


This is what I see in my cee logfile, and it shows unparsed-data.

# { "originalmsg": "[1084540.211910] Denied: IN=eth0 OUT= MAC=00:30:48:90:cc:a6:00:30:48:da:48:e8:08:00 SRC=10.10.10.10 DST=10.10.10.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=28843 DF PROTO=TCP SPT=44075 DPT=444 WINDOW=14600 RES=0x00 SYN URGP=0 ", "unparsed-data": "[1084540.211910] Denied: IN=eth0 OUT= MAC=00:30:48:90:cc:a6:00:30:48:da:48:e8:08:00 SRC=10.10.10.10 DST=10.10.10.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=28843 DF PROTO=TCP SPT=44075 DPT=444 WINDOW=14600 RES=0x00 SYN URGP=0 " }
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
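Editor's note, added after the post and not part of it: two details in the originalmsg output above are worth checking against the rulebase, because a liblognorm rule only matches when it consumes the message from its first character to its last. The text after `rule=:` is matched literally, so if the blank before `%kerntime:word%` is really in the rulebase file (and not just e-mail wrapping), the rule expects a leading blank while originalmsg begins with `[`. At the other end, originalmsg ends with a blank after `URGP=0` that nothing in the rule consumes. The script below is an added, stand-alone example (not rsyslog, liblognorm or the poster's code) of what the same line looks like once parsed into the kind of flat key/value record the poster wants to ship as CEE JSON. It tolerates both blanks by stripping the line before matching, treats bare tokens such as `DF` and `SYN` as flags, keeps empty values such as `OUT=` explicit, and types the decimal fields. The function names `parse_netfilter` and `to_cee`, and the `prefix` and `flags` field names, are this example's own choices; `Denied:` is the poster's own log prefix.

```python
#!/usr/bin/env python3
"""Parse a netfilter (iptables LOG target) line into a flat dict and emit it
as '@cee: {...}' JSON.  Added example; not rsyslog/liblognorm code."""
import json
import re

# Constructed sample: the log line from the question, including the trailing
# blank that appears after URGP=0 in the originalmsg output.
SAMPLE = (
    "[1084540.211910] Denied: IN=eth0 OUT= "
    "MAC=00:30:48:90:cc:a6:00:30:48:da:48:e8:08:00 SRC=10.10.10.10 "
    "DST=10.10.10.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=28843 DF PROTO=TCP "
    "SPT=44075 DPT=444 WINDOW=14600 RES=0x00 SYN URGP=0 "
)

# "[<kernel uptime>] <log-prefix>: <key=value pairs and bare flags>"
# The prefix ("Denied" here) is whatever --log-prefix the firewall rule set.
_PREFIX = re.compile(
    r"^\[(?P<kerntime>\d+\.\d+)\]\s+(?P<prefix>[^:]+):\s*(?P<rest>.*)$"
)

# Keys the kernel prints as decimal integers; everything else stays a string
# (TOS/PREC/RES are hex, MAC is colon-separated, SRC/DST are addresses).
_NUMERIC = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP", "UID", "GID"}


def parse_netfilter(line):
    """Return a dict of parsed fields, or None if the line is not a netfilter
    LOG line.  Surrounding blanks are stripped first, so the trailing blank
    seen in the question's originalmsg does not prevent a match."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    fields = {
        "kerntime": m.group("kerntime"),
        "prefix": m.group("prefix"),
        "flags": [],
    }
    for tok in m.group("rest").split():
        if "=" not in tok:
            # Bare tokens: DF, SYN, ACK, PSH, RST, FIN, URG, CE ...
            fields["flags"].append(tok)
            continue
        key, _, val = tok.partition("=")
        if val == "":
            fields[key] = None  # e.g. OUT= on a packet hitting the INPUT chain
        elif key in _NUMERIC and val.isdigit():
            fields[key] = int(val)
        else:
            fields[key] = val
    return fields


def to_cee(line):
    """Render a line as '@cee: {...}', the cookie rsyslog's mmjsonparse looks
    for; returns None when the line does not parse."""
    fields = parse_netfilter(line)
    if fields is None:
        return None
    return "@cee: " + json.dumps(fields, sort_keys=True)


if __name__ == "__main__":
    print(to_cee(SAMPLE))
```

Run it as-is to see the record for the sample line; feed it other lines (for example from `journalctl -k`) to see how `OUT=` on inbound traffic and the TCP flag tokens come out. In a rulebase the same idea is expressed by making the rule consume the whole message, for instance by not having a literal blank before the first field and by ending the rule with a trailing blank or a `%-:rest%` field.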