On Sat, Sep 14, 2013 at 3:09 AM, David Lang <[email protected]> wrote:

> #011 is an escaped tab, if you replace #011 with a column separator,
> everything should work
>
> you can also simply use "#011" together with field-based extraction.

Have a look at this presentation (slide 23+):
http://www.slideshare.net/rainergerhards1/rsyslog-log-normalization

That's the exact Snare scenario. It helps if you read the whole slide deck ;)

Rainer

> you can run them through sed s/"#011"/"\t"/g to put tabs back (replace \t
> with whatever character you are looking for)
>
> what format do you want the columns in? what are you doing with them?
>
> another option is that you can use mmnormalize to parse these and assign
> each chunk to a variable with the correct name. This should just be a
> single rule, I don't know when I would have time to look at this, but I'll
> add it to my (lengthy) to-do list.
>
> David Lang
>
> On Fri, 13 Sep 2013, Willen Borges Coelho wrote:
>
>> I use Nxlog-ce on our Windows servers, and it sends the logs to an
>> rsyslog server on port 514/udp.
>>
>> Still in nxlog-ce, I use a flag, to_syslog_snare(), to convert from
>> Windows event logs to Linux syslog.
>>
>> I would like to retrieve the information in rsyslog that gets joined
>> together and put it all into its respective columns, for example:
>>
>> Sep 13 20:31:23 2013#0115156#011Microsoft-Windows-Security-Auditing#011N/A#011N/A#011AUDIT_SUCCESS#011server.localdomain.corpMore Information#011Filtering Platform Connection#011#011The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 192.168.1.5More Information Source Port: 139 Destination Address: 192.168.125.19More Information {user.dhcp.s17.localdomain.corpMore Information} Destination Port: 139 Protocol: 17 Filter Information: Filter Run-Time ID: 65766 Layer Name: Receive/Accept Layer Run-Time ID: 44#011N/A
>>
>> The fields and values are joined by #011.
>>
>> This information is saved in a PostgreSQL DB, in the table SystemEvents.
>>
>> Much Windows server information is lost because we cannot rank it,
>> because it is not in separate columns.
>>
>> Can anyone help?
>>
>> Regards,
>>
>> Willen Borges Coelho
>> Information Technology Analyst
>> Information Technology Coordination Office
>> Ifes - Instituto Federal de Educação, Ciência e Tecnologia do Espírito Santo
>>
>> Campus Cachoeiro de Itapemirim
>> (28) 3526-9027
>> "Shallow men believe in luck;
>> wise and strong men believe in cause and effect."
>> (Ralph Waldo Emerson)
>>
>> ________________________________
>>
>> This message (including attachments) contains confidential information
>> intended for a specific user, and its content is protected by law. If you
>> are not the correct recipient you must delete this message.
>>
>> The sender of this message is responsible for its content and addressing.
>> The recipient is responsible for handling it appropriately. Disclosure,
>> reproduction and/or distribution without due authorization, or any other
>> action not in conformity with Ifes internal rules, is prohibited and
>> subject to disciplinary, civil and criminal sanction.
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
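The thread's point, as an added worked example (this is not code from rsyslog, NXLog or any participant): #011 is rsyslog's escaped representation of a tab, and the Snare record behind it is a fixed sequence of tab-separated fields with one free-text message in the middle. The column names below follow the Snare layout from the SubmitTime field onward and are an assumption that the fields before it (the MSWinEventLog marker, criticality, log name and counter) were consumed as the syslog header and tag; the sample record is constructed to match the one posted, with the "More Information" rendering noise left out. The splitter cuts the fixed columns from the left and right ends only, so a tab inside the event text (which rsyslog also escapes as #011) cannot shift them; a second pass pulls the "Label: value" pairs of a 5156 message out so they can land in their own columns.

```python
"""Split Snare-format Windows events that rsyslog has stored with tabs escaped
as #011 into named columns, then pull 'Label: value' pairs out of the message
body. Added example for the thread above; not code from rsyslog or NXLog."""
import re

# Column names follow the Snare agent's tab-separated layout from the
# SubmitTime field onward (assumption: the sample in the thread starts there
# because the fields before it were consumed as the syslog header and tag).
LEADING = ["SubmitTime", "EventID", "SourceName", "UserName", "SIDType",
           "EventLogType", "ComputerName", "CategoryString", "DataString"]
TRAILING = ["Checksum"]  # Snare's last field; "N/A" when hashing is off
SEP = "#011"             # how rsyslog escapes a tab on receive

# Constructed sample modelled on the record posted in the thread, with the
# "More Information" rendering noise left out.
SAMPLE = (
    "Sep 13 20:31:23 2013#0115156#011Microsoft-Windows-Security-Auditing"
    "#011N/A#011N/A#011AUDIT_SUCCESS#011server.localdomain.corp"
    "#011Filtering Platform Connection#011#011The Windows Filtering Platform "
    "has permitted a connection. Application Information: Process ID: 4 "
    "Application Name: System Network Information: Direction: Inbound "
    "Source Address: 192.168.1.5 Source Port: 139 Destination Address: "
    "192.168.125.19 Destination Port: 139 Protocol: 17 Filter Information: "
    "Filter Run-Time ID: 65766 Layer Name: Receive/Accept "
    "Layer Run-Time ID: 44#011N/A"
)


def split_snare(msg, sep=SEP):
    """Map one Snare record to a dict of named columns.

    Fixed-position fields are cut from the left and right ends only, so an
    escaped tab inside the free-text message cannot shift them; the message
    is whatever is left in the middle, with its tabs restored.
    """
    parts = msg.split(sep, len(LEADING))
    if len(parts) != len(LEADING) + 1:
        raise ValueError("not a Snare record: too few fields")
    rest = parts[-1].rsplit(sep, len(TRAILING))
    if len(rest) != len(TRAILING) + 1:
        raise ValueError("not a Snare record: missing trailing field")
    rec = dict(zip(LEADING, parts[:-1]))
    rec["Message"] = rest[0].replace(sep, "\t")
    rec.update(zip(TRAILING, rest[1:]))
    return rec


# Labels that appear in a Windows 5156 (WFP permitted connection) message.
# Section headers are listed too so their text is not swallowed into the
# preceding value.
LABELS = ["Application Information", "Process ID", "Application Name",
          "Network Information", "Direction", "Source Address", "Source Port",
          "Destination Address", "Destination Port", "Protocol",
          "Filter Information", "Filter Run-Time ID", "Layer Name",
          "Layer Run-Time ID"]
_LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):")


def parse_message(message, label_re=_LABEL_RE):
    """Return {label: value} for the known labels in a flattened message.

    A value runs from its label to the next known label. Section headers
    end up with an empty value and are dropped. Everything here comes from
    the event text, so treat it as lower-trust than the fixed columns.
    """
    hits = list(label_re.finditer(message))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        value = message[m.end():end].strip()
        if value:
            fields[m.group(1)] = value
    return fields


def to_columns(msg):
    """Flat dict ready for a table row: Snare columns plus message fields."""
    rec = split_snare(msg)
    rec.update(parse_message(rec["Message"]))
    return rec


if __name__ == "__main__":
    for k, v in to_columns(SAMPLE).items():
        print(f"{k:22} {v}")
```

The same left-count/right-count split is what a single mmnormalize rule or field-based extraction in rsyslog has to express; the reason not to simply replace every #011 with a column separator and cut on it is that rsyslog escapes control characters on receive, so a tab that Windows put inside the event text arrives as #011 as well and would push the Checksum and any later column out of place. The second pass is only as trustworthy as the event text: for 5156 the values are produced by the filtering platform, but for other event IDs parts of the message (account names, command lines) originate from the client side, so rank and alert on the fixed columns and treat label/value pairs from the free text accordingly.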

