Hello,

Does anyone have any suggestions how to solve this issue?

Thanks,
Jose

From: [email protected] [mailto:[email protected]] On Behalf Of Castillo, Jose Contractor
Sent: Wednesday, September 18, 2013 3:42 PM
To: lognorm
Subject: Re: [Lognorm] liblognorm rules

Thanks, but it didn't work adding a space to the end.

It works if I use only the first rule:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"

It doesn't work if the next two rules are defined:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"
"rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console"

I think it's trying to match the second rule because "console" matches %cisco.user:word% and then it is trying to match the next characters, but I don't know why it is not matching the first rule.

Any additional advice?

Thanks,
Jose

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of cclark
Sent: Wednesday, September 18, 2013 3:06 PM
To: [email protected]
Subject: Re: [Lognorm] liblognorm rules

I've seen this happen before with Cisco devices. Try this: in your rule, add a white space to the end. So instead of this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console"

Try this:

"rule=: %%SYS-5-CONFIG_I: Configured from console by console "

Note the space at the end.

On Wed, 18 Sep 2013 12:16:57 -0400, Castillo, Jose Contractor wrote:
> Hello,
>
> I'm testing rsyslog/liblognorm trying to parse syslog messages from
> cisco devices, but in some cases liblognorm is not matching syslog
> messages with the corresponding rules.
>
> Please see the following information and let me know if something is wrong.
>
> ======================================================================
>
> # cat test.rulebase
> prefix=%date:date-rfc3164%
> rule=: %%SYS-5-CONFIG_I: Configured from console by console
> rule=: %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)
> rule=: %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console
>
> # lognormalizer -r test.rulebase
> Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console
> [cee@115 originalmsg="Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console" unparsed-data=""]
> Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)
> [cee@115 cisco.ip="192.168.1.1" date="Sep 18 13:09:02:"]
> Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)
> [cee@115 cisco.ip="192.168.1.2" cisco.user="user1" date="Sep 18 13:15:29:"]
> Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console
> [cee@115 cisco.user="user2" date="Sep 18 13:29:28:"]
>
> ======================================================================
>
> The first message ("Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from
> console by console") is not being parsed correctly.
>
> Output from lognormalizer in verbose mode:
>
> I'm working on a CentOS 6.4 virtual machine, and the following packages have
> been installed:
>
> rsyslog-mmjsonparse-7.4.4-2.el6.x86_64
> rsyslog-debuginfo-7.4.4-2.el6.x86_64
> rsyslog-mysql-7.4.4-2.el6.x86_64
> rsyslog-elasticsearch-7.4.4-2.el6.x86_64
> rsyslog-udpspoof-7.4.4-2.el6.x86_64
> rsyslog-7.4.4-2.el6.x86_64
> rsyslog-mmnormalize-7.4.4-2.el6.x86_64
>
> Jose Castillo
> MicroTech ESS Contract
> Phone (410) 597-0194
> OTSO/DNE/NMB/NMST
> [email protected]

--
Champ Clark III
Quadrant Information Security [http://quadrantsec.com]
o: 904.296.9100 x101
o: 800.539.9357 x101

_______________________________________________
Lognorm mailing list
[email protected]
http://lists.adiscon.net/mailman/listinfo/lognorm
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
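To see where the ambiguity in the thread's rulebase comes from, here is an added example that is not part of the thread and not liblognorm's code: a small Python matcher for the rule syntax used above (literal text plus the %name:word%, %-:number%, %name:ipv4% and date-rfc3164 parsers, each reimplemented as a regex, which is an assumption about how those parsers behave). It compiles the four rules from test.rulebase, reports every rule that covers a whole message, and shows that although "console" is a valid word for %cisco.user:word%, only rule 1 covers the first sample message end to end.

```python
import re
# Constructed reimplementation of the rulebase syntax in the thread (not liblognorm's
# matcher): RULES are the text after "rule=:" in test.rulebase, prefixed by "prefix=".
PREFIX = "%date:date-rfc3164%"
RULES = [
    " %%SYS-5-CONFIG_I: Configured from console by console",
    " %%SYS-5-CONFIG_I: Configured from console by vty%-:number% (%cisco.ip:ipv4%)",
    " %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on vty%-:number% (%cisco.ip:ipv4%)",
    " %%SYS-5-CONFIG_I: Configured from console by %cisco.user:word% on console",
]
# Field parsers as regex fragments; the date form (optional trailing colon) follows
# the date="Sep 18 13:09:02:" values in the thread's lognormalizer output.
PARSERS = {"word": r"\S+", "number": r"\d+", "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
           "date-rfc3164": r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d:?"}
TOKEN = re.compile(r"%%|%([^%:]*):([^%]+)%")  # "%%" is a literal percent sign

def compile_rule(pattern):
    """Translate one rule into an anchored regex plus its captured field names."""
    parts, names, pos = [], [], 0
    for m in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        if m.group(0) == "%%":
            parts.append("%")
        else:
            names.append(m.group(1))  # name "-" means: match, but do not keep
            parts.append("(" + PARSERS[m.group(2)] + ")")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$"), names

COMPILED = [compile_rule(PREFIX + r) for r in RULES]

def matching_rules(msg):
    """Indexes of every rule covering the whole message; several means ambiguity."""
    return [i for i, (rx, _) in enumerate(COMPILED) if rx.match(msg)]

def normalize(msg):
    """Fields from the first fully matching rule, or None (the unparsed case)."""
    for rx, names in COMPILED:
        if m := rx.match(msg):
            return {n: v for n, v in zip(names, m.groups()) if n != "-"}
    return None

# Constructed copies of the four messages Jose fed to lognormalizer.
SAMPLES = [
    "Sep 18 13:06:18: %SYS-5-CONFIG_I: Configured from console by console",
    "Sep 18 13:09:02: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.1)",
    "Sep 18 13:15:29: %SYS-5-CONFIG_I: Configured from console by user1 on vty0 (192.168.1.2)",
    "Sep 18 13:29:28: %SYS-5-CONFIG_I: Configured from console by user2 on console",
]
```

A message for which matching_rules returns no index, or more than one, is the kind of rulebase gap worth flagging when reviewing rules, since the parser otherwise just emits it with empty fields.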

