Hello, Is this currently possible? Or would it be a good candidate for an enhancement in bugzilla? Maybe it will get sponsored or done in time.
2013/10/3 Radu Gheorghe <[email protected]>

> Hello and excuse my necromancy,
>
> I'm having the same problem here and I've tried to escape the newline with
> something like this:
>
> %message:char-to:x0a%
>
> And I still can't get the messages parsed. Any ideas on how to parse Java
> logs with a rule like? Something in the lines of:
>
> rule:= %time:word% %thread:word% %severity:word% %class:word% - %message:here-would-be-the-free-text-until-the-end-of-the-line
>
> Ideally, I'd read these messages with imfile and ReadMode="1", and parse
> stacktraces nicely as well. But that would be a different milestone :)
>
> Best regards,
> Radu
>
> 2013/5/30 David Lang <[email protected]>
>
>> On Tue, 28 May 2013, [email protected] wrote:
>>
>>> Hello list!
>>>
>>> [This message is in response to
>>> http://lists.adiscon.net/pipermail/rsyslog/2013-March/032011.html.
>>> I hope the "in-reply-to" header is taken over from the mailto-url to
>>> Outlook.]
>>>
>>> I am searching for the same (or similar) thing. Neither lognorm nor
>>> rsyslog's property-replacer options allow me to extract a string "from a
>>> certain field till the end". In my case messages are of the form
>>>
>>> May 28 17:46:45: [0001]: %SNMP-6-INFO: authenticationFailure notification sent to 10.11.12.13:123
>>>
>>> (yes, the date is also part of the message, so in the raw message the
>>> date can be found twice).
>>>
>>> The %SNMP-6-INFO part varies and could as well be %AAA-6-INFO or other
>>> strings, so a simple %msg:40:$% won't do the trick. Also the field-based
>>> extraction won't help because there is no such thing as %msg:F,58:6-%
>>> (which ideally would output the 6th and all subsequent fields separated by
>>> a ":", similar to the unix cut command).
>>>
>>> So I'm struggling to get such a seemingly easy task as "everything from
>>> there till the end" configured in rsyslog. Is there really no way other
>>> than (resource hungry) regular expressions?
>>
>> hmm, there is the 'from here to character X' option, what if you make
>> character X be a newline?
>>
>> David Lang
>>
>>> Thanks and best regards,
>>> Alex
>>>
>>> PS: There is something quite odd in the lognorm help. In chapter
>>> "Rulebase" there is an expression "%INBOUND:char-to:-\x3a". My
>>> understanding is that for char-to the additional information field must be
>>> a single char, but here it is "-\x3a", i.e. two chars (dash and colon).
>>>
>>> PPS: Also, the help text for char-to is quite misleading, stating "the
>>> field will be defined by the sign in the additional information" while it
>>> should probably be more something akin to "the field will be defined by
>>> everything until, but excluding, the sign in the additional information".
>>>
>>>> Unfortunately, I can't match only part of a string with liblognorm so I
>>>> must match everything ... except that everything after the "05 :" part is
>>>> not matchable.
>>>> Ideally, this would be double quoted and thus, I could use the
>>>> quoted-string identifier but unfortunately, this is not the case.
>>>>
>>>> Is there a way to do something like "char-to" which can take the whole
>>>> string until the end of the line ?
>>>> I tried something like this : %message:char-to:A% but it doesn't work :(
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
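Added example (not part of any message in the thread, and not liblognorm code): a toy Python matcher for rules shaped like the ones quoted above, putting a `char-to` field next to a to-end-of-message field on the two message shapes the thread discusses. The `rest` type name, the single-space `word` delimiter, the behaviour that `char-to` fails when its terminator is absent, and the constructed `JAVA_LINE` are assumptions of this example.

```python
import re

# Toy rule syntax modelled on the thread: %name:type% or %name:type:extra%
FIELD = re.compile(r"%(\w+):([\w-]+)(?::(.*?))?%", re.DOTALL)

def compile_rule(rule):
    """Split a rule into ('lit', text) and ('field', name, type, extra) steps."""
    steps, pos = [], 0
    for m in FIELD.finditer(rule):
        steps.append(("lit", rule[pos:m.start()]))  # literal before the field, may be empty
        steps.append(("field", m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    steps.append(("lit", rule[pos:]))
    return steps

def match(rule, msg):
    """Return the extracted fields, or None unless the rule consumes the whole message."""
    out, i = {}, 0
    for step in compile_rule(rule):
        if step[0] == "lit":
            if not msg.startswith(step[1], i):
                return None
            i += len(step[1])
            continue
        _, name, ftype, extra = step
        if ftype == "word":              # up to the next space, or the end of the message
            j = msg.find(" ", i)
            j = len(msg) if j == -1 else j
        elif ftype == "char-to" and extra:
            j = msg.find(extra, i)       # assumption: terminator absent means no match
        elif ftype == "rest":            # hypothetical type: everything left, even nothing
            j = len(msg)
        else:
            raise ValueError(f"unsupported field: {ftype}")
        if j == -1 or (j == i and ftype != "rest"):
            return None
        out[name], i = msg[i:j], j       # the terminator itself is not consumed
    return out if i == len(msg) else None

# Rule shape and device message from the thread; JAVA_LINE is constructed sample input.
JAVA_RULE = "%time:word% %thread:word% %severity:word% %class:word% - %message:rest%"
JAVA_LINE = "12:00:01,123 main ERROR com.example.App - Connection refused: retry 3"
SNMP_RULE = ("%mon:word% %day:word% %hh:char-to::%:%mm:char-to::%:%ss:char-to::%: "
             "[%id:char-to:]%]: %tag:char-to::%: %message:rest%")
SNMP_LINE = ("May 28 17:46:45: [0001]: %SNMP-6-INFO: authenticationFailure "
             "notification sent to 10.11.12.13:123")

if __name__ == "__main__":
    print(match(JAVA_RULE, JAVA_LINE), match(SNMP_RULE, SNMP_LINE), sep="\n")
```

Swapping the last field for a `char-to` with a newline terminator makes the same Java line fail in this matcher, because the message handed to it carries no trailing newline to stop at.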

