Hi Rune,

I only have veeeery little experience with mmnormalize, so maybe others can help you more here.

From what I know, mmnormalize helps you parse your logs into rsyslog variables. Templates, on the other hand, let you use those variables (and the ones you get for free with syslog, such as severity) into however you want your messages to look like (an insert statement).

From this I have two comments:
- there should be no required link between the number of rules you have and the number of templates. You can have N types of logs, parsed by N rules, and only have 1 template to format your messages, or the other way around (use N templates for N different destinations, for a single type of message)
- maybe it would help you if you'd upgrade to rsyslog 8.x. Not sure if you already did that, but it should help because you have a much changed mmnormalize module, using liblognorm v 1.0. Pavel also wrote some nice docs of it here: http://rsyslog.github.io/liblognorm/doc/_build/html/

Best regards,
Radu

2014-02-14 12:34 GMT+02:00 Rune Elvemo <[email protected]>:
> First: I have problem with a rule for a log line from postfix
> An example of a log line:
> Feb 12 10:39:01 bp-mta06 postfix/local[4369]: 8ACC51001F0:
> to=<[email protected]>, orig_to=<root>, relay=local, delay=0.06,
> delays=0.05/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
>
> This is the filter I've written, but it doesn't work:
> prefix=%date:date-rfc3164% %hostname:word%
>
> rule=to: postfix/local[%notused:number%]: %mailid:char-to:\x3a%:
> to=<%address:char-to:>%>, orig_to=%notused2:word% relay=%notused3:word%
> delay=%notused4:word% delays=%notused5:word% dsn=%notused6:word%
> status=%status:word% %2notused3:char-to:)%)
>
> What is causing the problem is this: '%mailid:char-to:\x3a%:'
> If I replace it with ''%mailid:word%' I get all the fields I want, but I do
> not want the ':' in the mailid field.
>
> Second:
> The log data will be stored in a mysql database, with multiple tables (mail,
> router, etc.).
>
> In order to do that I need several templates with different insert
> statements.
> One for each table.
>
> I've looked at this page:
> http://www.rsyslog.com/using-rsyslog-mmnormalize-module-effectively-with-adiscon-loganalyzer/,
> and it has one rule without a name, and a single $template line.
>
> It seems like there is no 'rule' option (man page rsyslog.conf(5)) for a
> '$template' line. Is this correct? If so, how am I going to use several
> insert
> statements?
>
> Thanks.
>
> --
>
> Med vennlig hilsen
> Rune Elvemo
>
> BITPRO
>
> BITPRO AS
> Sjølystveien 27
> 4610 Kristiansand, Norway
>
> Phone: +47 47 91 71 00
> Fax: +47 47 91 71 01
> E-mail: [email protected]
> Web: www.bitpro.no
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
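The point in the reply that rules and templates are independent, sketched as an added rsyslog 8.x configuration fragment; it is not from the thread or from the rsyslog project. The rulebase path, table and column names, database credentials and the router filter are hypothetical; the field names `mailid`, `address` and `status` are taken from the rule quoted in the original message.

```rsyslog
# Added example, not from the original thread. rsyslog 8.x RainerScript syntax.
module(load="mmnormalize")
module(load="ommysql")

# One parsing step for all messages. The rulebase may hold any number of
# rules; fields from whichever rule matches are stored under $!
# (hypothetical rulebase path)
action(type="mmnormalize" ruleBase="/etc/rsyslog.d/example.rulebase")

# One template per destination table. option.sql="on" makes rsyslog escape
# quote characters in property values, so attacker-controlled log content
# (for example a crafted mail address) cannot break out of the quoted SQL
# literal. Database outputs require the sql or stdsql option on the template.
# (hypothetical table and column names)
template(name="mailInsert" type="string" option.sql="on"
         string="INSERT INTO mail (mailid, address, status) VALUES ('%$!mailid%', '%$!address%', '%$!status%')")

template(name="routerInsert" type="string" option.sql="on"
         string="INSERT INTO router (host, message) VALUES ('%hostname%', '%msg%')")

# Routing is done with ordinary filters, not with anything on the template.
# $parsesuccess is set by mmnormalize to "OK" or "FAIL".
if $programname startswith "postfix" and $parsesuccess == "OK" then {
    action(type="ommysql" server="localhost" db="Syslog"
           uid="rsyslog" pwd="CHANGE_ME"          # placeholder credentials
           template="mailInsert")
} else if $fromhost startswith "router" then {    # hypothetical router filter
    action(type="ommysql" server="localhost" db="Syslog"
           uid="rsyslog" pwd="CHANGE_ME"
           template="routerInsert")
}
```

Each `action()` names the template it uses, so the number of insert statements follows the number of destinations, not the number of normalization rules.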

