On Tue, May 13, 2014 at 3:32 PM, Rune Elvemo <[email protected]> wrote:
> On 05/13/2014 01:03 PM, Rainer Gerhards wrote:
>
>> On Tue, May 13, 2014 at 12:29 PM, Rune Elvemo <[email protected]> wrote:
>>
>>> I want to filter out log data from postfix using mmnormalize.
>>> I have two template lines:
>>>
>>> $template postfrom, "postfix, mail id: '%mailid%', from: '%address%', recipients: '%recipients%'\n"
>>> $template postto, "postfix, mail id: '%mailid%', to: '%address%', status: '%status%'\n"
>>
>> The property names are invalid. Please see the doc:
>>
>> http://www.rsyslog.com/doc/mmnormalize.html
>>
>> They must start with $!
>>
>> HTH
>> Rainer
>
> Now mailid, etc., starts with $!. The problem is that I end up with empty
> values. Like I said, the filter is supposed to be correct.
>
> This is the format of a log line:
> May 13 15:23:51 bp-mta06 postfix/qmgr[10463]: A2C8C10019E: from=<[email protected]>, size=344, nrcpt=1 (queue active)

Is this the message format on the wire or (after processing!) in a log file?

To debug, add

*.* /var/log/prop_debug;RSYSLOG_DebugFormat

to the top of rsyslog.conf and send us a sample of such a message. Note that
this format emits multiple lines per message with a blank line delimiting
the messages.

Rainer

> Thanks.
>
>>> When rsyslog tries to parse it on startup I get an error: PROP_INVALID for name 'mailid'
>>>
>>> I have specified a rulebase file (above the template):
>>> $mmnormalizeRuleBase /rsyslog/rulebase.rb
>>>
>>> The rules I use:
>>>
>>> prefix=%date:date-rfc3164% %hostname:word%
>>> rule=from: postfix/qmgr[%notused:number%]: %mailid:word% from=<%address:char-to:>%>, size=%notused2:word% nrcpt=%recipients:number% %notused3:char-to:)%)
>>> rule=to: postfix/local[%notused:number%]: %mailid:word% to=<%address:char-to:>%>, orig_to=%notused2:word% relay=%notused3:word% delay=%notused4:word% delays=%notused5:word% dsn=%notused6:word% status=%status:word% %2notused3:char-to:)%)
>>>
>>> When I use 'lognormalizer' on a mail.log file using those filters:
>>> [cee@115 event.tags="to" 2notused3="(delivered to mailbox" status="sent" notused6="2.0.0\," notused5="0.09/0/0/0.03\," notused4="0.12\," notused3="local\," notused2="<root>\," address="[email protected]" mailid="1F11110019E:" notused="10593" hostname="bp-mta06" date="May 13 11:09:01"]
>>> [cee@115 event.tags="from" notused3="(queue active" recipients="1" notused2="1734\," address="[email protected]" mailid="1F11110019E:" notused="10463" hostname="bp-mta06" date="May 13 11:09:01"]
>>>
>>> So the filters should work.
>>>
>>> Anyone who can help?
>>>
>>> Thanks.
>>>
>>> --
>>> Yours sincerely,
>>> Rune Elvemo
>>>
>>> BITPRO AS
>>> Sjølystveien 27
>>> 4610 Kristiansand, Norway
>>>
>>> Phone: +47 47 91 71 00
>>> Fax: +47 47 91 71 01
>>> E-mail: [email protected]
>>> Web: www.bitpro.no
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>
> --
> Kind regards,
> Rune Elvemo
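
Rainer's question about whether the sample is the on-the-wire message or a log-file line matters because a rule only matches the exact text it is handed. The following added example (not code from the thread, rsyslog or liblognorm) emulates the field types of the posted rulebase in Python and runs the posted `from` rule against a log-file line and against only the text after the syslog tag. The emulation, the placeholder sender address and the `MSG_PART` split are assumptions for illustration.

```python
import re

# Simplified stand-ins for the liblognorm field types used in the thread's
# rulebase; this is an emulation for illustration, not liblognorm itself.
FIELD_TYPES = {
    "date-rfc3164": r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d",
    "word": r"\S+",      # runs to the next space, so it keeps ':' and ','
    "number": r"\d+",
}
FIELD = re.compile(r"%(\w+):([\w-]+)(?::(.))?%")

def compile_rule(pattern):
    """Translate literal text plus %name:type[:arg]% fields into a regex."""
    parts, pos = [], 0
    for m in FIELD.finditer(pattern):
        name, ftype, arg = m.groups()
        parts.append(re.escape(pattern[pos:m.start()]))
        if ftype == "char-to":           # up to, not including, arg
            body = "[^%s]+" % re.escape(arg)
        else:
            body = FIELD_TYPES[ftype]
        parts.append("(?P<%s>%s)" % (name, body))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts) + r"\Z")

def normalize(pattern, text):
    """Return the extracted fields, or None when the rule does not match."""
    m = compile_rule(pattern).match(text)
    return m.groupdict() if m else None

# Prefix and "from" rule body as posted in the thread.
PREFIX = "%date:date-rfc3164% %hostname:word%"
FROM_RULE = (" postfix/qmgr[%notused:number%]: %mailid:word% "
             "from=<%address:char-to:>%>, size=%notused2:word% "
             "nrcpt=%recipients:number% %notused3:char-to:)%)")

# Constructed sample: the thread's log line with a placeholder sender address.
FILE_LINE = ("May 13 15:23:51 bp-mta06 postfix/qmgr[10463]: A2C8C10019E: "
             "from=<sender@example.com>, size=344, nrcpt=1 (queue active)")
# Assumed MSG part: what is left once the syslog header and tag are parsed off.
MSG_PART = FILE_LINE.split("]:", 1)[1]

if __name__ == "__main__":
    print(normalize(PREFIX + FROM_RULE, FILE_LINE))  # all fields extracted
    print(normalize(PREFIX + FROM_RULE, MSG_PART))   # None: prefix cannot match
```

The first call also reproduces the trailing `:` on `mailid` and the trailing `,` on the size field that appear in the lognormalizer output quoted in the thread, since `word` stops only at a space.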

