On 05/13/2014 07:02 PM, Rainer Gerhards wrote:
On Tue, May 13, 2014 at 3:32 PM, Rune Elvemo <[email protected]> wrote:

On 05/13/2014 01:03 PM, Rainer Gerhards wrote:

On Tue, May 13, 2014 at 12:29 PM, Rune Elvemo <[email protected]> wrote:

  I want to filter out log data from postfix using mmnormalize.
I have two template lines:

$template postfrom, "postfix, mail id: '%mailid%', from: '%address%', recipients: '%recipients%'\n"
$template postto, "postfix, mail id: '%mailid%', to: '%address%', status: '%status%'\n"


  the property names are invalid. Please see the doc:
http://www.rsyslog.com/doc/mmnormalize.html

They must start with $!

HTH
Rainer

Now mailid, etc., starts with $!. The problem is that I end up with empty
values. Like I said, the filter is supposed to be correct.

This is the format of a log line:
May 13 15:23:51 bp-mta06 postfix/qmgr[10463]: A2C8C10019E: from=<[email protected]>, size=344, nrcpt=1 (queue active)


Is this the message format on the wire or (after processing!) in a log file?

To debug, add

*.* /var/log/prop_debug;RSYSLOG_DebugFormat

to the top of rsyslog.conf and send us a sample of such a message. Note
that this format emits multiple lines per message with a blank line
delimiting the messages.

Rainer

Debug line with all properties:
FROMHOST: 'mta06.bitpro.no', fromhost-ip: '78.41.126.5', HOSTNAME: 'bp-mta06', 
PRI: 22,
syslogtag 'postfix/qmgr[10463]:', programname: 'postfix', APP-NAME: 'postfix', 
PROCID: '10463', MSGID: '-',
TIMESTAMP: 'May 16 11:21:27', STRUCTURED-DATA: '-',
msg: ' 6D20C10019E: from=<[email protected]>, size=344, nrcpt=1 (queue 
active)'
escaped msg: ' 6D20C10019E: from=<[email protected]>, size=344, nrcpt=1 
(queue active)'
inputname: imudp rawmsg: '<22>May 16 11:21:27 bp-mta06 postfix/qmgr[10463]: 
6D20C10019E: from=<[email protected]>, size=344, nrcpt=1 (queue active)'
$!:
$.:
$/

Will the filter be applied to the 'msg:' line? I need / want all the data that 
is available in mail.log (the log line shown earlier).

Thanks.


Thanks.



  When rsyslog tries to parse it on startup I get an error: PROP_INVALID for
name 'mailid'

I have specified a rulebase file (above the template) :
$mmnormalizeRuleBase /rsyslog/rulebase.rb

The rules I use:

prefix=%date:date-rfc3164% %hostname:word%
rule=from: postfix/qmgr[%notused:number%]: %mailid:word% from=<%address:char-to:>%>, size=%notused2:word% nrcpt=%recipients:number% %notused3:char-to:)%)
rule=to: postfix/local[%notused:number%]: %mailid:word% to=<%address:char-to:>%>, orig_to=%notused2:word% relay=%notused3:word% delay=%notused4:word% delays=%notused5:word% dsn=%notused6:word% status=%status:word% %2notused3:char-to:)%)

When I use 'lognormalizer' on a mail.log file using those filters:
[cee@115 event.tags="to" 2notused3="(delivered to mailbox" status="sent"
notused6="2.0.0\," notused5="0.09/0/0/0.03\," notused4="0.12\,"
notused3="local\," notused2="<root>\," address="[email protected]"
mailid="1F11110019E:" notused="10593" hostname="bp-mta06" date="May 13
11:09:01"]
[cee@115 event.tags="from" notused3="(queue active" recipients="1"
notused2="1734\," address="[email protected]" mailid="1F11110019E:"
notused="10463" hostname="bp-mta06" date="May 13 11:09:01"]

So the filters should work.

Anyone who can help?

Thanks.


--

Yours sincerely,
Rune Elvemo

BITPRO

BITPRO AS
Sjølystveien 27
4610 Kristiansand, Norway

Phone: +47 47 91 71 00
Fax: +47 47 91 71 01
E-mail: [email protected]
Web: www.bitpro.no
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
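
Added example (not part of the original thread and not liblognorm's code): a small Python emulation of the "from" rule, applied to the three forms of the message that appear above, namely the mail.log line and the msg and rawmsg properties from the debug dump. The field-type regexes are simplified assumptions, and the e-mail address and the helper names (compile_rule, normalize, run) are constructed for illustration.

```python
import re

# Simplified stand-ins for the field types used in the thread's rulebase
# (assumption: an approximation for illustration, not liblognorm's parser).
FIELD_TYPES = {
    "date-rfc3164": lambda arg: r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}",
    "word": lambda arg: r"\S+",
    "number": lambda arg: r"\d+",
    "char-to": lambda arg: "[^" + re.escape(arg) + "]+",
}
FIELD = re.compile(r"%(\w+):([\w-]+)(?::(.))?%")

def compile_rule(rule):
    """Turn a rulebase pattern into a regex with one named group per field."""
    parts, pos = [], 0
    for m in FIELD.finditer(rule):
        name, ftype, arg = m.groups()
        parts.append(re.escape(rule[pos:m.start()]))  # literal text between fields
        parts.append("(?P<%s>%s)" % (name, FIELD_TYPES[ftype](arg)))
        pos = m.end()
    parts.append(re.escape(rule[pos:]))
    return re.compile("".join(parts))

def normalize(rule_re, text):
    """Return the extracted fields, or None when the whole text does not match."""
    m = rule_re.fullmatch(text)
    return m.groupdict() if m else None

# prefix= and the "from" rule from the thread, joined into one pattern.
FROM_RULE = compile_rule(
    "%date:date-rfc3164% %hostname:word% postfix/qmgr[%notused:number%]: "
    "%mailid:word% from=<%address:char-to:>%>, size=%notused2:word% "
    "nrcpt=%recipients:number% %notused3:char-to:)%)")

# Constructed samples shaped like the thread's data (address is a placeholder).
BODY = "6D20C10019E: from=<user@example.com>, size=344, nrcpt=1 (queue active)"
SAMPLES = {
    "mail.log line": "May 16 11:21:27 bp-mta06 postfix/qmgr[10463]: " + BODY,
    "msg property": " " + BODY,
    "rawmsg property": "<22>May 16 11:21:27 bp-mta06 postfix/qmgr[10463]: " + BODY,
}

def run():
    """Apply the rule to each sample and return label -> fields (or None)."""
    return {label: normalize(FROM_RULE, text) for label, text in SAMPLES.items()}

if __name__ == "__main__":
    for label, fields in run().items():
        print(label, "->", fields)
```

With the rule's date and hostname prefix, only the mail.log form matches as a whole; the msg and rawmsg strings from the debug dump return None.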
