On Fri, 16 May 2014, Rune Elvemo wrote:

On 05/13/2014 07:02 PM, Rainer Gerhards wrote:
On Tue, May 13, 2014 at 3:32 PM, Rune Elvemo <[email protected]> wrote:

On 05/13/2014 01:03 PM, Rainer Gerhards wrote:

On Tue, May 13, 2014 at 12:29 PM, Rune Elvemo <[email protected]> wrote:

  I want to filter out log data from postfix using mmnormalize.
I have two template lines:

$template postfrom, "postfix, mail id: '%mailid%', from: '%address%', recipients: '%recipients%'\n"
$template postto, "postfix, mail id: '%mailid%', to: '%address%', status: '%status%'\n"


The property names are invalid. Please see the doc:
http://www.rsyslog.com/doc/mmnormalize.html

They must start with $!

HTH
Rainer

Now mailid, etc., starts with $!. The problem is that I end up with empty
values. Like I said,
the filter is supposed to be correct.

This is the format of a log line:
May 13 15:23:51 bp-mta06 postfix/qmgr[10463]: A2C8C10019E: from=<[email protected]>, size=344, nrcpt=1 (queue active)


Is this the message format on the wire or (after processing!) in a log file?

To debug, add

*.* /var/log/prop_debug;RSYSLOG_DebugFormat

to the top of rsyslog.conf and send us a sample of such a message. Note
that this format emits multiple lines per message with a blank line
delimiting the messages.

Rainer

Debug line with all properties:
FROMHOST: 'mta06.bitpro.no', fromhost-ip: '78.41.126.5', HOSTNAME: 'bp-mta06', PRI: 22, syslogtag 'postfix/qmgr[10463]:', programname: 'postfix', APP-NAME: 'postfix', PROCID: '10463', MSGID: '-',
TIMESTAMP: 'May 16 11:21:27', STRUCTURED-DATA: '-',
msg: ' 6D20C10019E: from=<[email protected]>, size=344, nrcpt=1 (queue active)' escaped msg: ' 6D20C10019E: from=<[email protected]>, size=344, nrcpt=1 (queue active)' inputname: imudp rawmsg: '<22>May 16 11:21:27 bp-mta06 postfix/qmgr[10463]: 6D20C10019E: from=<[email protected]>, size=344, nrcpt=1 (queue active)'
$!:
$.:
$/

Will the filter be applied to the 'msg:' line? I need / want all the data that is available in mail.log (the log line shown earlier).

A point of terminology here: a filter is used to decide if you are going to output something or not; it applies to whatever you say it does.

mmnormalize is a parser; by default, it parses the msg: variable and creates variables from it.

There is an option to have mmnormalize parse the rawmsg instead, and that's what your rules are set up to deal with.

Try trimming your rules down to start with the mailid, and I think that when you look at the debug format log you will then see a bunch of stuff in the $! section.

David Lang

Thanks.


Thanks.



When rsyslog tries to parse it on startup I get an error: PROP_INVALID for name 'mailid'

I have specified a rulebase file (above the template) :
$mmnormalizeRuleBase /rsyslog/rulebase.rb

The rules I use:

prefix=%date:date-rfc3164% %hostname:word%
rule=from: postfix/qmgr[%notused:number%]: %mailid:word% from=<%address:char-to:>%>, size=%notused2:word% nrcpt=%recipients:number% %notused3:char-to:)%)
rule=to: postfix/local[%notused:number%]: %mailid:word% to=<%address:char-to:>%>, orig_to=%notused2:word% relay=%notused3:word% delay=%notused4:word% delays=%notused5:word% dsn=%notused6:word% status=%status:word% %2notused3:char-to:)%)

When I use 'lognormalizer' on a mail.log file using those filters:
[cee@115 event.tags="to" 2notused3="(delivered to mailbox" status="sent"
notused6="2.0.0\," notused5="0.09/0/0/0.03\," notused4="0.12\,"
notused3="local\," notused2="<root>\," address="[email protected]"
mailid="1F11110019E:" notused="10593" hostname="bp-mta06" date="May 13
11:09:01"]
[cee@115 event.tags="from" notused3="(queue active" recipients="1"
notused2="1734\," address="[email protected]" mailid="1F11110019E:"
notused="10463" hostname="bp-mta06" date="May 13 11:09:01"]

So the filters should work.

Anyone who can help?

Thanks.


--

Yours sincerely,
Rune Elvemo

BITPRO

BITPRO AS
Sjølystveien 27
4610 Kristiansand, Norway

Phone: +47 47 91 71 00
Fax: +47 47 91 71 01
E-mail: [email protected]
Web: www.bitpro.no
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.


--

Yours sincerely,

Rune Elvemo

BITPRO

BITPRO AS
Sjølystveien 27
4610 Kristiansand, Norway

Phone: +47 47 91 71 00
Fax: +47 47 91 71 01
E-mail: [email protected]
Web: www.bitpro.no
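An added illustration of the point made in the thread that mmnormalize parses the msg property by default (this is not code from the thread and not liblognorm itself): a simplified Python stand-in for the rule matcher, covering only the field types used in the `from` rule. The e-mail address is a constructed placeholder, and `compile_rule`, `normalize` and the trimmed rule are assumptions of this example.

```python
import re

# Simplified stand-in for liblognorm field syntax: %name:type% or %name:type:extra%
FIELD = re.compile(r"%([^:%]+):([^:%]+)(?::([^%]*))?%")
TYPES = {
    "word": r"\S+",
    "number": r"\d+",
    "date-rfc3164": r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d",
}

def compile_rule(rule):
    """Translate a rule string into an anchored regular expression."""
    parts, pos = [], 0
    for m in FIELD.finditer(rule):
        parts.append(re.escape(rule[pos:m.start()]))   # literal text between fields
        name, ftype, extra = m.groups()
        if ftype == "char-to":
            pattern = "[^" + re.escape(extra) + "]+"   # everything up to the stop character
        else:
            pattern = TYPES[ftype]
        parts.append("(?P<%s>%s)" % (name, pattern))
        pos = m.end()
    parts.append(re.escape(rule[pos:]))
    return re.compile("".join(parts))

def normalize(rule, text):
    """Return the extracted fields, or None when the whole text does not match."""
    m = compile_rule(rule).fullmatch(text)
    return m.groupdict() if m else None

# Prefix and 'from' rule as posted in the thread
PREFIX = "%date:date-rfc3164% %hostname:word%"
BODY = (" postfix/qmgr[%notused:number%]: %mailid:word% from=<%address:char-to:>%>,"
        " size=%notused2:word% nrcpt=%recipients:number% %notused3:char-to:)%)")
FULL_RULE = PREFIX + BODY
# Hypothetical trimmed rule that starts at the mail id (leading space as in msg)
TRIMMED_RULE = BODY[BODY.index(" %mailid"):]

# Constructed samples: the line as stored in mail.log, and the msg property
# as shown in the RSYSLOG_DebugFormat output (address is a placeholder)
FILE_LINE = ("May 13 15:23:51 bp-mta06 postfix/qmgr[10463]: A2C8C10019E: "
             "from=<user@example.com>, size=344, nrcpt=1 (queue active)")
MSG = " 6D20C10019E: from=<user@example.com>, size=344, nrcpt=1 (queue active)"

if __name__ == "__main__":
    print("full rule on log file line:", normalize(FULL_RULE, FILE_LINE))
    print("full rule on msg property: ", normalize(FULL_RULE, MSG))
    print("trimmed rule on msg:       ", normalize(TRIMMED_RULE, MSG))
```

The full rule matches the line as it appears in mail.log (which is what `lognormalizer` was fed) but returns nothing for the msg property, while the trimmed rule populates the fields from msg.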