Thank you, works wonderfully
On Sun, Aug 10, 2014 at 9:40 PM, Radu Gheorghe <[email protected]> wrote:
> Hi Cristian,
>
> With liblognorm1 this should be possible with the "rest" field type.
> Something like %all:rest%
>
> I didn't actually use that, all credits would go to Pavel's awesome docs:
> http://rsyslog.github.io/liblognorm/doc/_build/html/configuration.html#rest
>
> This would be the homepage:
> http://rsyslog.github.io/liblognorm/doc/_build/html/index.html
>
> Hope it helps,
> Radu
>
> --
> Performance Monitoring * Log Analytics * Search Analytics
> Solr & Elasticsearch Support * http://sematext.com/
>
>
> On Tue, Aug 5, 2014 at 12:52 AM, Cristian Falcas <[email protected]> wrote:
>
> > rsyslog-8.2.2
> >
> > And I'm using liblognorm1-utils
> >
> >
> > On Tue, Aug 5, 2014 at 12:40 AM, David Lang <[email protected]> wrote:
> >
> > > what version of rsyslog are you using? I know that there have been patches
> > > for dealing with this "recently" (within the last few months)
> > >
> > > David Lang
> > >
> > > On Tue, 5 Aug 2014, Cristian Falcas wrote:
> > >
> > > > Date: Tue, 5 Aug 2014 00:32:39 +0300
> > > > From: Cristian Falcas <[email protected]>
> > > > Reply-To: rsyslog-users <[email protected]>
> > > > To: rsyslog-users <[email protected]>
> > > > Subject: [rsyslog] lognorm rules and catch all until end of message
> > > >
> > > >
> > > > Hello,
> > > >
> > > > I'm trying to extract from audit logs the audit _tag_, but I need for this
> > > > something to catch everything from some point in the message until the
> > > > end.
> > > >
> > > > Sample messages from audit:
> > > >
> > > > node=machine.company type=SYSCALL msg=audit(1407187547.954:6830671): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=92c0c0 a2=0 a3=20 items=2 ppid=13686 pid=13712 auid=1361081601 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=140430 comm="rm" exe="/bin/rm" subj=unconfined_u:system_r:initrc_t:s0 key="delete"
> > > > node=machine.company type=CWD msg=audit(1407187547.954:6830671): cwd="/opt/oswatcher"
> > > > node=machine.company type=PATH msg=audit(1407187547.954:6830671): item=0 name="tmp/" inode=655755 dev=fd:00 mode=040755 ouid=501 ogid=501 rdev=00:00 obj=unconfined_u:object_r:usr_t:s0 nametype=PARENT
> > > > node=machine.company type=EOE msg=audit(1407187547.954:6830671):
> > > >
> > > > What rule I'm trying to use:
> > > >
> > > > prefix=
> > > > rule=: node=%hostname:word% type=%type:word% msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):%all:char-to:_some_end_of_message_%
> > > >
> > > > Is this possible?
> > > >
> > > > Best regards,
> > > > Cristian Falcas
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com/professional-services/
> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > > > DON'T LIKE THAT.

