On Mon, 11 Aug 2014, Cristian Falcas wrote:

Hello,

How can I make the normalization rule to stop on first match?

I'm trying to normalize the audit logs and I have at the end a rule that
catches all.

Example of rule.rb:

prefix= node=%hostname:word% type=%audit_type:word%
msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):
rule=SYSCALL: arch=%arch:word% syscall=%syscall:number%
success=%success:word% exit=%exit:word% %rest_msg:rest%
rule=NO_NORMALIZATION: %rest_msg:rest%

I would like that, for example, the lines that match the rule=SYSCALL to
return immediately. Currently all messages return with
event.tags="NO_NORMALIZATION".

Normalization is not an ordered list; the rules you specify get reordered into a parse tree, and the best match wins.

Now, why your no_normalization is considered a better match than others is something I'm not sure about. I would have hoped that if multiple rules matched, the longest match would win, but it's not an unreasonable situation to have it be either shortest match wins or undefined in the case of multiple matches.

In your case, eliminate the no_normalization rule and instead test for success of the normalize action in your rsyslog ruleset and set the tag and variables there.

David Lang
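The following rsyslog v7+ (RainerScript) fragment is an added example of the approach David describes; it is not from this thread or from the rsyslog project. It assumes the rulebase lives at /etc/rsyslog.d/audit.rb with the rule=NO_NORMALIZATION catch-all removed, relies on mmnormalize setting the $parsesuccess property to "OK" or "FAIL", and uses $!event!tags and $!rest_msg as chosen names for the fields the original catch-all rule used to produce:

```rsyslog
# Added example (not from the thread). Assumed paths and names are noted inline.
module(load="mmnormalize")
module(load="omfile")

# Emit every message, parsed or not, as one JSON object per line.
template(name="auditjson" type="list") {
    property(name="$!all-json")
    constant(value="\n")
}

# Rulebase without the NO_NORMALIZATION catch-all, so only real matches win.
# /etc/rsyslog.d/audit.rb is an assumed path. Add useRawMsg="on" if the
# node=... prefix is only present in the raw line, not in the msg property.
action(type="mmnormalize" ruleBase="/etc/rsyslog.d/audit.rb")

# mmnormalize sets $parsesuccess to "OK" when a rule matched, "FAIL" otherwise.
if $parsesuccess == "OK" then {
    # Parsed fields are available under $! (e.g. $!syscall, $!success).
    action(type="omfile" file="/var/log/audit-normalized.json" template="auditjson")
} else {
    # No rule matched: tag the event here instead of via a catch-all rule, and
    # keep the raw text so unparsed audit records are never silently dropped.
    # $!event!tags and $!rest_msg are assumed field names.
    set $!event!tags = "NO_NORMALIZATION";
    set $!rest_msg = $msg;
    action(type="omfile" file="/var/log/audit-unparsed.json" template="auditjson")
}
```

Routing the FAIL branch to its own file also gives a simple check on rulebase coverage: anything landing in audit-unparsed.json is a record the rulebase should eventually learn to match, rather than a record mis-tagged by a catch-all that outcompeted a specific rule.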
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/