I removed the generic rule. In case of no rule matching, nothing bad is happening, correct? Just that the @cee info is not populated. I just want to be sure I will not lose log lines.
Best regards,

On Tue, Aug 12, 2014 at 1:36 AM, David Lang <[email protected]> wrote:
> On Mon, 11 Aug 2014, Cristian Falcas wrote:
>
>> Hello,
>>
>> How can I make the normalization rule to stop on first match?
>>
>> I'm trying to normalize the audit logs and I have at the end a rule that
>> catches all.
>>
>> Example of rule.rb:
>>
>> prefix= node=%hostname:word% type=%audit_type:word% msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):
>> rule=SYSCALL: arch=%arch:word% syscall=%syscall:number% success=%success:word% exit=%exit:word% %rest_msg:rest%
>> rule=NO_NORMALIZATION: %rest_msg:rest%
>>
>> I would like that, for example, the lines that match the rule=SYSCALL to
>> return immediately. Currently all messages return with
>> event.tags="NO_NORMALIZATION".
>
> Normalization is not an ordered list, the rules you specify get reordered
> into a parse tree, and the best match wins.
>
> Now, why your no_normalization is considered a better match than others is
> something I'm not sure about. I would have hoped that if multiple rules
> matched, the longest match would win, but it's not an unreasonable
> situation to have it be either shortest match wins or undefined in the case
> of multiple matches.
>
> In your case, eliminate the no_normalization rule and instead test for
> success of the normalize action in your rsyslog ruleset and set the tag and
> variables there.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
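One way to do what David suggests, shown here as an added example that is not part of the thread: keep the prefix and SYSCALL rule from the rulebase above, drop the catch-all, and let rsyslog's mmnormalize report whether the line was parsed. It assumes rsyslog 7.x or later with mmnormalize loaded, a rulebase saved as /etc/rsyslog.d/audit.rb, and imfile as the input; the template name, output path and "NORMALIZED" tag value are constructed for the example.

```rsyslog
# --- /etc/rsyslog.d/audit.rb (liblognorm rulebase, catch-all removed) ---
# prefix= node=%hostname:word% type=%audit_type:word% msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):
# rule=SYSCALL: arch=%arch:word% syscall=%syscall:number% success=%success:word% exit=%exit:word% %rest_msg:rest%
#
# With no NO_NORMALIZATION rule, a line that matches nothing is not dropped:
# it leaves mmnormalize with an empty $! tree and $parsesuccess set to "FAIL".

# --- /etc/rsyslog.d/audit.conf (rsyslog ruleset) ---
module(load="mmnormalize")

# Constructed template: original text plus the parsed fields as a @cee blob.
template(name="audit_cee" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg% @cee: %$!all-json%\n")

ruleset(name="audit") {
    # Run the rulebase; mmnormalize sets $parsesuccess to "OK" or "FAIL".
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/audit.rb")

    if $parsesuccess == "OK" then {
        # SYSCALL lines: $!arch, $!syscall, $!success, $!exit, ... are populated
        set $!event!tags = "NORMALIZED";
    } else {
        # Nothing matched: set the tag here instead of in a catch-all rule and
        # keep the raw line so the @cee record is still useful downstream.
        set $!event!tags = "NO_NORMALIZATION";
        set $!event!raw = $msg;
    }

    action(type="omfile" file="/var/log/audit-normalized.log" template="audit_cee")
}

# Bind the ruleset to whatever input delivers the audit lines (imfile assumed).
input(type="imfile" file="/var/log/audit/audit.log" tag="audit:" ruleset="audit")
```

The parse-success test replaces the ordering the rulebase cannot give you: because liblognorm picks the best match from a parse tree rather than the first rule in file order, the only reliable "did anything match" signal is rsyslog's own $parsesuccess after the action runs.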

