On Tue, 12 Aug 2014, Cristian Falcas wrote:

I removed the generic rule.

In case of no rule matching, nothing bad is happening, correct? Just that
the @cee info is not populated. I just want to be sure I will not lose log
lines.

the @cee info isn't populated, and there is a variable that you can test that no match happened.

it will not throw away the log line (although if you only do things with the @cee variables, you can throw it away due to your config)

David Lang

Best regards,

On Tue, Aug 12, 2014 at 1:36 AM, David Lang <[email protected]> wrote:

On Mon, 11 Aug 2014, Cristian Falcas wrote:

 Hello,

How can I make the normalization rule to stop on first match?

I'm trying to normalize the audit logs and I have at the end a rule that
catches all.

Example of rule.rb:

prefix= node=%hostname:word% type=%audit_type:word%
msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):
rule=SYSCALL: arch=%arch:word% syscall=%syscall:number%
success=%success:word% exit=%exit:word% %rest_msg:rest%
rule=NO_NORMALIZATION: %rest_msg:rest%

I would like that, for example, the lines that match the rule=SYSCALL to
return immediately. Currently all messages return with
event.tags="NO_NORMALIZATION".


Normalization is not an ordered list, the rules you specify get reordered
into a parse tree, and the best match wins.

now, why your no_normalization is considered a better match than others is
something I'm not sure about. I would have hoped that if multiple rules
matched, the longest match would win, but it's not an unreasonable
situation to have it be either shortest match wins or undefined in the case
of multiple matches.

In your case, eliminate the no_normalization rule and instead test for
success of the normalize action in your rsyslog ruleset and set the tag and
variables there.

David Lang
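The rsyslog-side fallback David describes above, written out as an added example that is not from the thread or the rsyslog project: the catch-all NO_NORMALIZATION rule is removed from the rulebase, and the "no rule matched" case is handled in the ruleset using mmnormalize's $parsesuccess property. The rulebase path, ruleset name, output file names and the $!event!tags variable path are assumptions.

```rsyslog
# Added example (not from the thread). Assumes the rulebase at
# /etc/rsyslog.d/audit.rb contains only the real rules (e.g. SYSCALL)
# and no catch-all rule.
module(load="mmnormalize")

# Emit every parsed field as one JSON object per line.
template(name="audit-json" type="list") {
    property(name="$!all-json")
    constant(value="\n")
}

ruleset(name="audit") {
    # Run the message through the liblognorm rulebase.
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/audit.rb")

    if $parsesuccess == "OK" then {
        # A real rule matched: $!arch, $!syscall, $!success, ... are populated.
        action(type="omfile" file="/var/log/audit-normalized.json"
               template="audit-json")
    } else {
        # No rule matched. The line is NOT dropped; tag it here instead of
        # relying on a catch-all rule. Variable path is an assumption.
        set $!event!tags = "NO_NORMALIZATION";
        set $!rest_msg = $msg;
        action(type="omfile" file="/var/log/audit-unparsed.json"
               template="audit-json")
    }
}
```

Because unmatched lines are written to their own file, a sudden growth of audit-unparsed.json is a cheap signal that the rulebase no longer covers the audit record types being produced.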
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.