Thank you, I'm using it to send extra data to Elasticsearch. For this I use a JSON template with subtree="$!". This way I have my "static" data (timestamp, message, facility, etc.) and also the data generated by the parser.
On Tue, Aug 12, 2014 at 1:57 AM, David Lang <[email protected]> wrote:

> On Tue, 12 Aug 2014, Cristian Falcas wrote:
>
>> I removed the generic rule.
>>
>> In case of no rule matching, nothing bad is happening, correct? Just that
>> the @cee info is not populated. I just want to be sure I will not lose log
>> lines.
>
> the @cee info isn't populated, and there is a variable that you can test
> that no match happened.
>
> it will not throw away the log line (although if you only do things with
> the @cee variables, you can throw it away due to your config)
>
> David Lang
>
>> Best regards,
>>
>> On Tue, Aug 12, 2014 at 1:36 AM, David Lang <[email protected]> wrote:
>>
>>> On Mon, 11 Aug 2014, Cristian Falcas wrote:
>>>
>>>> Hello,
>>>>
>>>> How can I make the normalization rule to stop on first match?
>>>>
>>>> I'm trying to normalize the audit logs and I have at the end a rule that
>>>> catches all.
>>>>
>>>> Example of rule.rb:
>>>>
>>>> prefix= node=%hostname:word% type=%audit_type:word% msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):
>>>> rule=SYSCALL: arch=%arch:word% syscall=%syscall:number% success=%success:word% exit=%exit:word% %rest_msg:rest%
>>>> rule=NO_NORMALIZATION: %rest_msg:rest%
>>>>
>>>> I would like that, for example, the lines that match the rule=SYSCALL to
>>>> return immediately. Currently all messages return with
>>>> event.tags="NO_NORMALIZATION".
>>>
>>> Normalization is not an ordered list, the rules you specify get reordered
>>> into a parse tree, and the best match wins.
>>>
>>> now, why your no_normalization is considered a better match than others is
>>> something I'm not sure about. I would have hoped that if multiple rules
>>> matched, the longest match would win, but it's not an unreasonable
>>> situation to have it be either shortest match wins or undefined in the case
>>> of multiple matches.
>>>
>>> In your case, eliminate the no_normalization rule and instead test for
>>> success of the normalize action in your rsyslog ruleset and set the tag and
>>> variables there.
>>>
>>> David Lang
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
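As an added example (not posted by anyone in this thread), here is what the advice above could look like in an rsyslog ruleset: the rulebase keeps only the real rules with no catch-all, the ruleset tests after mmnormalize whether a match happened, sets its own tag field, and emits everything under $! through a subtree template to Elasticsearch. The rulebase path, audit log path, Elasticsearch host, index name and the tag values are assumptions; so is the name $!unparsed-data, which liblognorm is expected to fill with the raw text when no rule matched (confirm against the liblognorm version actually installed).

```conf
# Added example, not from the thread. Assumed: rulebase path, log path,
# Elasticsearch host/index, and that liblognorm sets $!unparsed-data when
# no rule matches (check this for the installed liblognorm version).
module(load="imfile")
module(load="mmnormalize")
module(load="omelasticsearch")

# Rulebase /etc/rsyslog.d/audit.rb (assumed path) holds only real rules,
# with no NO_NORMALIZATION catch-all, e.g.:
#   prefix=node=%hostname:word% type=%audit_type:word% msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):
#   rule=SYSCALL: arch=%arch:word% syscall=%syscall:number% success=%success:word% exit=%exit:word% %rest_msg:rest%

# Everything under $! (parser output plus the static fields set below)
# becomes one JSON document.
template(name="audit-json" type="subtree" subtree="$!")

ruleset(name="audit") {
    # Parse the raw line; on success the rule's fields land under $!.
    action(type="mmnormalize" ruleBase="/etc/rsyslog.d/audit.rb" useRawMsg="on")

    # Static fields live in the same subtree as the parsed ones.
    set $!timestamp = $timereported;
    set $!facility  = $syslogfacility-text;
    set $!message   = $msg;

    # No rule matched: the raw text is left in $!unparsed-data instead of
    # the parsed fields. Tag it here rather than with a catch-all rule, so
    # the line is kept and visibly flagged for later review.
    if $!unparsed-data != "" then {
        set $!tags = "NO_NORMALIZATION";
    } else {
        set $!tags = "AUDIT_PARSED";
    }

    # Assumed host and index name.
    action(type="omelasticsearch"
           server="es.example.internal"
           searchIndex="audit"
           template="audit-json")
}

# Assumed input: the auditd log file, bound to the ruleset above.
input(type="imfile" File="/var/log/audit/audit.log" Tag="audit" ruleset="audit")
```

Because the catch-all rule is gone, a line that matches none of the rules no longer competes with the real rules in the parse tree; it simply arrives without parsed fields, and the `if` branch is what marks it. Counting documents tagged NO_NORMALIZATION in the index is then a cheap check that the rulebase still covers the audit record types being produced.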

