You should always run tests to local files with copies of your data to be sure that you are sending what you expect.

but if the log message is in your output before you do the normalization, then it will still be there after the normalization with no match.

Remember that you can set variables in the $! space directly, so if you need something that isn't there, add it.

David Lang

On Tue, 12 Aug 2014, Cristian Falcas wrote:

Thank you, I'm using it to send extra data to elasticsearch.

For this I use a json template with subtree="$!". This way I have my
"static" data (timestamp, message, facility, etc.) and also the data
generated by the parser.




On Tue, Aug 12, 2014 at 1:57 AM, David Lang <[email protected]> wrote:

On Tue, 12 Aug 2014, Cristian Falcas wrote:

I removed the generic rule.

In case of no rule matching, nothing bad is happening, correct? Just that
the @cee info is not populated. I just want to be sure I will not lose log
lines.


the @cee info isn't populated, and there is a variable that you can test
that no match happened.

it will not throw away the log line (although if you only do things with
the @cee variables, you can throw it away due to your config)

David Lang


Best regards,




On Tue, Aug 12, 2014 at 1:36 AM, David Lang <[email protected]> wrote:

On Mon, 11 Aug 2014, Cristian Falcas wrote:

Hello,


How can I make the normalization rule to stop on first match?

I'm trying to normalize the audit logs and I have at the end a rule that
catches all.

Example of rule.rb:

prefix= node=%hostname:word% type=%audit_type:word% msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):
rule=SYSCALL: arch=%arch:word% syscall=%syscall:number% success=%success:word% exit=%exit:word% %rest_msg:rest%
rule=NO_NORMALIZATION: %rest_msg:rest%

I would like that, for example, the lines that match the rule=SYSCALL to
return immediately. Currently all messages return with
event.tags="NO_NORMALIZATION".


Normalization is not an ordered list, the rules you specify get reordered
into a parse tree, and the best match wins.

now, why your no_normalization is considered a better match than others is
something I'm not sure about. I would have hoped that if multiple rules
matched, the longest match would win, but it's not an unreasonable
situation to have it be either shortest match wins or undefined in the case
of multiple matches.

In your case, eliminate the no_normalization rule and instead test for
success of the normalize action in your rsyslog ruleset and set the tag and
variables there.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.

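The point of the thread, worked through as an added example (this is not liblognorm or rsyslog code, and not anything Cristian or David posted): a small regex-based stand-in for the rulebase above, with hypothetical helper names (compile_pattern, load_rulebase, normalize, normalize_with_fallback, without_catchall) and constructed sample lines. liblognorm compiles rules into a parse tree and returns one best match; this stand-in instead reports every rule that fully matches, which makes it visible that a trailing `%rest%` rule matches exactly the same lines the SYSCALL rule does, so there is no "first match" to stop on. The second function mirrors David's advice: drop the catch-all from the rulebase and let the caller (in rsyslog, the ruleset after mmnormalize, writing into the `$!` space) set the NO_NORMALIZATION tag when nothing matched. The prefix is written here without the leading space shown in the mail, so the sample lines start directly with `node=`.

```python
import re

# Constructed copy of the rule.rb from the thread, one rule per line.
# Stand-in semantics only: liblognorm builds a parse tree from these,
# this example compiles each rule (prefix + rule text) to a regex.
RULEBASE = (
    "prefix=node=%hostname:word% type=%audit_type:word% "
    "msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):\n"
    "rule=SYSCALL: arch=%arch:word% syscall=%syscall:number% "
    "success=%success:word% exit=%exit:word% %rest_msg:rest%\n"
    "rule=NO_NORMALIZATION: %rest_msg:rest%\n"
)

# Hypothetical regex stand-ins for the three field types the rulebase uses.
FIELD_TYPES = {"word": r"\S+", "number": r"\d+", "rest": r".*"}
FIELD_RE = re.compile(r"%(\w+):(\w+)%")


def compile_pattern(text):
    """Translate 'key=%name:type%' text into a regex with named groups."""
    parts, pos = [], 0
    for m in FIELD_RE.finditer(text):
        parts.append(re.escape(text[pos:m.start()]))
        parts.append("(?P<%s>%s)" % (m.group(1), FIELD_TYPES[m.group(2)]))
        pos = m.end()
    parts.append(re.escape(text[pos:]))
    return "".join(parts)


def load_rulebase(text):
    """Return [(tag, compiled_regex)]; the prefix is prepended to every rule."""
    prefix, rules = "", []
    for line in text.splitlines():
        if line.startswith("prefix="):
            prefix = line[len("prefix="):]
        elif line.startswith("rule="):
            tag, _, pattern = line[len("rule="):].partition(":")
            rules.append((tag, re.compile(compile_pattern(prefix + pattern))))
    return rules


def normalize(rules, line):
    """Every (tag, fields) pair whose rule fully matches the line.

    liblognorm keeps one 'best' match; listing all of them shows why a
    %rest% catch-all is never a 'last resort': it matches the same lines
    the specific rules match, so rule order gives no stop-on-first-match.
    """
    found = []
    for tag, regex in rules:
        m = regex.fullmatch(line)
        if m:
            found.append((tag, m.groupdict()))
    return found


def normalize_with_fallback(rules, line):
    """David's approach: no catch-all in the rulebase, so a miss is visible
    to the caller, which sets the tag itself (in rsyslog: in the ruleset
    after mmnormalize, as a variable in the $! space)."""
    found = normalize(rules, line)
    if not found:
        return {"event.tags": ["NO_NORMALIZATION"], "unparsed": line}
    tag, fields = found[0]
    fields["event.tags"] = [tag]
    return fields


def without_catchall(text):
    """Drop the NO_NORMALIZATION rule from a rulebase string."""
    return "\n".join(l for l in text.splitlines()
                     if not l.startswith("rule=NO_NORMALIZATION"))


# Constructed sample messages (not real audit records).
SYSCALL_LINE = ("node=host1 type=SYSCALL msg=audit(1407812345.123:456): "
                "arch=c000003e syscall=59 success=yes exit=0 a0=1 items=2")
LOGIN_LINE = ("node=host1 type=USER_LOGIN msg=audit(1407812345.999:457): "
              "pid=1234 uid=0 res=success")

if __name__ == "__main__":
    both = load_rulebase(RULEBASE)
    print("with catch-all, rules matching a SYSCALL line:",
          [t for t, _ in normalize(both, SYSCALL_LINE)])
    strict = load_rulebase(without_catchall(RULEBASE))
    print(normalize_with_fallback(strict, SYSCALL_LINE))
    print(normalize_with_fallback(strict, LOGIN_LINE))
```

Run stand-alone it prints two rule tags for the SYSCALL line under the original rulebase, then the extracted fields tagged SYSCALL and the USER_LOGIN line tagged NO_NORMALIZATION under the rulebase without the catch-all. Test the real rulebase the same way against copies of your own audit lines before pointing it at elasticsearch.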