I forgot to mention the version I am using: I am using the adiscon PPA,
rsyslog 8.4.2-0adiscon1precise1.

On Sat, Oct 25, 2014 at 9:27 AM, Todd Mortensen <[email protected]>
wrote:

> I am at it again trying to parse out iptables log files with mmnormalize to
> send all the fields to elasticsearch.
>
> The issue I am having is accessing the parsed values.
>
> I can print out everything at once via %!all-json% but I cannot seem to
> access the parsed variables like DST or SRC. I am trying to use %!DST% in
> my template per the documentation but I get no output for these.
>
> I have also tried to run rsyslog in debug mode to see how mmnormalize is
> parsing, but that does not seem to be in the debug output.
>
> Here is the sample log output:
>
> { "IN": "lo", "OUT": "", "MAC":
> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "10.0.0.10", "DST":
> "10.0.0.10", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
> "14558", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "47921", "DPT":
> "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
> "0", "": "[*PRESENT*]", "kerntime": "[41349802.368044]" } src is  dst is  $!
>
> My rsyslog.conf:
>
> module(load="impstats" interval="3600" severity="7")
> module(load="imuxsock" SysSock.Annotate="off")
> module(load="imklog")
> module(load="imfile" pollingInterval="10")
> module(load="mmnormalize")
> # omelasticsearch was listed twice via $ModLoad; load it once
> module(load="omelasticsearch")
>
> # run every message through the rulebase; parsed fields land under $!
> *.* { action(type="mmnormalize" UseRawMsg="on" ruleBase="/etc/rsyslog.d/normalize.rb") }
>
> # whole parsed tree, then the two individual fields
> # (the bare "$!" outside %...% is written literally, as the output above shows)
> template(name="testFormat" type="string" string="%$!all-json% src is %$!SRC% dst is %$!DST% $! \n")
>
> if $parsesuccess == "OK" then {
>     action(type="omfile" file="/var/log/parsed.log" template="testFormat")
> }
>
> My normalize.rb:
>
> rule=:%kerntime:word% Denied: %iptables:iptables%
>
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
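As an added example (not part of the thread, and not rsyslog or liblognorm code), the following Python reproduces offline the JSON shape that the poster's rulebase produces from a netfilter LOG line, so the property path a template needs can be checked without restarting rsyslog. The sample line is constructed from the keys in the posted all-json output; its trailing space is a deliberate guess at one thing that can produce the empty `""` key seen there. `property_value` only illustrates how a `$!a!b` path maps onto the parsed tree; it is not how rsyslog resolves properties internally.

```python
"""Reproduce the output shape of liblognorm's iptables field type in Python.

Added example, not from the thread and not rsyslog/liblognorm code. It
mimics the poster's rulebase

    rule=:%kerntime:word% Denied: %iptables:iptables%

closely enough to show which keys end up at the top level of $! and why a
template has to address them as $!SRC / $!DST.
"""
import json
import re

# Marker liblognorm uses for a flag token that carries no '=value' (see the
# posted all-json output: "DF": "[*PRESENT*]", "SYN": "[*PRESENT*]").
PRESENT = "[*PRESENT*]"

# Constructed sample line (assumption), modelled on the keys in the posted
# output. The trailing space is deliberate: it is one way to get the empty
# key "" that appears in the poster's JSON.
SAMPLE = ('[41349802.368044] Denied: IN=lo OUT= '
          'MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.0.0.10 DST=10.0.0.10 '
          'LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14558 DF PROTO=TCP SPT=47921 DPT=44444 '
          'WINDOW=32792 RES=0x00 SYN URGP=0 ')

# %kerntime:word% -> one non-blank run, then the literal " Denied: ", then
# the remainder for the iptables parser.
RULE = re.compile(r'^(?P<kerntime>\S+) Denied: (?P<iptables>.*)$')


def parse_iptables_fields(text, keep_empty_tokens=False):
    """Split 'K=V K=V FLAG ...' into a dict; flags without '=' become PRESENT.

    'OUT=' yields an empty string value. With keep_empty_tokens=True the
    empty token produced by a trailing or doubled space is kept as key "",
    reproducing the '"": "[*PRESENT*]"' entry from the posted output.
    """
    fields = {}
    for token in text.split(' '):
        if token == '' and not keep_empty_tokens:
            continue  # drop the empty token a trailing/double space produces
        key, sep, value = token.partition('=')
        fields[key] = value if sep else PRESENT
    return fields


def normalize(line, keep_empty_tokens=False):
    """Apply the rule to one line; None corresponds to parsesuccess != "OK"."""
    m = RULE.match(line)
    if not m:
        return None
    fields = parse_iptables_fields(m.group('iptables'), keep_empty_tokens)
    fields['kerntime'] = m.group('kerntime')  # sits at the same level as SRC/DST
    return fields


def property_value(tree, path):
    """Walk an rsyslog-style '$!a!b' path over the parsed dict.

    Illustrative only (not rsyslog's resolver). A missing key returns '',
    which is exactly what an empty template field looks like in the
    output file: 'src is  dst is '.
    """
    if not path.startswith('$!'):
        raise ValueError('expected a $! property path')
    node = tree
    for part in path[2:].split('!'):
        if not isinstance(node, dict) or part not in node:
            return ''
        node = node[part]
    return node if isinstance(node, str) else json.dumps(node)


if __name__ == '__main__':
    parsed = normalize(SAMPLE)
    print(json.dumps(parsed, indent=1))
    # The field is a top-level key, so the path is $!SRC, not $!iptables!SRC.
    print('src is', property_value(parsed, '$!SRC'),
          'dst is', property_value(parsed, '$!DST'))
    print('wrong path gives:', repr(property_value(parsed, '$!iptables!SRC')))
```

Run it as is to see the tree and the two lookups; feed it your own `Denied:` line to check a field name before putting `%$!NAME%` into a template. The rulebase names the field `iptables`, but the posted output shows the parser's keys at the top level of `$!`, so `$!SRC` is the path to try, and the wrong-path lookup shows what an empty template field looks like.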
