I forgot to mention the version I am using: the Adiscon PPA rsyslog 8.4.2-0adiscon1precise1.
On Sat, Oct 25, 2014 at 9:27 AM, Todd Mortensen <[email protected]> wrote:
> I am at it again trying to parse out iptable log files with mmnormalize to
> send all the fields to elasticsearch.
>
> The issue I am having is accessing the parsed values.
>
> I can print out everything at once via %!all-json% but I cannot seem to
> access the parsed variables like DST or SRC, I am trying to use %!DST% in
> my template per the documentation but I get no output to these.
>
> I have also tried to run rsyslog in debug mode to see how mmnormalize is
> parsing but that does not seem to be in the debug output.
>
> Here is the sample log output
>
> { "IN": "lo", "OUT": "", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "10.0.0.10", "DST": "10.0.0.10", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID": "14558", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "47921", "DPT": "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP": "0", "": "[*PRESENT*]", "kerntime": "[41349802.368044]" } src is dst is $!
>
> My rsyslog.conf
>
> module(load="impstats" interval="3600" severity="7")
> module(load="imuxsock" SysSock.Annotate="off")
> module(load="imklog")
> module(load="imfile" pollingInterval="10")
> module(load="mmnormalize")
> $ModLoad omelasticsearch.so
>
> *.* {action(type="mmnormalize" UseRawMsg="on" ruleBase="/etc/rsyslog.d/normalize.rb")}
>
> $ModLoad omelasticsearch.so
>
> template(name="testFormat" type="string" string="%$!all-json% src is %$!SRC% dst is %$!DST% $! \n")
>
> if $parsesuccess == "OK" then {
>     action(type="omfile" file="/var/log/parsed.log" template="testFormat")
> }
>
> my normalize.rb
> rule=:%kerntime:word% Denied: %iptables:iptables%
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
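An added example, not part of the thread or of rsyslog/liblognorm: a small Python stand-in for what the `rule=:%kerntime:word% Denied: %iptables:iptables%` rule produces from a kernel iptables line, so the flat field set (SRC, DST, value-less flags recorded as `[*PRESENT*]`, the bracketed kerntime) can be inspected outside rsyslog before indexing it. It also converts the fields into a typed document for Elasticsearch, since counters and flags stored as strings are awkward to query. The sample line is constructed to match the JSON quoted above; the function names and the sets of integer and flag fields are my own assumptions, not liblognorm's.

```python
import json
import re

# Marker liblognorm's iptables parser emits for flags that carry no value (DF, SYN, ...)
PRESENT = "[*PRESENT*]"

# Constructed sample kernel line; shaped to reproduce the JSON quoted in the thread
SAMPLE_LINE = (
    "[41349802.368044] Denied: IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.0.0.10 DST=10.0.0.10 "
    "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14558 DF PROTO=TCP SPT=47921 DPT=44444 "
    "WINDOW=32792 RES=0x00 SYN URGP=0"
)

# Mirrors the rule: one word for kerntime, the literal "Denied:", then the iptables fields
LINE_RE = re.compile(r"^(?P<kerntime>\S+) Denied: (?P<iptables>.*)$")

# Assumed typing for Elasticsearch (my choice, not a liblognorm or rsyslog feature)
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}
FLAG_FIELDS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_iptables_fields(text):
    """Split 'KEY=VALUE' tokens into a flat dict; bare tokens become PRESENT flags."""
    fields = {}
    for token in text.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value          # "OUT=" yields an empty string, as in the thread
        else:
            fields[token] = PRESENT      # e.g. DF, SYN
    return fields


def normalize(line):
    """Return the flat field dict for a matching line, or None when the rule does not match."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    fields = parse_iptables_fields(match.group("iptables"))
    fields["kerntime"] = match.group("kerntime")
    return fields


def to_es_document(fields):
    """Type the flat fields: counters to int, TCP flags to bool, everything else kept as text."""
    doc = {}
    for key, value in fields.items():
        if key in INT_FIELDS and value.isdigit():
            doc[key] = int(value)
        elif key in FLAG_FIELDS:
            doc[key] = value == PRESENT
        else:
            doc[key] = value
    # Flags absent from the line are recorded as False so queries on them are unambiguous
    for flag in FLAG_FIELDS - fields.keys():
        doc[flag] = False
    return doc


if __name__ == "__main__":
    parsed = normalize(SAMPLE_LINE)
    print(json.dumps(parsed, sort_keys=True))
    print(json.dumps(to_es_document(parsed), sort_keys=True))
```

Running it prints the same flat key set as the `%$!all-json%` output in the thread (minus the empty-string key, which `str.split()` cannot produce), which is a quick way to confirm which names a template should be addressing before wiring omelasticsearch to it.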

