Log the message with the format RSYSLOG_DebugFormat and it will show you the contents of the variables.
On Sat, 25 Oct 2014, Todd Mortensen wrote:

Date: Sat, 25 Oct 2014 09:27:07 -0700
From: Todd Mortensen <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: [rsyslog] mmnormalize and iptables, help using the parsed values

I am at it again trying to parse out iptable log files with mmnormalize to
send all the fields to elasticsearch.

The issue I am having is accessing the parsed values.

I can print out everything at once via %!all-json%, but I cannot seem to
access the parsed variables like DST or SRC. I am trying to use %!DST% in
my template per the documentation, but I get no output for these.

I have also tried running rsyslog in debug mode to see how mmnormalize is
parsing, but that does not seem to be in the debug output.

Here is the sample log output:

{ "IN": "lo", "OUT": "", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00",
  "SRC": "10.0.0.10", "DST": "10.0.0.10", "LEN": "60", "TOS": "0x10",
  "PREC": "0x00", "TTL": "64", "ID": "14558", "DF": "[*PRESENT*]",
  "PROTO": "TCP", "SPT": "47921", "DPT": "44444", "WINDOW": "32792",
  "RES": "0x00", "SYN": "[*PRESENT*]", "URGP": "0", "": "[*PRESENT*]",
  "kerntime": "[41349802.368044]" } src is  dst is  $!

My rsyslog.conf:

module(load="impstats" interval="3600" severity="7")
module(load="imuxsock" SysSock.Annotate="off")
module(load="imklog")
module(load="imfile" pollingInterval="10")
module(load="mmnormalize")
# load omelasticsearch once, with the same module() syntax as the loads above
module(load="omelasticsearch")

# run every message through mmnormalize using the rulebase below
*.* {action(type="mmnormalize" UseRawMsg="on"
ruleBase="/etc/rsyslog.d/normalize.rb")}


# the trailing "$!" inside the string is literal text, not a property reference
template(name="testFormat" type="string"
         string="%$!all-json% src is %$!SRC% dst is %$!DST% $! \n")

if $parsesuccess == "OK" then{
action(type="omfile" file="/var/log/parsed.log" template="testFormat")
}

My normalize.rb:
rule=:%kerntime:word% Denied: %iptables:iptables%
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

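Added example, not code from the post above and not part of rsyslog or liblognorm: a small Python parser for the same iptables LOG lines, so the SRC/DST lookup can be checked outside rsyslog and the document that would go to Elasticsearch can be inspected. The input line is constructed to match the posted rulebase (the "Denied:" log prefix and the kernel timestamp as the first word are assumptions taken from that rulebase), and the field names and the "[*PRESENT*]" marker for flag-only tokens mirror the posted output.

```python
"""Parse iptables LOG lines into the same field layout as the posted output.

Added example, not code from the original post, rsyslog or liblognorm.
SAMPLE_LINE is constructed; the "Denied:" prefix and the bracketed kernel
timestamp are assumptions based on the poster's rulebase
(rule=:%kerntime:word% Denied: %iptables:iptables%).
"""
import ipaddress
import json
import re

PRESENT = "[*PRESENT*]"   # marker used in the posted output for flag-only tokens
KERNTIME_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*")

# constructed input; the trailing space is deliberate (see parse_iptables_line)
SAMPLE_LINE = (
    "[41349802.368044] Denied: IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.0.0.10 DST=10.0.0.10 "
    "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14558 DF PROTO=TCP SPT=47921 DPT=44444 "
    "WINDOW=32792 RES=0x00 SYN URGP=0 "
)


def parse_iptables_line(line, prefix="Denied:"):
    """Return a dict with 'kerntime' plus one key per iptables field, or None
    if the line does not carry the expected prefix.

    NAME=VALUE tokens become name/value pairs (an empty value such as OUT=
    stays an empty string); bare tokens such as DF or SYN are flags and get
    the PRESENT marker. Empty tokens produced by doubled or trailing spaces
    are skipped, so they can never turn into an empty-string key.
    """
    fields = {}
    rest = line
    m = KERNTIME_RE.match(line)
    if m:
        fields["kerntime"] = "[" + m.group(1) + "]"   # kept bracketed, as posted
        rest = line[m.end():]
    if prefix:
        if not rest.startswith(prefix):
            return None   # not a line this rule would match
        rest = rest[len(prefix):]
    for tok in rest.split(" "):
        if not tok:
            continue
        name, sep, value = tok.partition("=")
        fields[name] = value if sep else PRESENT
    return fields


def to_es_document(fields):
    """Build the document to index: the raw fields as parsed, plus typed copies
    of the addresses and numeric fields that are useful for range and CIDR
    queries, and a list of the flags that were present."""
    doc = dict(fields)
    for key in ("SRC", "DST"):
        if key in fields:
            # ipaddress raises ValueError on garbage, which is what we want
            doc[key.lower() + "_ip"] = str(ipaddress.ip_address(fields[key]))
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if key in fields and fields[key].isdigit():
            doc[key.lower()] = int(fields[key])
    doc["flags"] = sorted(k for k, v in fields.items() if v == PRESENT)
    return doc


if __name__ == "__main__":
    parsed = parse_iptables_line(SAMPLE_LINE)
    print("src is", parsed["SRC"], "dst is", parsed["DST"])
    print(json.dumps(to_es_document(parsed), indent=2))
```

Running the block prints the SRC/DST values followed by the document; the names of the fields in the dict are exactly the keys shown in the posted all-json output, so the same lookups (SRC, DST, DPT) can be compared against what the rsyslog template produces.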