log the message with the format RSYSLOG_DebugFormat and it will show you the
contents of the variables.
On Sat, 25 Oct 2014, Todd Mortensen wrote:
Date: Sat, 25 Oct 2014 09:27:07 -0700
From: Todd Mortensen <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: [rsyslog] mmnormalize and iptables, help using the parsed values
I am at it again trying to parse out iptables log files with mmnormalize to
send all the fields to Elasticsearch.
The issue I am having is accessing the parsed values.
I can print out everything at once via %!all-json%, but I cannot seem to
access the parsed variables like DST or SRC. I am trying to use %!DST% in
my template per the documentation, but I get no output for these.
I have also tried to run rsyslog in debug mode to see how mmnormalize is
parsing, but that does not seem to be in the debug output.
Here is the sample log output:

{ "IN": "lo", "OUT": "", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00",
  "SRC": "10.0.0.10", "DST": "10.0.0.10", "LEN": "60", "TOS": "0x10",
  "PREC": "0x00", "TTL": "64", "ID": "14558", "DF": "[*PRESENT*]",
  "PROTO": "TCP", "SPT": "47921", "DPT": "44444", "WINDOW": "32792",
  "RES": "0x00", "SYN": "[*PRESENT*]", "URGP": "0", "": "[*PRESENT*]",
  "kerntime": "[41349802.368044]" } src is dst is $!
My rsyslog.conf:

module(load="impstats" interval="3600" severity="7")
module(load="imuxsock" SysSock.Annotate="off")
module(load="imklog")
module(load="imfile" pollingInterval="10")
module(load="mmnormalize")
module(load="omelasticsearch")

# normalize every message; parsed fields end up under $! and $parsesuccess is set
*.* { action(type="mmnormalize" UseRawMsg="on" ruleBase="/etc/rsyslog.d/normalize.rb") }

template(name="testFormat" type="string"
         string="%$!all-json% src is %$!SRC% dst is %$!DST% $! \n")

if $parsesuccess == "OK" then {
    action(type="omfile" file="/var/log/parsed.log" template="testFormat")
}
My normalize.rb:

rule=:%kerntime:word% Denied: %iptables:iptables%
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
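As an added illustration of the reply above (this is not configuration from the original post or from the rsyslog project; the rulebase path, the output file names and the assumption that the parsed fields are named SRC, DST, PROTO and DPT as in the poster's %$!all-json% output are all assumed here), a minimal rsyslog.conf fragment that writes every normalized message out with the built-in RSYSLOG_DebugFormat template, next to a string template that pulls individual fields out once their names are confirmed:

```conf
# Added example, not the poster's config. Assumes the rulebase from the post
# and that mmnormalize produced top-level fields SRC, DST, PROTO and DPT.
module(load="imklog")
module(load="mmnormalize")

# Run the normalizer on every message; parsed fields land under $! and
# $parsesuccess is set to "OK" when a rule matched.
action(type="mmnormalize" useRawMsg="on" ruleBase="/etc/rsyslog.d/normalize.rb")

# Debug dump: RSYSLOG_DebugFormat is a reserved built-in template that prints
# the message properties and the $! variable tree as JSON, so you can see
# exactly how mmnormalize named each field before referencing it in a template.
# Intended for troubleshooting only, not for a production output.
action(type="omfile" file="/var/log/rsyslog-debug.log" template="RSYSLOG_DebugFormat")

# Once the field names are confirmed, pick them out individually.
template(name="ipfields" type="string"
         string="%timereported% src=%$!SRC% dst=%$!DST% proto=%$!PROTO% dpt=%$!DPT%\n")

if $parsesuccess == "OK" then {
    action(type="omfile" file="/var/log/parsed.log" template="ipfields")
}
```

The rulebase itself can also be checked without restarting rsyslog: liblognorm ships a command-line tool, so `lognormalizer -r /etc/rsyslog.d/normalize.rb -e json < sample.txt` (assuming the tool is installed and sample.txt holds a few raw log lines) prints the JSON each line normalizes to, which tells you the exact key names to use as `$!name` in a template.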