silly thought, try $!src in case there is a capitalization oddity going on here.
the path should have been $!norm not !norm, but I don't think that's your
problem.
The fact that setting testzzz put the variable where it does in the debug output
also says that it should just be $!SRC
David Lang
On Sat, 25 Oct 2014, Todd Mortensen wrote:
Date: Sat, 25 Oct 2014 20:08:07 -0700
From: Todd Mortensen <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] mmnormalize and iptables, help using the parsed values
I have tested and can set and print a test variable. I tried %$!!SRC% no
luck.
I added a path to the mmnormalize call, it added an empty norm {} to $! but
the mmnormalized items are not in it.
*.* {action(type="mmnormalize" UseRawMsg="on" path="!norm"
ruleBase="/etc/rsyslog.d/normalize.rb")}
template(name="testFormat" type="string" string="src is %$!norm!SRC% and
test is %$!testzzz% \n")
if $parsesuccess == "OK" then{
action(type="omfile" file="/var/log/parsed.log" template="testFormat")
action(type="omfile" file="/var/log/parsed.debug.log"
template="RSYSLOG_DebugFormat")
}
parsed.log output
src is and test is testvalueyyy
parsed.debug.log output
Debug line with all properties:
FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
PRI: 4,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
msg: '[41418450.088091] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
WINDOW=32792 RES=0x00 SYN URGP=0 '
escaped msg: '[41418450.088091] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
WINDOW=32792 RES=0x00 SYN URGP=0 '
inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
WINDOW=32792 RES=0x00 SYN URGP=0 '
$!:{ "IN": "lo", "OUT": "", "MAC":
"00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
"127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
"18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607", "DPT":
"45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
"0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]", "testzzz":
"testvalueyyy", "norm": { } }
$.:
$/:
On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:
define a variable yourself and see what it looks like relative to the others
set $!test = 'value';
the % are only used in format statements, not in any tests
I would expect that $!SRC would be right in a test and %$!SRC% in a format
statement.
try $!!SRC on the thought that there is a top level name being lost here.
Or try specifying a path in the action to explicitly put them under
something (say $!normalized which should result in $!normalized!SRC as the
variable name)
David Lang
On Sat, 25 Oct 2014, Todd Mortensen wrote:
Here is the output I get from the debug format, I have not been able to
find a way to represent the $! items individually though.
I have tried, %$!SRC%, %$!:SRC%, $!SRC, %$!{SRC}
FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
PRI: 4,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
msg: '[41404150.744046] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
WINDOW=32792 RES=0x00 SYN URGP=0 '
escaped msg: '[41404150.744046] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
WINDOW=32792 RES=0x00 SYN URGP=0 '
inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
WINDOW=32792 RES=0x00 SYN URGP=0 '
$!:{ "IN": "lo", "OUT": "", "MAC":
"00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
"127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64",
"ID":
"42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354", "DPT":
"44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
"0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
$.:
$/:
On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]> wrote:
RSYSLOG_DebugFormat
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
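To make the variable-naming question in this thread concrete, here is an added Python example (not code from the thread, from rsyslog or from liblognorm). It emulates what the mmnormalize rulebase does with the quoted kernel line (KEY=VALUE tokens become fields, bare flags such as DF and SYN become "[*PRESENT*]"), emulates the mmnormalize path parameter by placing the fields either at the root of $! or under a subtree such as $!norm, and then expands %$!...% placeholders the way the string template does. The kernel lines are the one quoted in the thread plus a second constructed one; the `prefix` key, the path handling and the empty-string rendering of a missing variable are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed samples: the first is the "Denied:" line quoted in the thread,
# the second is made up with RFC 5737 documentation addresses.
SAMPLE_MSG = ("[41418450.088091] Denied: IN=lo OUT= "
              "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
              "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 "
              "WINDOW=32792 RES=0x00 SYN URGP=0 ")
SAMPLE_MSG2 = ("[41418451.000000] Denied: IN=eth0 OUT= "
               "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
               "LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=51000 DPT=22 "
               "WINDOW=1024 RES=0x00 SYN URGP=0 ")

PRESENT = "[*PRESENT*]"  # marker the debug output shows for flag-only tokens


def parse_iptables(msg):
    """Turn one kernel iptables line into a flat dict like the $! tree in the thread.

    'kerntime' mirrors the rulebase field; 'prefix' (the --log-prefix text before
    the first KEY=VALUE token) is this example's own addition.
    """
    fields = {}
    m = re.match(r'^(\[\d+\.\d+\])\s*(.*)$', msg)
    rest = msg
    if m:
        fields['kerntime'] = m.group(1)
        rest = m.group(2)
    prefix = []
    seen_kv = False
    for tok in rest.split():
        if '=' in tok:
            key, _, value = tok.partition('=')   # "OUT=" yields an empty value
            fields[key] = value
            seen_kv = True
        elif seen_kv:
            fields[tok] = PRESENT                # bare flags: DF, SYN, ACK ...
        else:
            prefix.append(tok)                   # log-prefix text such as "Denied:"
    if prefix:
        fields['prefix'] = ' '.join(prefix)
    return fields


def place_under(fields, path):
    """Emulate the mmnormalize path parameter (assumed semantics):
    '$!' merges the fields into the root, '$!norm' nests them under 'norm'."""
    key = path.lstrip('$!')
    if key == '':
        return dict(fields)
    return {key: dict(fields)}


def lookup(tree, var):
    """Resolve a RainerScript variable such as '$!norm!SRC' against the $! tree.
    A missing path renders as '' (assumed, matching the empty 'src is' in the thread)."""
    if not var.startswith('$!'):
        raise ValueError("only $! variables are supported here: %r" % var)
    node = tree
    for part in var[2:].split('!'):
        if part == '':
            continue
        if not isinstance(node, dict) or part not in node:
            return ''
        node = node[part]
    return node if isinstance(node, str) else ''


def render(template, tree):
    """Expand %$!...% placeholders like a type="string" template."""
    return re.sub(r'%(\$![^%]*)%', lambda m: lookup(tree, m.group(1)), template)


def denied_by_src(msgs):
    """Defender's view: count denied connection attempts per (SRC, DPT)."""
    counts = Counter()
    for msg in msgs:
        f = parse_iptables(msg)
        if f.get('prefix', '').startswith('Denied'):
            counts[(f.get('SRC'), f.get('DPT'))] += 1
    return counts


if __name__ == "__main__":
    fields = parse_iptables(SAMPLE_MSG)
    root = place_under(fields, '$!')        # fields at the root of $!
    nested = place_under(fields, '$!norm')  # fields under $!norm
    print(render("src is %$!SRC%", root))
    print(render("src is %$!norm!SRC%", nested))
    print(render("src is %$!SRC%", nested))   # empty: SRC lives under norm
    print(denied_by_src([SAMPLE_MSG, SAMPLE_MSG2, SAMPLE_MSG2]))
```

The third render call reproduces the symptom in the thread: once the parsed fields sit under a subtree, %$!SRC% resolves to nothing and the full path %$!norm!SRC% is needed.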