silly thought, try $!src in case there is a capitalization oddity going on here.

the path should hvae been $!norm not !norm, but I don't think that's your problem.

The fact that setting testzzz put the variable where it does in the debug output also says that it should just be $!SRC

David Lang

On Sat, 25 Oct 2014, Todd Mortensen wrote:

Date: Sat, 25 Oct 2014 20:08:07 -0700
From: Todd Mortensen <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] mmnormalize and iptables, help using the parsed values

I have tested and can set and print a test variable.   I tried %$!!SRC% no
luck.

I added a path to the mmnormalize call, it added an empty norm {} to $! but
the mmnormalized items are not in it.

*.* {action(type="mmnormalize" UseRawMsg="on" path="!norm"
ruleBase="/etc/rsyslog.d/normalize.rb")}
template(name="testFormat" type="string" string="src is %$!norm!SRC% and
test is %$!testzzz% \n")
if $parsesuccess == "OK" then{
action(type="omfile" file="/var/log/parsed.log" template="testFormat")
action(type="omfile" file="/var/log/parsed.debug.log"
template="RSYSLOG_DebugFormat")
}


parsed.log output
src is  and test is testvalueyyy

parsed.debug.log outout

Debug line with all properties:
FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
PRI: 4,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
msg: '[41418450.088091] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
WINDOW=32792 RES=0x00 SYN URGP=0 '
escaped msg: '[41418450.088091] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
WINDOW=32792 RES=0x00 SYN URGP=0 '
inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
WINDOW=32792 RES=0x00 SYN URGP=0 '
$!:{ "IN": "lo", "OUT": "", "MAC":
"00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
"127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
"18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607", "DPT":
"45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
"0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]", "testzzz":
"testvalueyyy", "norm": { } }
$.:
$/:

On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:

define a variable roursel and see what it looks like relative to the others

set $!test = 'value';

the % are only used in format statements, not in amy tests

I would expect that $!SRC would be right in a test and %$!SRC% in a format
statement.

try $!!SRC on the thought that there is a top level name being lost here.
Or try specifying a path in the action to explicitly put them under
something (say $!normalized which should result in $!normalized!SRC as the
variable name)

David Lang


On Sat, 25 Oct 2014, Todd Mortensen wrote:

 Here is the output I get from the debug format,  I have not been able to
find a way to represent the $! items individually though.

I have tried,  %$!SRC%, %$!:SRC%, $!SRC,  %$!{SRC}


FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
PRI: 4,
syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
'-', MSGID: '-',
TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
msg: '[41404150.744046] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
WINDOW=32792 RES=0x00 SYN URGP=0 '
escaped msg: '[41404150.744046] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
WINDOW=32792 RES=0x00 SYN URGP=0 '
inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
WINDOW=32792 RES=0x00 SYN URGP=0 '
$!:{ "IN": "lo", "OUT": "", "MAC":
"00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
"127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64",
"ID":
"42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354", "DPT":
"44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
"0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
$.:
$/:


On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]> wrote:

 RSYSLOG_DebugFormat

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.

 _______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to