Switching to path=$!norm does move the values to what one would think is
the proper place, yet I still cannot use any permutation in a template.

Here is the full debug output showing the !norm is correct now.

$!:{ "norm": { "IN": "lo", "OUT": "", "MAC":
"00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
"127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
"62894", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34951", "DPT":
"45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
"0", "": "[*PRESENT*]", "kerntime": "[41463095.356057]" }, "testzzz":
"testvalueyyy" }
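The kernel line and the key/value layout shown in the debug output above, reproduced here as an added example in Python (not part of this thread, of rsyslog, or of mmnormalize): a small parser that turns a netfilter log line into the flat field set the rulebase produces, nests it under a `norm` key the way the `path` option does, and resolves a `$!norm!SRC`-style path against that tree. The sample line (constructed from the quoted message), the `Denied:` prefix handling and the `nest`/`lookup` helpers are assumptions; flag-only tokens such as `DF` and `SYN` get the same `[*PRESENT*]` marker as in the debug output, and the trailing space that produced the empty `""` key in the quoted output is dropped rather than turned into a field.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample, modelled on the kernel line quoted in the thread
# (note the trailing blank, which is what produced the "" key there).
SAMPLE = ("[41418450.088091] Denied: IN=lo OUT= "
          "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
          "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 "
          "WINDOW=32792 RES=0x00 SYN URGP=0 ")

PRESENT = "[*PRESENT*]"                      # marker used for flag-only tokens
KERNTIME_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*")   # leading "[seconds.micros]"


def normalize_iptables(msg: str, prefix: str = "Denied:") -> Dict[str, str]:
    """Parse a netfilter LOG line into the flat field set seen in the debug output.

    'prefix' is the --log-prefix the firewall rule used (assumed to be "Denied:").
    """
    fields: Dict[str, str] = {}
    m = KERNTIME_RE.match(msg)
    if m:
        fields["kerntime"] = "[" + m.group(1) + "]"   # keep the brackets, as the rulebase did
        msg = msg[m.end():]
    if prefix and msg.startswith(prefix):
        msg = msg[len(prefix):]
    # str.split() collapses runs of whitespace and ignores the trailing blank,
    # so no empty-named field is created.
    for tok in msg.split():
        if "=" in tok:
            key, value = tok.split("=", 1)       # "OUT=" yields an empty value
        else:
            key, value = tok, PRESENT            # "DF", "SYN": flag present, no value
        if key:
            fields[key] = value
    return fields


def nest(fields: Dict[str, str], path_name: str = "norm") -> Dict[str, Any]:
    """Mirror mmnormalize's path option: place the parsed fields under one subtree."""
    return {path_name: dict(fields)}


def lookup(tree: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a '!'-separated path such as '!norm!SRC' against the nested tree.

    Returns None when any component is missing, which is what an empty
    substitution in a template would correspond to.
    """
    node: Any = tree
    for part in path.split("!"):
        if part == "":
            continue                             # leading "!" from "$!"-style paths
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


if __name__ == "__main__":
    tree = nest(normalize_iptables(SAMPLE))
    print(tree)
    print("src is", lookup(tree, "!norm!SRC"))
```

Running the block prints the nested dictionary and `src is 127.0.0.1`; resolving a path that is not present (for example `!SRC` once the fields live under `norm`) returns `None`, which is the same symptom as the empty `src is` in the quoted `parsed.log` output.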

On Sat, Oct 25, 2014 at 9:36 PM, David Lang <[email protected]> wrote:

> silly thought, try $!src in case there is a capitalization oddity going on
> here.
>
> the path should have been $!norm not !norm, but I don't think that's your
> problem.
>
> The fact that setting testzzz put the variable where it does in the debug
> output also says that it should just be $!SRC
>
> David Lang
>
> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>
>> Date: Sat, 25 Oct 2014 20:08:07 -0700
>> From: Todd Mortensen <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] mmnormalize and iptables, help using the parsed
>> values
>>
>>
>> I have tested and can set and print a test variable. I tried %$!!SRC%, no
>> luck.
>>
>> I added a path to the mmnormalize call; it added an empty norm {} to $!,
>> but the mmnormalized items are not in it.
>>
>> *.* {action(type="mmnormalize" UseRawMsg="on" path="!norm"
>> ruleBase="/etc/rsyslog.d/normalize.rb")}
>> template(name="testFormat" type="string" string="src is %$!norm!SRC% and
>> test is %$!testzzz% \n")
>> if $parsesuccess == "OK" then{
>> action(type="omfile" file="/var/log/parsed.log" template="testFormat")
>> action(type="omfile" file="/var/log/parsed.debug.log"
>> template="RSYSLOG_DebugFormat")
>> }
>>
>>
>> parsed.log output
>> src is  and test is testvalueyyy
>>
>> parsed.debug.log output
>>
>> Debug line with all properties:
>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
>> PRI: 4,
>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>> '-', MSGID: '-',
>> TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
>> msg: '[41418450.088091] Denied: IN=lo OUT=
>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>> escaped msg: '[41418450.088091] Denied: IN=lo OUT=
>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>> inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT=
>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>> $!:{ "IN": "lo", "OUT": "", "MAC":
>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64",
>> "ID":
>> "18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607", "DPT":
>> "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
>> "0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]", "testzzz":
>> "testvalueyyy", "norm": { } }
>> $.:
>> $/:
>>
>> On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:
>>
>>> define a variable yourself and see what it looks like relative to the
>>> others
>>>
>>> set $!test = 'value';
>>>
>>> the % are only used in format statements, not in any tests
>>>
>>> I would expect that $!SRC would be right in a test and %$!SRC% in a
>>> format
>>> statement.
>>>
>>> try $!!SRC on the thought that there is a top level name being lost here.
>>> Or try specifying a path in the action to explicitly put them under
>>> something (say $!normalized which should result in $!normalized!SRC as
>>> the
>>> variable name)
>>>
>>> David Lang
>>>
>>>
>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>>>
>>>> Here is the output I get from the debug format, I have not been able to
>>>> find a way to represent the $! items individually though.
>>>>
>>>> I have tried %$!SRC%, %$!:SRC%, $!SRC, %$!{SRC}
>>>>
>>>>
>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
>>>> PRI: 4,
>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>>> '-', MSGID: '-',
>>>> TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
>>>> msg: '[41404150.744046] Denied: IN=lo OUT=
>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
>>>> DST=127.0.0.1
>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354
>>>> DPT=44444
>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>> escaped msg: '[41404150.744046] Denied: IN=lo OUT=
>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
>>>> DST=127.0.0.1
>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354
>>>> DPT=44444
>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>> inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT=
>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
>>>> DST=127.0.0.1
>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354
>>>> DPT=44444
>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>> $!:{ "IN": "lo", "OUT": "", "MAC":
>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64",
>>>> "ID":
>>>> "42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354", "DPT":
>>>> "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
>>>> "0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
>>>> $.:
>>>> $/:
>>>>
>>>>
>>>> On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]> wrote:
>>>>
>>>>> RSYSLOG_DebugFormat
>>>>>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
