Can you create a debug log?
Sent from phone, thus brief.
On 26.10.2014 16:27, "Todd Mortensen" <[email protected]> wrote:
> Switching to path=$!norm does move the values to what one would think is
> the proper place, yet I still can not use any permutation in a template.
>
> Here is the full debug output showing the !norm is correct now.
>
> $!:{ "norm": { "IN": "lo", "OUT": "", "MAC":
> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
> "62894", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34951", "DPT":
> "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
> "0", "": "[*PRESENT*]", "kerntime": "[41463095.356057]" }, "testzzz":
> "testvalueyyy" }
>
> On Sat, Oct 25, 2014 at 9:36 PM, David Lang <[email protected]> wrote:
>
> > silly thought, try $!src in case there is a capitalization oddity going on
> > here.
> >
> > the path should have been $!norm not !norm, but I don't think that's your
> > problem.
> >
> > The fact that setting testzzz put the variable where it does in the debug
> > output also says that it should just be $!SRC
> >
> > David Lang
> >
> > On Sat, 25 Oct 2014, Todd Mortensen wrote:
> >
> >> Date: Sat, 25 Oct 2014 20:08:07 -0700
> >> From: Todd Mortensen <[email protected]>
> >> Reply-To: rsyslog-users <[email protected]>
> >> To: rsyslog-users <[email protected]>
> >> Subject: Re: [rsyslog] mmnormalize and iptables, help using the parsed
> >> values
> >>
> >>
> >> I have tested and can set and print a test variable. I tried %$!!SRC%, no
> >> luck.
> >>
> >> I added a path to the mmnormalize call, it added an empty norm {} to $!
> >> but the mmnormalized items are not in it.
> >>
> >> *.* {action(type="mmnormalize" UseRawMsg="on" path="!norm"
> >> ruleBase="/etc/rsyslog.d/normalize.rb")}
> >> template(name="testFormat" type="string" string="src is %$!norm!SRC% and
> >> test is %$!testzzz% \n")
> >> if $parsesuccess == "OK" then{
> >> action(type="omfile" file="/var/log/parsed.log" template="testFormat")
> >> action(type="omfile" file="/var/log/parsed.debug.log"
> >> template="RSYSLOG_DebugFormat")
> >> }
> >>
> >>
> >> parsed.log output
> >> src is and test is testvalueyyy
> >>
> >> parsed.debug.log output
> >>
> >> Debug line with all properties:
> >> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
> >> PRI: 4,
> >> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
> >> '-', MSGID: '-',
> >> TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
> >> msg: '[41418450.088091] Denied: IN=lo OUT=
> >> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
> >> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >> escaped msg: '[41418450.088091] Denied: IN=lo OUT=
> >> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
> >> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >> inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT=
> >> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
> >> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >> $!:{ "IN": "lo", "OUT": "", "MAC":
> >> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
> >> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
> >> "18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607", "DPT":
> >> "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
> >> "0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]", "testzzz":
> >> "testvalueyyy", "norm": { } }
> >> $.:
> >> $/:
> >>
> >> On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:
> >>
> >>> define a variable yourself and see what it looks like relative to the
> >>> others
> >>>
> >>> set $!test = 'value';
> >>>
> >>> the % are only used in format statements, not in any tests
> >>>
> >>> I would expect that $!SRC would be right in a test and %$!SRC% in a
> >>> format
> >>> statement.
> >>>
> >>> try $!!SRC on the thought that there is a top level name being lost here.
> >>> Or try specifying a path in the action to explicitly put them under
> >>> something (say $!normalized which should result in $!normalized!SRC as
> >>> the
> >>> variable name)
> >>>
> >>> David Lang
> >>>
> >>>
> >>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
> >>>
> >>>> Here is the output I get from the debug format, I have not been able to
> >>>> find a way to represent the $! items individually though.
> >>>>
> >>>> I have tried, %$!SRC%, %$!:SRC%, $!SRC, %$!{SRC}
> >>>>
> >>>>
> >>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
> >>>> PRI: 4,
> >>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
> >>>> '-', MSGID: '-',
> >>>> TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
> >>>> msg: '[41404150.744046] Denied: IN=lo OUT=
> >>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
> >>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >>>> escaped msg: '[41404150.744046] Denied: IN=lo OUT=
> >>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
> >>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >>>> inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT=
> >>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
> >>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >>>> $!:{ "IN": "lo", "OUT": "", "MAC":
> >>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
> >>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
> >>>> "42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354", "DPT":
> >>>> "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
> >>>> "0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
> >>>> $.:
> >>>> $/:
> >>>>
> >>>>
> >>>> On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]> wrote:
> >>>>
> >>>>> RSYSLOG_DebugFormat
> >>>>>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
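The thread turns on two things: what liblognorm actually extracts from an iptables kernel line (bare tokens such as DF and SYN become "[*PRESENT*]" flags, and the trailing blank yields an empty-named field), and why %$!SRC% prints nothing once the fields sit under $!norm. This added example, not code from the thread or the rsyslog project, approximates that parse in Python and resolves $!-style names against the resulting tree; the "prefix" field, the kerntime shape, and the rule that an unknown name renders as an empty string are my assumptions modelled on the debug output quoted above.

```python
import json
import re

PRESENT = "[*PRESENT*]"  # marker the thread's debug output shows for bare flags
KERNTIME_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")

# Constructed sample, modelled on the kernel line quoted in the thread.
SAMPLE = ("[41418450.088091] Denied: IN=lo OUT= "
          "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
          "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 "
          "WINDOW=32792 RES=0x00 SYN URGP=0 ")

def parse_iptables(msg):
    """Flat dict of KEY=value pairs; bare tokens such as DF and SYN become flags."""
    fields = {}
    m = KERNTIME_RE.match(msg)
    if m:
        fields["kerntime"] = "[%s]" % m.group(1)  # same shape as the thread's JSON
        msg = m.group(2)
    # str.split() drops the trailing blank that gave the thread's rulebase an
    # empty-named "" flag, so that oddity does not reappear here.
    body = msg.split()
    start = next((i for i, t in enumerate(body) if "=" in t), len(body))
    if start:
        # --log-prefix text ("Denied:"); my own field, the thread's output lacks it
        fields["prefix"] = " ".join(body[:start])
    for tok in body[start:]:
        key, eq, val = tok.partition("=")
        fields[key] = val if eq else PRESENT  # "OUT=" keeps an empty string
    return fields

def normalize(msg, path="norm"):
    """Mimic mmnormalize with path="$!norm": the parsed fields sit under $!norm."""
    return {path: parse_iptables(msg)}

def prop(tree, name):
    """Resolve an rsyslog-style name such as "$!norm!SRC" against the $! tree.
    An unknown name yields "", which is what the thread's parsed.log shows for
    %$!norm!SRC% while norm was still empty; a subtree renders as JSON (assumed)."""
    node = tree
    for part in name.lstrip("$!").split("!"):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return node if isinstance(node, str) else json.dumps(node)

if __name__ == "__main__":
    tree = normalize(SAMPLE)
    tree["testzzz"] = "testvalueyyy"  # the thread's set $!testzzz test variable
    print("src is %s and test is %s" % (prop(tree, "$!norm!SRC"), prop(tree, "$!testzzz")))
```

Running it prints the line the thread's testFormat template was meant to produce, and prop(tree, "$!SRC") returns "" because nothing lives at the top level after the path moved the fields under norm.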