Yeah that is what I was looking for. On the phone though I do not see access to SRC...

Sent from phone, thus brief.
On 26.10.2014 16:51, "Todd Mortensen" <[email protected]> wrote:

> Sure, the lines I have been posting so far are from the RSYSLOG_DebugFormat output. Are you looking for the output from these options?
>
> $DebugFile /var/log/rsyslog.debug.log
> $DebugLevel 2
>
> I have attached a full run from start to stop with a telnet test to generate the iptables line. I telnet to port 45678 so that is what I search for.
>
> On 10/26/2014 08:32 AM, Rainer Gerhards wrote:
>
>> Can you create a debug log?
>>
>> Sent from phone, thus brief.
>> On 26.10.2014 16:27, "Todd Mortensen" <[email protected]> wrote:
>>
>>> Switching to path=$!norm does move the values to what one would think is the proper place, yet I still can not use any permutation in a template.
>>>
>>> Here is the full debug output showing the !norm is correct now.
>>>
>>> $!:{ "norm": { "IN": "lo", "OUT": "", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST": "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID": "62894", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34951", "DPT": "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP": "0", "": "[*PRESENT*]", "kerntime": "[41463095.356057]" }, "testzzz": "testvalueyyy" }
>>>
>>> On Sat, Oct 25, 2014 at 9:36 PM, David Lang <[email protected]> wrote:
>>>
>>>> silly thought, try $!src in case there is a capitalization oddity going on here.
>>>>
>>>> the path should have been $!norm not !norm, but I don't think that's your problem.
>>>>
>>>> The fact that setting testzzz put the variable where it does in the debug output also says that it should just be $!SRC
>>>>
>>>> David Lang
>>>>
>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>>>>
>>>>> Date: Sat, 25 Oct 2014 20:08:07 -0700
>>>>> From: Todd Mortensen <[email protected]>
>>>>> Reply-To: rsyslog-users <[email protected]>
>>>>> To: rsyslog-users <[email protected]>
>>>>> Subject: Re: [rsyslog] mmnormalize and iptables, help using the parsed values
>>>>>
>>>>> I have tested and can set and print a test variable. I tried %$!!SRC%, no luck.
>>>>>
>>>>> I added a path to the mmnormalize call, it added an empty norm {} to $! but the mmnormalized items are not in it.
>>>>>
>>>>> *.* {action(type="mmnormalize" UseRawMsg="on" path="!norm" ruleBase="/etc/rsyslog.d/normalize.rb")}
>>>>> template(name="testFormat" type="string" string="src is %$!norm!SRC% and test is %$!testzzz% \n")
>>>>> if $parsesuccess == "OK" then{
>>>>> action(type="omfile" file="/var/log/parsed.log" template="testFormat")
>>>>> action(type="omfile" file="/var/log/parsed.debug.log" template="RSYSLOG_DebugFormat")
>>>>> }
>>>>>
>>>>> parsed.log output
>>>>> src is and test is testvalueyyy
>>>>>
>>>>> parsed.debug.log output
>>>>>
>>>>> Debug line with all properties:
>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost', PRI: 4,
>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
>>>>> TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
>>>>> msg: '[41418450.088091] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>> escaped msg: '[41418450.088091] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>> inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>> $!:{ "IN": "lo", "OUT": "", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST": "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID": "18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607", "DPT": "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP": "0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]", "testzzz": "testvalueyyy", "norm": { } }
>>>>> $.:
>>>>> $/:
>>>>>
>>>>> On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:
>>>>>
>>>>>> define a variable yourself and see what it looks like relative to the others
>>>>>>
>>>>>> set $!test = 'value';
>>>>>>
>>>>>> the % are only used in format statements, not in any tests
>>>>>>
>>>>>> I would expect that $!SRC would be right in a test and %$!SRC% in a format statement.
>>>>>>
>>>>>> try $!!SRC on the thought that there is a top level name being lost here.
>>>>>>
>>>>>> Or try specifying a path in the action to explicitly put them under something (say $!normalized which should result in $!normalized!SRC as the variable name)
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>>>>>>
>>>>>>> Here is the output I get from the debug format, I have not been able to find a way to represent the $! items individually though.
>>>>>>>
>>>>>>> I have tried, %$!SRC%, %$!:SRC%, $!SRC, %$!{SRC}
>>>>>>>
>>>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost', PRI: 4,
>>>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
>>>>>>> TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
>>>>>>> msg: '[41404150.744046] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444 WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>> escaped msg: '[41404150.744046] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444 WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>> inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444 WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>> $!:{ "IN": "lo", "OUT": "", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST": "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID": "42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354", "DPT": "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP": "0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
>>>>>>> $.:
>>>>>>> $/:
>>>>>>>
>>>>>>> On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]> wrote:
>>>>>>>
>>>>>>>> RSYSLOG_DebugFormat
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> rsyslog mailing list
>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
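As an added illustration (not code from the thread, from rsyslog or from liblognorm), here is a small Python parser that builds the same field tree the debug dumps above show for an iptables kernel line: KEY=VALUE tokens become fields, bare flags such as DF and SYN become "[*PRESENT*]", and the trailing space on the message is what produces the odd "": "[*PRESENT*]" entry. The sample line is constructed from the one quoted in the thread; the function names are my own.

```python
import re

# Constructed sample, modelled on the kernel line quoted in the thread.
# Note the trailing space before the closing quote, exactly as in the dump.
SAMPLE = ("[41418450.088091] Denied: IN=lo OUT= "
          "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 "
          "DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF "
          "PROTO=TCP SPT=34607 DPT=45678 WINDOW=32792 RES=0x00 SYN URGP=0 ")

PRESENT = "[*PRESENT*]"  # marker used for a flag token that carries no value
KERNTIME = re.compile(r"^\[(\s*\d+\.\d+)\]\s*(.*)$")


def parse_iptables(line, strip_trailing=True):
    """Turn a netfilter log line into a dict shaped like the $! tree above.

    KEY=VALUE tokens map to KEY: VALUE (so OUT= yields an empty string).
    Bare tokens such as DF or SYN map to KEY: "[*PRESENT*]".
    With strip_trailing=False the trailing space is parsed as an empty
    token, reproducing the "": "[*PRESENT*]" entry seen in the debug dump.
    """
    fields = {}
    m = KERNTIME.match(line)
    if m:
        fields["kerntime"] = "[" + m.group(1) + "]"
        line = m.group(2)
    # Skip the free-text prefix ("Denied:") up to the first KEY= token.
    idx = line.find("=")
    start = line.rfind(" ", 0, idx) + 1 if idx > 0 else 0
    body = line[start:]
    if strip_trailing:
        body = body.rstrip()
    for tok in body.split(" "):
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        else:
            fields[tok] = PRESENT
    return fields


def matches_port(fields, dpt):
    """True when the parsed line is for the given destination port."""
    return fields.get("DPT") == str(dpt)
```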

