Yeah that is what I was looking for. On the phone though I do not see
access to SRC...

Sent from phone, thus brief.
On 26.10.2014 16:51 "Todd Mortensen" <[email protected]> wrote:

> Sure,  the lines I have been posting so far are from the
> RSYSLOG_DebugFormat output.   Are you looking for the output from these
> options ?
>
> $DebugFile /var/log/rsyslog.debug.log
> $DebugLevel 2
>
> I have attached a full run from start to stop with a telnet test to
> generate the iptables line.   I telnet to port 45678 so that is what I
> search for.
>
> On 10/26/2014 08:32 AM, Rainer Gerhards wrote:
>
>> Can you create a debug log?
>>
>> Sent from phone, thus brief.
>> On 26.10.2014 16:27 "Todd Mortensen" <[email protected]> wrote:
>>
>>> Switching to path=$!norm does move the values to what one would think is
>>> the proper place, yet I still can not use any permutation in a
>>> template.
>>>
>>> Here is the full debug output showing the !norm is correct now.
>>>
>>> $!:{ "norm": { "IN": "lo", "OUT": "", "MAC":
>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64",
>>> "ID":
>>> "62894", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34951", "DPT":
>>> "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
>>> "0", "": "[*PRESENT*]", "kerntime": "[41463095.356057]" }, "testzzz":
>>> "testvalueyyy" }
>>>
>>> On Sat, Oct 25, 2014 at 9:36 PM, David Lang <[email protected]> wrote:
>>>
>>>> silly thought, try $!src in case there is a capitalization oddity going
>>>> on here.
>>>>
>>>> the path should have been $!norm not !norm, but I don't think that's
>>>> your problem.
>>>>
>>>> The fact that setting testzzz put the variable where it does in the
>>>> debug output also says that it should just be $!SRC
>>>>
>>>> David Lang
>>>>
>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>>>>
>>>>> Date: Sat, 25 Oct 2014 20:08:07 -0700
>>>>> From: Todd Mortensen <[email protected]>
>>>>> Reply-To: rsyslog-users <[email protected]>
>>>>> To: rsyslog-users <[email protected]>
>>>>> Subject: Re: [rsyslog] mmnormalize and iptables, help using the parsed
>>>>> values
>>>>>
>>>>>
>>>>> I have tested and can set and print a test variable. I tried %$!!SRC%,
>>>>> no luck.
>>>>>
>>>>> I added a path to the mmnormalize call, it added an empty norm {} to $!
>>>>> but the mmnormalized items are not in it.
>>>>>
>>>>> *.* {action(type="mmnormalize" UseRawMsg="on" path="!norm"
>>>>>      ruleBase="/etc/rsyslog.d/normalize.rb")}
>>>>> template(name="testFormat" type="string"
>>>>>          string="src is %$!norm!SRC% and test is %$!testzzz% \n")
>>>>> if $parsesuccess == "OK" then {
>>>>>   action(type="omfile" file="/var/log/parsed.log" template="testFormat")
>>>>>   action(type="omfile" file="/var/log/parsed.debug.log"
>>>>>          template="RSYSLOG_DebugFormat")
>>>>> }
>>>>>
>>>>>
>>>>> parsed.log output
>>>>> src is  and test is testvalueyyy
>>>>>
>>>>> parsed.debug.log output
>>>>>
>>>>> Debug line with all properties:
>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
>>>>> PRI: 4,
>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>>>> '-', MSGID: '-',
>>>>> TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
>>>>> msg: '[41418450.088091] Denied: IN=lo OUT=
>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>> escaped msg: '[41418450.088091] Denied: IN=lo OUT=
>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>> inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT=
>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>> $!:{ "IN": "lo", "OUT": "", "MAC":
>>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
>>>>> "18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607", "DPT":
>>>>> "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
>>>>> "0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]", "testzzz":
>>>>> "testvalueyyy", "norm": { } }
>>>>> $.:
>>>>> $/:
>>>>>
>>>>> On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:
>>>>>
>>>>>> define a variable yourself and see what it looks like relative to the
>>>>>> others
>>>>>>
>>>>>> set $!test = 'value';
>>>>>>
>>>>>> the % are only used in format statements, not in any tests
>>>>>>
>>>>>> I would expect that $!SRC would be right in a test and %$!SRC% in a
>>>>>> format statement.
>>>>>>
>>>>>> try $!!SRC on the thought that there is a top level name being lost
>>>>>> here.
>>>>>>
>>>>>> Or try specifying a path in the action to explicitly put them under
>>>>>> something (say $!normalized which should result in $!normalized!SRC as
>>>>>> the variable name)
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>>
>>>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>>>>>>
>>>>>>> Here is the output I get from the debug format, I have not been
>>>>>>> able to find a way to represent the $! items individually though.
>>>>>>>
>>>>>>> I have tried,  %$!SRC%, %$!:SRC%, $!SRC,  %$!{SRC}
>>>>>>>
>>>>>>>
>>>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
>>>>>>> PRI: 4,
>>>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>>>>>> '-', MSGID: '-',
>>>>>>> TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
>>>>>>> msg: '[41404150.744046] Denied: IN=lo OUT=
>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
>>>>>>> DST=127.0.0.1
>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354
>>>>>>> DPT=44444
>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>> escaped msg: '[41404150.744046] Denied: IN=lo OUT=
>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
>>>>>>> DST=127.0.0.1
>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354
>>>>>>> DPT=44444
>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>> inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT=
>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
>>>>>>> DST=127.0.0.1
>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354
>>>>>>> DPT=44444
>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>> $!:{ "IN": "lo", "OUT": "", "MAC":
>>>>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>>>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
>>>>>>> "42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354", "DPT":
>>>>>>> "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
>>>>>>> "0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
>>>>>>> $.:
>>>>>>> $/:
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]> wrote:
>>>>>>>
>>>>>>>> RSYSLOG_DebugFormat
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> rsyslog mailing list
>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
>>>>>>>> if you DON'T LIKE THAT.
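The thread turns on two things: where mmnormalize places the parsed iptables fields in the message property tree, and how a template must reference them (`%$!norm!SRC%` once they sit under path=$!norm, `%$!SRC%` when they sit at the top level). Getting that right is what makes SRC, DST and DPT usable as structured fields for alerting on denied connections instead of regexing the raw kernel line. The Python below is an added example, not rsyslog or liblognorm code: it parses a constructed kernel log line in the format quoted in the thread into the same field set, models the effect of the path= option as a subtree of a dict (an assumption of the model, not rsyslog's implementation), and renders the thread's testFormat template so that the empty `src is  and test is testvalueyyy` output from a mismatched path reproduces next to the intended output. The names SAMPLE_MSG, parse_iptables_line, nest_under, set_var, resolve and render are this example's own.

```python
import re

# Constructed sample, modelled on the kernel msg: lines quoted in the thread
# (same field layout; values are illustrative).
SAMPLE_MSG = ("[41418450.088091] Denied: IN=lo OUT= "
              "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
              "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 "
              "WINDOW=32792 RES=0x00 SYN URGP=0 ")

KERNTIME_RE = re.compile(r"^\[(\d+\.\d+)\]\s*")


def parse_iptables_line(msg):
    """Flatten a netfilter log line into {field: value}.

    KEY=VALUE tokens become string values; bare flag tokens such as DF or SYN
    become "[*PRESENT*]", mirroring the debug output quoted in the thread
    (the empty "" key that the thread's rulebase emitted is not reproduced).
    """
    fields = {}
    m = KERNTIME_RE.match(msg)
    if m:
        fields["kerntime"] = "[" + m.group(1) + "]"
        msg = msg[m.end():]
    first = re.search(r"\b[A-Z]+=", msg)   # skip the free-text prefix ("Denied:")
    if first is None:
        return fields
    for tok in msg[first.start():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = "[*PRESENT*]"
    return fields


def _path_parts(ref):
    """'$!norm!SRC', '%$!norm!SRC%' -> ['norm', 'SRC'];  '$!' -> []."""
    return [p for p in ref.strip("%").lstrip("$").split("!") if p]


def set_var(tree, ref, value):
    """Model of `set $!testzzz = "testvalueyyy";` applied to the $! tree."""
    parts = _path_parts(ref)
    node = tree
    for p in parts[:-1]:
        node = node.setdefault(p, {})
    node[parts[-1]] = value
    return tree


def nest_under(fields, path):
    """Model of mmnormalize's path= option (assumption): '$!' puts the fields
    at the top of the tree, '$!norm' puts them under a 'norm' subtree."""
    tree = {}
    node = tree
    for p in _path_parts(path):
        node = node.setdefault(p, {})
    node.update(fields)
    return tree


def resolve(tree, ref):
    """Look up one %$!a!b% reference; a missing path yields the empty string."""
    node = tree
    for p in _path_parts(ref):
        if not isinstance(node, dict) or p not in node:
            return ""
        node = node[p]
    return node if isinstance(node, str) else ""


def render(tree, template):
    """Substitute every %$!...% property reference in a string template."""
    return re.sub(r"%(\$![^%]*)%", lambda m: resolve(tree, m.group(1)), template)


def demo():
    """Return (output with fields under $!norm, output with fields at $!)."""
    fields = parse_iptables_line(SAMPLE_MSG)
    template = "src is %$!norm!SRC% and test is %$!testzzz%"
    nested = set_var(nest_under(fields, "$!norm"), "$!testzzz", "testvalueyyy")
    flat = set_var(nest_under(fields, "$!"), "$!testzzz", "testvalueyyy")
    return render(nested, template), render(flat, template)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it prints `src is 127.0.0.1 and test is testvalueyyy` for the nested tree and `src is  and test is testvalueyyy` for the flat one, which is exactly the symptom in the thread: the template referenced `$!norm!SRC` while the fields were still at the top level, so the lookup silently resolved to an empty string. The same resolver answers the reverse question: once the fields really are under `$!norm`, a template that still says `%$!SRC%` also comes back empty.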