In the debug output I do not see any of the mmnormalize parsed values, only
references to SRC are from my templates.

On Sun, Oct 26, 2014 at 9:06 AM, Rainer Gerhards <[email protected]>
wrote:

> Yeah, that is what I was looking for. On the phone though I do not see
> access to SRC...
>
> Sent from phone, thus brief.
> Am 26.10.2014 16:51 schrieb "Todd Mortensen" <[email protected]>:
>
> > Sure,  the lines I have been posting so far are from the
> > RSYSLOG_DebugFormat output.   Are you looking for the output from these
> > options ?
> >
> > $DebugFile /var/log/rsyslog.debug.log
> > $DebugLevel 2
> >
> > I have attached a full run from start to stop with a telnet test to
> > generate the iptables line.   I telnet to port 45678 so that is what I
> > search for.
> >
> > On 10/26/2014 08:32 AM, Rainer Gerhards wrote:
> >
> >> Can you create a debug log?
> >>
> >> Sent from phone, thus brief.
> >> Am 26.10.2014 16:27 schrieb "Todd Mortensen" <[email protected]>:
> >>
> >>> Switching to path=$!norm does move the values to what one would think is
> >>> the proper place, yet I still can not use any permutation in a
> >>> template.
> >>>
> >>> Here is the full debug output showing the !norm is correct now.
> >>>
> >>> $!:{ "norm": { "IN": "lo", "OUT": "", "MAC":
> >>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
> >>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
> >>> "62894", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34951", "DPT":
> >>> "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
> >>> "0", "": "[*PRESENT*]", "kerntime": "[41463095.356057]" }, "testzzz":
> >>> "testvalueyyy" }
> >>>
> >>> On Sat, Oct 25, 2014 at 9:36 PM, David Lang <[email protected]> wrote:
> >>>
> >>>> silly thought, try $!src in case there is a capitalization oddity going
> >>>> on here.
> >>>>
> >>>> the path should have been $!norm not !norm, but I don't think that's
> >>>> your problem.
> >>>>
> >>>> The fact that setting testzzz put the variable where it does in the
> >>>> debug output also says that it should just be $!SRC
> >>>>
> >>>> David Lang
> >>>>
> >>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
> >>>>
> >>>>> Date: Sat, 25 Oct 2014 20:08:07 -0700
> >>>>> From: Todd Mortensen <[email protected]>
> >>>>> Reply-To: rsyslog-users <[email protected]>
> >>>>> To: rsyslog-users <[email protected]>
> >>>>> Subject: Re: [rsyslog] mmnormalize and iptables, help using the parsed
> >>>>> values
> >>>>>
> >>>>>
> >>>>> I have tested and can set and print a test variable. I tried %$!!SRC%,
> >>>>> no luck.
> >>>>>
> >>>>> I added a path to the mmnormalize call, it added an empty norm {} to $!
> >>>>> but the mmnormalized items are not in it.
> >>>>>
> >>>>> *.* {action(type="mmnormalize" UseRawMsg="on" path="!norm"
> >>>>>             ruleBase="/etc/rsyslog.d/normalize.rb")}
> >>>>> template(name="testFormat" type="string"
> >>>>>          string="src is %$!norm!SRC% and test is %$!testzzz% \n")
> >>>>> if $parsesuccess == "OK" then {
> >>>>>   action(type="omfile" file="/var/log/parsed.log" template="testFormat")
> >>>>>   action(type="omfile" file="/var/log/parsed.debug.log"
> >>>>>          template="RSYSLOG_DebugFormat")
> >>>>> }
> >>>>>
> >>>>>
> >>>>> parsed.log output
> >>>>> src is  and test is testvalueyyy
> >>>>>
> >>>>> parsed.debug.log output
> >>>>>
> >>>>> Debug line with all properties:
> >>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
> >>>>> PRI: 4,
> >>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
> >>>>> '-', MSGID: '-',
> >>>>> TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
> >>>>> msg: '[41418450.088091] Denied: IN=lo OUT=
> >>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
> >>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >>>>> escaped msg: '[41418450.088091] Denied: IN=lo OUT=
> >>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
> >>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >>>>> inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT=
> >>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
> >>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >>>>> $!:{ "IN": "lo", "OUT": "", "MAC":
> >>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
> >>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
> >>>>> "18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607", "DPT":
> >>>>> "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
> >>>>> "0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]", "testzzz":
> >>>>> "testvalueyyy", "norm": { } }
> >>>>> $.:
> >>>>> $/:
> >>>>>
> >>>>> On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:
> >>>>>
> >>>>>> define a variable yourself and see what it looks like relative to
> >>>>>> the others
> >>>>>>
> >>>>>> set $!test = 'value';
> >>>>>>
> >>>>>> the % are only used in format statements, not in any tests
> >>>>>>
> >>>>>> I would expect that $!SRC would be right in a test and %$!SRC% in a
> >>>>>> format statement.
> >>>>>>
> >>>>>> try $!!SRC on the thought that there is a top level name being lost
> >>>>>> here.
> >>>>>>
> >>>>>> Or try specifying a path in the action to explicitly put them under
> >>>>>> something (say $!normalized which should result in $!normalized!SRC as
> >>>>>> the variable name)
> >>>>>>
> >>>>>> David Lang
> >>>>>>
> >>>>>>
> >>>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
> >>>>>>
> >>>>>>> Here is the output I get from the debug format, I have not been
> >>>>>>> able to find a way to represent the $! items individually though.
> >>>>>>>
> >>>>>>> I have tried, %$!SRC%, %$!:SRC%, $!SRC, %$!{SRC}
> >>>>>>>
> >>>>>>>
> >>>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
> >>>>>>> PRI: 4,
> >>>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
> >>>>>>> '-', MSGID: '-',
> >>>>>>> TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
> >>>>>>> msg: '[41404150.744046] Denied: IN=lo OUT=
> >>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
> >>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >>>>>>> escaped msg: '[41404150.744046] Denied: IN=lo OUT=
> >>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
> >>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >>>>>>> inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT=
> >>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> >>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
> >>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
> >>>>>>> $!:{ "IN": "lo", "OUT": "", "MAC":
> >>>>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
> >>>>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
> >>>>>>> "42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354", "DPT":
> >>>>>>> "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
> >>>>>>> "0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
> >>>>>>> $.:
> >>>>>>> $/:
> >>>>>>>
> >>>>>>>
> >>>>>>> On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]> wrote:
> >>>>>>>
> >>>>>>>> RSYSLOG_DebugFormat
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> rsyslog mailing list
> >>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>>>> http://www.rsyslog.com/professional-services/
> >>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>>>>>>> DON'T LIKE THAT.
> >>>>>>>
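Added example, not code from the thread or from rsyslog/liblognorm: a small Python emulation of how mmnormalize's `path` option places the parsed iptables fields in the `$!` message tree (top level vs. nested under `norm`, as in the two debug outputs above) and how a template reference such as `$!norm!SRC` or `$!SRC` resolves against that tree. The sample line and the `[*PRESENT*]` flag convention follow the quoted debug output; `parse_iptables`, `normalize` and `resolve` are simplified stand-ins for the rulebase and rsyslog's variable lookup, not their real implementation.

```python
import json
import re
from typing import Any, Dict

# Constructed sample, modelled on the iptables line quoted in the thread.
SAMPLE = ("[41418450.088091] Denied: IN=lo OUT= "
          "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 "
          "DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF "
          "PROTO=TCP SPT=34607 DPT=45678 WINDOW=32792 RES=0x00 SYN URGP=0 ")

PRESENT = "[*PRESENT*]"  # how liblognorm renders a value-less flag


def parse_iptables(msg: str) -> Dict[str, str]:
    """Simplified stand-in for the rulebase: split an iptables kernel line
    into name/value fields; bare tokens (DF, SYN) become PRESENT flags.
    The thread's stray '"": "[*PRESENT*]"' is presumably the trailing blank."""
    m = re.match(r"\[(\d+\.\d+)\]\s+\S+:\s*(.*)$", msg)
    if not m:
        return {}  # not an iptables line: nothing parsed
    fields: Dict[str, str] = {"kerntime": "[" + m.group(1) + "]"}
    for tok in m.group(2).split():
        name, sep, value = tok.partition("=")
        fields[name] = value if sep else PRESENT
    return fields


def normalize(msg: str, path: str = "") -> Dict[str, Any]:
    """Emulate mmnormalize's path option: path="" puts fields at the top of
    $!, path="!norm" nests them under "norm" (hypothetical, not rsyslog)."""
    tree: Dict[str, Any] = {}
    node = tree
    for part in [p for p in path.split("!") if p]:
        node = node.setdefault(part, {})
    node.update(parse_iptables(msg))
    return tree


def resolve(tree: Dict[str, Any], ref: str) -> str:
    """Resolve a template reference such as $!norm!SRC or $!SRC. A path that
    does not exist yields "", matching the empty 'src is' in parsed.log."""
    if not ref.startswith("$!"):
        raise ValueError("only $! (message JSON) variables are handled")
    node: Any = tree
    for part in ref[2:].split("!"):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return node if isinstance(node, str) else json.dumps(node)
```

With `path="!norm"` only `$!norm!SRC` resolves and `$!SRC` is empty; without a path it is the other way round, which is the distinction the thread is circling.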