In the debug output I do not see any of the mmnormalize parsed values, only references to SRC are from my templates.
On Sun, Oct 26, 2014 at 9:06 AM, Rainer Gerhards <[email protected]> wrote:
> Yeah that is what i was looking for. On the phone though i do not see
> access to SRC...
>
> Sent from phone, thus brief.
> On 26.10.2014 16:51, "Todd Mortensen" <[email protected]> wrote:
>
>> Sure, the lines I have been posting so far are from the
>> RSYSLOG_DebugFormat output. Are you looking for the output from these
>> options?
>>
>> $DebugFile /var/log/rsyslog.debug.log
>> $DebugLevel 2
>>
>> I have attached a full run from start to stop with a telnet test to
>> generate the iptables line. I telnet to port 45678 so that is what I
>> search for.
>>
>> On 10/26/2014 08:32 AM, Rainer Gerhards wrote:
>>
>>> Can you create a debug log?
>>>
>>> Sent from phone, thus brief.
>>> On 26.10.2014 16:27, "Todd Mortensen" <[email protected]> wrote:
>>>
>>>> Switching to path=$!norm does move the values to what one would think
>>>> is the proper place, yet I still can not use any permutation in a
>>>> template.
>>>>
>>>> Here is the full debug output showing the !norm is correct now.
>>>>
>>>> $!:{ "norm": { "IN": "lo", "OUT": "", "MAC":
>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64",
>>>> "ID": "62894", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34951",
>>>> "DPT": "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]",
>>>> "URGP": "0", "": "[*PRESENT*]", "kerntime": "[41463095.356057]" },
>>>> "testzzz": "testvalueyyy" }
>>>>
>>>> On Sat, Oct 25, 2014 at 9:36 PM, David Lang <[email protected]> wrote:
>>>>
>>>>> silly thought, try $!src in case there is a capitalization oddity
>>>>> going on here.
>>>>>
>>>>> the path should have been $!norm not !norm, but I don't think that's
>>>>> your problem.
>>>>>
>>>>> The fact that setting testzzz put the variable where it does in the
>>>>> debug output also says that it should just be $!SRC
>>>>>
>>>>> David Lang
>>>>>
>>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>>>>>
>>>>>> Date: Sat, 25 Oct 2014 20:08:07 -0700
>>>>>> From: Todd Mortensen <[email protected]>
>>>>>> Reply-To: rsyslog-users <[email protected]>
>>>>>> To: rsyslog-users <[email protected]>
>>>>>> Subject: Re: [rsyslog] mmnormalize and iptables, help using the
>>>>>> parsed values
>>>>>>
>>>>>> I have tested and can set and print a test variable. I tried
>>>>>> %$!!SRC%, no luck.
>>>>>>
>>>>>> I added a path to the mmnormalize call, it added an empty norm {}
>>>>>> to $! but the mmnormalized items are not in it.
>>>>>>
>>>>>> *.* {action(type="mmnormalize" UseRawMsg="on" path="!norm"
>>>>>> ruleBase="/etc/rsyslog.d/normalize.rb")}
>>>>>> template(name="testFormat" type="string" string="src is %$!norm!SRC%
>>>>>> and test is %$!testzzz% \n")
>>>>>> if $parsesuccess == "OK" then{
>>>>>> action(type="omfile" file="/var/log/parsed.log" template="testFormat")
>>>>>> action(type="omfile" file="/var/log/parsed.debug.log"
>>>>>> template="RSYSLOG_DebugFormat")
>>>>>> }
>>>>>>
>>>>>> parsed.log output
>>>>>> src is and test is testvalueyyy
>>>>>>
>>>>>> parsed.debug.log output
>>>>>>
>>>>>> Debug line with all properties:
>>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
>>>>>> PRI: 4,
>>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel',
>>>>>> PROCID: '-', MSGID: '-',
>>>>>> TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
>>>>>> msg: '[41418450.088091] Denied: IN=lo OUT=
>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>> escaped msg: '[41418450.088091] Denied: IN=lo OUT=
>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>> inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT=
>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>> $!:{ "IN": "lo", "OUT": "", "MAC":
>>>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64",
>>>>>> "ID": "18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607",
>>>>>> "DPT": "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]",
>>>>>> "URGP": "0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]",
>>>>>> "testzzz": "testvalueyyy", "norm": { } }
>>>>>> $.:
>>>>>> $/:
>>>>>>
>>>>>> On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:
>>>>>>
>>>>>>> define a variable yourself and see what it looks like relative to
>>>>>>> the others
>>>>>>>
>>>>>>> set $!test = 'value';
>>>>>>>
>>>>>>> the % are only used in format statements, not in any tests
>>>>>>>
>>>>>>> I would expect that $!SRC would be right in a test and %$!SRC% in a
>>>>>>> format statement.
>>>>>>>
>>>>>>> try $!!SRC on the thought that there is a top level name being lost
>>>>>>> here.
>>>>>>>
>>>>>>> Or try specifying a path in the action to explicitly put them under
>>>>>>> something (say $!normalized which should result in $!normalized!SRC
>>>>>>> as the variable name)
>>>>>>>
>>>>>>> David Lang
>>>>>>>
>>>>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>>>>>>>
>>>>>>>> Here is the output I get from the debug format, I have not been
>>>>>>>> able to find a way to represent the $! items individually though.
>>>>>>>>
>>>>>>>> I have tried, %$!SRC%, %$!:SRC%, $!SRC, %$!{SRC}
>>>>>>>>
>>>>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
>>>>>>>> PRI: 4,
>>>>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel',
>>>>>>>> PROCID: '-', MSGID: '-',
>>>>>>>> TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
>>>>>>>> msg: '[41404150.744046] Denied: IN=lo OUT=
>>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
>>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>>> escaped msg: '[41404150.744046] Denied: IN=lo OUT=
>>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
>>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>>> inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT=
>>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
>>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>>> $!:{ "IN": "lo", "OUT": "", "MAC":
>>>>>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>>>>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64",
>>>>>>>> "ID": "42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354",
>>>>>>>> "DPT": "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]",
>>>>>>>> "URGP": "0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
>>>>>>>> $.:
>>>>>>>> $/:
>>>>>>>>
>>>>>>>> On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> RSYSLOG_DebugFormat
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> rsyslog mailing list
>>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>>>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
>>>>>>>>> POST if you DON'T LIKE THAT.
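The thread turns on two things: what mmnormalize extracts from a netfilter kernel line (key=value fields, bare flags such as DF and SYN recorded as "[*PRESENT*]", the bracketed kernel timestamp as "kerntime") and how that tree is addressed once a path such as !norm nests it (so $!norm!SRC rather than $!SRC). The following is an added, stand-alone Python illustration of both, written for this page; it is not rsyslog, liblognorm or mmnormalize code and does not read a rulebase. The sample lines are constructed from the "Denied:" message quoted in the thread, and the field conventions, the extra "prefix" key for the free-text log prefix, and the function names are assumptions of this example.

```python
"""Parse Linux netfilter LOG lines into the nested key/value tree the thread
shows, and resolve rsyslog-style variable paths ("$!norm!SRC") against it.

Added example for this mailing-list thread, not rsyslog or mmnormalize code.
"""
import re
from typing import Optional

# Constructed sample input, modelled on the kernel message quoted in the thread.
SAMPLE_LINES = [
    "[41418450.088091] Denied: IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
    "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 "
    "WINDOW=32792 RES=0x00 SYN URGP=0 ",
    "[41418451.000000] usb 1-1: new high-speed USB device",   # not a netfilter line
]

KERNTIME_RE = re.compile(r"^\[(\d+\.\d+)\]\s*")
PRESENT = "[*PRESENT*]"   # marker the thread's rulebase uses for value-less flags


def parse_netfilter_line(line: str, path: str = "norm") -> Optional[dict]:
    """Return {path: {field: value, ...}} for a netfilter LOG line.

    Returns None when the line is not a netfilter LOG message, which plays the
    role of the parsesuccess != "OK" case in the thread's config.
    """
    fields = {}
    rest = line.strip()

    # Kernel timestamp prefix, kept with its brackets as the thread's output does.
    m = KERNTIME_RE.match(rest)
    if m:
        fields["kerntime"] = "[%s]" % m.group(1)
        rest = rest[m.end():]

    # Netfilter LOG output always starts its field list with IN=; the text in
    # front of it is the administrator-chosen log prefix ("Denied:").
    idx = rest.find("IN=")
    if idx < 0:
        return None
    prefix, kv = rest[:idx].strip(), rest[idx:]
    if prefix:
        fields["prefix"] = prefix   # assumption: thread's rulebase drops this

    # KEY=VALUE tokens keep their (possibly empty) value; bare tokens such as
    # DF or SYN are flags and are recorded as PRESENT, as in the thread.
    for tok in kv.split():
        key, sep, value = tok.partition("=")
        fields[key] = value if sep else PRESENT

    # A netfilter LOG line without addresses is not one we can act on.
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {path: fields}


def lookup(tree: dict, varname: str):
    """Resolve an rsyslog-style message variable such as "$!norm!SRC" (the
    leading "$" and empty "!" components are ignored) against a nested dict.
    Returns None when any component is missing, which is what an empty
    %$!SRC% in a template corresponds to once the data lives under !norm."""
    node = tree
    for part in varname.lstrip("$").split("!"):
        if part == "":
            continue
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def summarize(tree: dict) -> Optional[str]:
    """Build the one-line summary the thread's testFormat template aimed at."""
    src, dpt = lookup(tree, "$!norm!SRC"), lookup(tree, "$!norm!DPT")
    if src is None or dpt is None:
        return None
    return "src is %s dpt is %s" % (src, dpt)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        tree = parse_netfilter_line(line)
        if tree is None:
            print("parsesuccess != OK:", line[:40])
            continue
        print(summarize(tree))
        print("top-level SRC:", lookup(tree, "$!SRC"), "| nested:", lookup(tree, "$!norm!SRC"))
```

Running it shows why the thread's first template came up empty: once the parsed fields are placed under a path, `lookup(tree, "$!SRC")` is None while `lookup(tree, "$!norm!SRC")` returns the address, and a line that is not netfilter output is rejected before any template is applied.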

