Is there a way I can turn on more debug around the mmnormalize functions?
Although I think the mmnormalize parsing of iptables is working correctly,
because I do see the values I want in the RSYSLOG_DebugFormat output for
$!, I just can't use them in a template with any of my current attempts.

On Sun, Oct 26, 2014 at 4:10 PM, Todd Mortensen <[email protected]>
wrote:

> In the debug output I do not see any of the mmnormalize parsed values,
> only references to SRC are from my templates.
>
> On Sun, Oct 26, 2014 at 9:06 AM, Rainer Gerhards <[email protected]> wrote:
>
>> Yeah, that is what I was looking for. On the phone though I do not see
>> access to SRC...
>>
>> Sent from phone, thus brief.
>> Am 26.10.2014 16:51 schrieb "Todd Mortensen" <[email protected]>:
>>
>> > Sure, the lines I have been posting so far are from the
>> > RSYSLOG_DebugFormat output. Are you looking for the output from these
>> > options?
>> >
>> > $DebugFile /var/log/rsyslog.debug.log
>> > $DebugLevel 2
>> >
>> > I have attached a full run from start to stop with a telnet test to
>> > generate the iptables line.   I telnet to port 45678 so that is what I
>> > search for.
>> >
>> > On 10/26/2014 08:32 AM, Rainer Gerhards wrote:
>> >
>> >> Can you create a debug log?
>> >>
>> >> Sent from phone, thus brief.
>> >> Am 26.10.2014 16:27 schrieb "Todd Mortensen" <[email protected]>:
>> >>
>> >>> Switching to path=$!norm does move the values to what one would think is
>> >>> the proper place, yet I still can not use any permutation in a template.
>> >>>
>> >>> Here is the full debug output showing the !norm is correct now.
>> >>>
>> >>> $!:{ "norm": { "IN": "lo", "OUT": "", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00",
>> >>> "SRC": "127.0.0.1", "DST": "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00",
>> >>> "TTL": "64", "ID": "62894", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34951",
>> >>> "DPT": "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP": "0",
>> >>> "": "[*PRESENT*]", "kerntime": "[41463095.356057]" }, "testzzz": "testvalueyyy" }
>> >>>
>> >>> On Sat, Oct 25, 2014 at 9:36 PM, David Lang <[email protected]> wrote:
>> >>>
>> >>>> silly thought, try $!src in case there is a capitalization oddity going
>> >>>> on here.
>> >>>>
>> >>>> the path should have been $!norm not !norm, but I don't think that's your
>> >>>> problem.
>> >>>>
>> >>>> The fact that setting testzzz put the variable where it does in the debug
>> >>>> output also says that it should just be $!SRC
>> >>>>
>> >>>> David Lang
>> >>>>
>> >>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>> >>>>
>> >>>>   Date: Sat, 25 Oct 2014 20:08:07 -0700
>> >>>>
>> >>>>> From: Todd Mortensen <[email protected]>
>> >>>>> Reply-To: rsyslog-users <[email protected]>
>> >>>>> To: rsyslog-users <[email protected]>
>> >>>>> Subject: Re: [rsyslog] mmnormalize and iptables, help using the parsed
>> >>>>> values
>> >>>>>
>> >>>>>
>> >>>>> I have tested and can set and print a test variable. I tried %$!!SRC%, no
>> >>>>> luck.
>> >>>>>
>> >>>>> I added a path to the mmnormalize call, it added an empty norm {} to $! but
>> >>>>> the mmnormalized items are not in it.
>> >>>>>
>> >>>>> # mmnormalize has to be loaded once before the action below can be used
>> >>>>> module(load="mmnormalize")
>> >>>>> *.* { action(type="mmnormalize" useRawMsg="on" path="!norm"
>> >>>>>              ruleBase="/etc/rsyslog.d/normalize.rb") }
>> >>>>> template(name="testFormat" type="string"
>> >>>>>          string="src is %$!norm!SRC% and test is %$!testzzz% \n")
>> >>>>> if $parsesuccess == "OK" then {
>> >>>>>     action(type="omfile" file="/var/log/parsed.log" template="testFormat")
>> >>>>>     action(type="omfile" file="/var/log/parsed.debug.log"
>> >>>>>            template="RSYSLOG_DebugFormat")
>> >>>>> }
>> >>>>>
>> >>>>>
>> >>>>> parsed.log output
>> >>>>> src is  and test is testvalueyyy
>> >>>>>
>> >>>>> parsed.debug.log output
>> >>>>>
>> >>>>> Debug line with all properties:
>> >>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost', PRI: 4,
>> >>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
>> >>>>> TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
>> >>>>> msg: '[41418450.088091] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 WINDOW=32792 RES=0x00 SYN URGP=0 '
>> >>>>> escaped msg: '[41418450.088091] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 WINDOW=32792 RES=0x00 SYN URGP=0 '
>> >>>>> inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 WINDOW=32792 RES=0x00 SYN URGP=0 '
>> >>>>> $!:{ "IN": "lo", "OUT": "", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST": "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID": "18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607", "DPT": "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP": "0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]", "testzzz": "testvalueyyy", "norm": { } }
>> >>>>> $.:
>> >>>>> $/:
>> >>>>>
>> >>>>> On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:
>> >>>>>
>> >>>>>> define a variable yourself and see what it looks like relative to the
>> >>>>>> others
>> >>>>>>
>> >>>>>> set $!test = 'value';
>> >>>>>>
>> >>>>>> the % are only used in format statements, not in any tests
>> >>>>>>
>> >>>>>> I would expect that $!SRC would be right in a test and %$!SRC% in a format
>> >>>>>> statement.
>> >>>>>>
>> >>>>>> try $!!SRC on the thought that there is a top level name being lost here.
>> >>>>>>
>> >>>>>> Or try specifying a path in the action to explicitly put them under
>> >>>>>> something (say $!normalized which should result in $!normalized!SRC as the
>> >>>>>> variable name)
>> >>>>>>
>> >>>>>> David Lang
>> >>>>>>
>> >>>>>>
>> >>>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>> >>>>>>
>> >>>>>>> Here is the output I get from the debug format, I have not been able to
>> >>>>>>> find a way to represent the $! items individually though.
>> >>>>>>>
>> >>>>>>> I have tried,  %$!SRC%, %$!:SRC%, $!SRC,  %$!{SRC}
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost', PRI: 4,
>> >>>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID: '-', MSGID: '-',
>> >>>>>>> TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
>> >>>>>>> msg: '[41404150.744046] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444 WINDOW=32792 RES=0x00 SYN URGP=0 '
>> >>>>>>> escaped msg: '[41404150.744046] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444 WINDOW=32792 RES=0x00 SYN URGP=0 '
>> >>>>>>> inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444 WINDOW=32792 RES=0x00 SYN URGP=0 '
>> >>>>>>> $!:{ "IN": "lo", "OUT": "", "MAC": "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST": "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID": "42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354", "DPT": "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP": "0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
>> >>>>>>> $.:
>> >>>>>>> $/:
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]>
>> wrote:
>> >>>>>>>
>> >>>>>>>   RSYSLOG_DebugFormat
>> >>>>>>>
>> >>>>>>> _______________________________________________
>> >>>>>>> rsyslog mailing list
>> >>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> >>>>>>> http://www.rsyslog.com/professional-services/
>> >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> >>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> >>>>>>> DON'T LIKE THAT.
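Editor's note: the thread keeps circling around two separate things, what mmnormalize extracts from the netfilter line and which variable name a template must use to reach it ($!SRC when the fields sit at the $! root, $!norm!SRC when the action was given path="$!norm"). The following is an added example, not code from the thread or from the rsyslog project: a small Python parser for the netfilter LOG line format quoted above, plus an emulation of how rsyslog resolves a $!a!b variable and expands %...% placeholders in a type="string" template. The sample line is constructed for the example, the "prefix" field and the parsesuccess() helper are this example's own approximations (liblognorm emits neither), and the path argument of normalize() only models where the result tree is stored, not the real rulebase engine.

```python
import json
import re

# Constructed sample input: a netfilter LOG line in the same layout as the
# kernel message quoted in the thread (values are made up for this example).
SAMPLE_MSG = (
    "[41418450.088091] Denied: IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
    "LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678 "
    "WINDOW=32792 RES=0x00 SYN URGP=0 "
)

# Marker the liblognorm output in the thread used for bare flags such as DF and SYN.
PRESENT = "[*PRESENT*]"

_KERNTIME = re.compile(r"^\s*(\[\d+\.\d+\])\s*")


def parse_netfilter(msg):
    """Parse a netfilter LOG line into a flat dict of fields.

    KEY=VALUE tokens become fields (an empty value such as "OUT=" is kept as ""),
    bare all-caps tokens (DF, SYN, ACK, ...) are recorded as PRESENT, and any
    leading free text (the --log-prefix, "Denied:" here) goes into "prefix".
    The "prefix" key is this example's own choice, not something liblognorm emits.
    """
    fields = {}
    rest = msg
    m = _KERNTIME.match(msg)
    if m:
        fields["kerntime"] = m.group(1)
        rest = msg[m.end():]
    prefix = []
    for tok in rest.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok.isalpha() and tok.isupper():
            fields[tok] = PRESENT
        else:
            prefix.append(tok)
    if prefix:
        fields["prefix"] = " ".join(prefix)
    return fields


def parsesuccess(fields):
    """Approximation of rsyslog's $parsesuccess for this example: "OK" only if
    the line really was a netfilter record (SRC and DST present), else "FAIL"."""
    return "OK" if "SRC" in fields and "DST" in fields else "FAIL"


def normalize(msg, path=None):
    """Emulate where mmnormalize stores its result: at the $! root when no path
    is given, or under a named subtree (path="$!norm" or "norm")."""
    fields = parse_netfilter(msg)
    if path is None:
        return dict(fields)
    if path.startswith("$!"):
        path = path[2:]
    return {path: fields}


def lookup(tree, var):
    """Resolve an rsyslog-style JSON variable such as "$!SRC" or "$!norm!SRC".
    An unset variable renders as "" in a string template, which is exactly the
    "src is  and test is ..." output seen in the thread."""
    if not var.startswith("$!"):
        raise ValueError("only $! (message JSON) variables are supported: %r" % var)
    node = tree
    for part in var[2:].split("!"):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return node if isinstance(node, str) else json.dumps(node)


def render(template, tree):
    """Expand %$!...% placeholders the way a type="string" template would."""
    return re.sub(r"%(\$![^%]+)%", lambda m: lookup(tree, m.group(1)), template)


if __name__ == "__main__":
    root = normalize(SAMPLE_MSG)                   # no path: fields live at $!
    nested = normalize(SAMPLE_MSG, path="$!norm")  # path="$!norm": fields under $!norm
    print(render("src is %$!SRC% dpt is %$!DPT%", root))
    print(render("src is %$!norm!SRC% dpt is %$!norm!DPT%", nested))
    # Fields at the root but the template asks for $!norm!SRC: renders empty.
    print(render("src is %$!norm!SRC%", root))
```

The last print reproduces the symptom from the thread: the fields are present (the RSYSLOG_DebugFormat dump shows them), but the template names a subtree they are not in, so the property expands to nothing. Checking the $! dump against the exact variable path used in the template, as David Lang suggested, is the first thing to do before turning on more debug output.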