Is there a way I can turn on more debug around the mmnormalize functions? Although I think the mmnormalize parsing of iptables is working correctly, because I do see the values I want in the RSYSLOG_DebugFormat output for $!, I just can't use them in a template with any of my current attempts.
On Sun, Oct 26, 2014 at 4:10 PM, Todd Mortensen <[email protected]> wrote:

> In the debug output I do not see any of the mmnormalize parsed values,
> only references to SRC are from my templates.
>
> On Sun, Oct 26, 2014 at 9:06 AM, Rainer Gerhards <[email protected]> wrote:
>
>> Yeah that is what I was looking for. On the phone though I do not see
>> access to SRC...
>>
>> Sent from phone, thus brief.
>> On 26.10.2014 16:51 "Todd Mortensen" <[email protected]> wrote:
>>
>>> Sure, the lines I have been posting so far are from the
>>> RSYSLOG_DebugFormat output. Are you looking for the output from these
>>> options?
>>>
>>> $DebugFile /var/log/rsyslog.debug.log
>>> $DebugLevel 2
>>>
>>> I have attached a full run from start to stop with a telnet test to
>>> generate the iptables line. I telnet to port 45678 so that is what I
>>> search for.
>>>
>>> On 10/26/2014 08:32 AM, Rainer Gerhards wrote:
>>>
>>>> Can you create a debug log?
>>>>
>>>> Sent from phone, thus brief.
>>>> On 26.10.2014 16:27 "Todd Mortensen" <[email protected]> wrote:
>>>>
>>>>> Switching to path=$!norm does move the values to what one would think
>>>>> is the proper place, yet I still can not use any permutation in a
>>>>> template.
>>>>>
>>>>> Here is the full debug output showing the !norm is correct now.
>>>>>
>>>>> $!:{ "norm": { "IN": "lo", "OUT": "", "MAC":
>>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
>>>>> "62894", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34951", "DPT":
>>>>> "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
>>>>> "0", "": "[*PRESENT*]", "kerntime": "[41463095.356057]" }, "testzzz":
>>>>> "testvalueyyy" }
>>>>>
>>>>> On Sat, Oct 25, 2014 at 9:36 PM, David Lang <[email protected]> wrote:
>>>>>
>>>>>> silly thought, try $!src in case there is a capitalization oddity
>>>>>> going on here.
>>>>>>
>>>>>> the path should have been $!norm not !norm, but I don't think that's
>>>>>> your problem.
>>>>>>
>>>>>> The fact that setting testzzz put the variable where it does in the
>>>>>> debug output also says that it should just be $!SRC
>>>>>>
>>>>>> David Lang
>>>>>>
>>>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>>>>>>
>>>>>>> Date: Sat, 25 Oct 2014 20:08:07 -0700
>>>>>>> From: Todd Mortensen <[email protected]>
>>>>>>> Reply-To: rsyslog-users <[email protected]>
>>>>>>> To: rsyslog-users <[email protected]>
>>>>>>> Subject: Re: [rsyslog] mmnormalize and iptables, help using the parsed
>>>>>>> values
>>>>>>>
>>>>>>> I have tested and can set and print a test variable. I tried %$!!SRC%,
>>>>>>> no luck.
>>>>>>>
>>>>>>> I added a path to the mmnormalize call, it added an empty norm {} to $!
>>>>>>> but the mmnormalized items are not in it.
>>>>>>>
>>>>>>> *.* {action(type="mmnormalize" UseRawMsg="on" path="!norm"
>>>>>>> ruleBase="/etc/rsyslog.d/normalize.rb")}
>>>>>>> template(name="testFormat" type="string" string="src is %$!norm!SRC% and
>>>>>>> test is %$!testzzz% \n")
>>>>>>> if $parsesuccess == "OK" then{
>>>>>>> action(type="omfile" file="/var/log/parsed.log" template="testFormat")
>>>>>>> action(type="omfile" file="/var/log/parsed.debug.log"
>>>>>>> template="RSYSLOG_DebugFormat")
>>>>>>> }
>>>>>>>
>>>>>>> parsed.log output
>>>>>>> src is and test is testvalueyyy
>>>>>>>
>>>>>>> parsed.debug.log output
>>>>>>>
>>>>>>> Debug line with all properties:
>>>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
>>>>>>> PRI: 4,
>>>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>>>>>> '-', MSGID: '-',
>>>>>>> TIMESTAMP: 'Oct 25 20:01:31', STRUCTURED-DATA: '-',
>>>>>>> msg: '[41418450.088091] Denied: IN=lo OUT=
>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>> escaped msg: '[41418450.088091] Denied: IN=lo OUT=
>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>> inputname: imklog rawmsg: '[41418450.088091] Denied: IN=lo OUT=
>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF PROTO=TCP SPT=34607 DPT=45678
>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>> $!:{ "IN": "lo", "OUT": "", "MAC":
>>>>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>>>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
>>>>>>> "18808", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "34607", "DPT":
>>>>>>> "45678", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
>>>>>>> "0", "": "[*PRESENT*]", "kerntime": "[41418450.088091]", "testzzz":
>>>>>>> "testvalueyyy", "norm": { } }
>>>>>>> $.:
>>>>>>> $/:
>>>>>>>
>>>>>>> On Sat, Oct 25, 2014 at 7:24 PM, David Lang <[email protected]> wrote:
>>>>>>>
>>>>>>>> define a variable yourself and see what it looks like relative to the
>>>>>>>> others
>>>>>>>>
>>>>>>>> set $!test = 'value';
>>>>>>>>
>>>>>>>> the % are only used in format statements, not in any tests
>>>>>>>>
>>>>>>>> I would expect that $!SRC would be right in a test and %$!SRC% in a
>>>>>>>> format statement.
>>>>>>>>
>>>>>>>> try $!!SRC on the thought that there is a top level name being lost
>>>>>>>> here.
>>>>>>>>
>>>>>>>> Or try specifying a path in the action to explicitly put them under
>>>>>>>> something (say $!normalized which should result in $!normalized!SRC as
>>>>>>>> the variable name)
>>>>>>>>
>>>>>>>> David Lang
>>>>>>>>
>>>>>>>> On Sat, 25 Oct 2014, Todd Mortensen wrote:
>>>>>>>>
>>>>>>>>> Here is the output I get from the debug format, I have not been able
>>>>>>>>> to find a way to represent the $! items individually though.
>>>>>>>>>
>>>>>>>>> I have tried, %$!SRC%, %$!:SRC%, $!SRC, %$!{SRC}
>>>>>>>>>
>>>>>>>>> FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: 'localhost',
>>>>>>>>> PRI: 4,
>>>>>>>>> syslogtag 'kernel:', programname: 'kernel', APP-NAME: 'kernel', PROCID:
>>>>>>>>> '-', MSGID: '-',
>>>>>>>>> TIMESTAMP: 'Oct 25 16:03:11', STRUCTURED-DATA: '-',
>>>>>>>>> msg: '[41404150.744046] Denied: IN=lo OUT=
>>>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
>>>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>>>> escaped msg: '[41404150.744046] Denied: IN=lo OUT=
>>>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
>>>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>>>> inputname: imklog rawmsg: '[41404150.744046] Denied: IN=lo OUT=
>>>>>>>>> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
>>>>>>>>> LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42494 DF PROTO=TCP SPT=48354 DPT=44444
>>>>>>>>> WINDOW=32792 RES=0x00 SYN URGP=0 '
>>>>>>>>> $!:{ "IN": "lo", "OUT": "", "MAC":
>>>>>>>>> "00:00:00:00:00:00:00:00:00:00:00:00:08:00", "SRC": "127.0.0.1", "DST":
>>>>>>>>> "127.0.0.1", "LEN": "60", "TOS": "0x10", "PREC": "0x00", "TTL": "64", "ID":
>>>>>>>>> "42494", "DF": "[*PRESENT*]", "PROTO": "TCP", "SPT": "48354", "DPT":
>>>>>>>>> "44444", "WINDOW": "32792", "RES": "0x00", "SYN": "[*PRESENT*]", "URGP":
>>>>>>>>> "0", "": "[*PRESENT*]", "kerntime": "[41404150.744046]" }
>>>>>>>>> $.:
>>>>>>>>> $/:
>>>>>>>>>
>>>>>>>>> On Sat, Oct 25, 2014 at 1:10 PM, David Lang <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> RSYSLOG_DebugFormat
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> rsyslog mailing list
>>>>>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>>>>>>> DON'T LIKE THAT.
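As an added example that is not part of the thread, the following Python stand-in mirrors what mmnormalize did to the iptables kernel line above (KEY=VALUE tokens, value-less flags such as DF and SYN recorded as [*PRESENT*], the kernel timestamp kept as kerntime, everything nested under "norm") and then resolves rsyslog-style property paths such as $!norm!SRC against that tree, so a template can be checked offline before chasing the problem inside rsyslog. The parser is hand-written, not liblognorm; the field names and the [*PRESENT*] marker are taken from the $! dumps quoted above, the sample line is constructed, and it assumes a one-word log prefix ending in a colon ("Denied:").

```python
import json
import re

# Constructed sample with the same shape as the kernel line quoted in the thread.
SAMPLE = ("[41418450.088091] Denied: IN=lo OUT= "
          "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 "
          "DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=18808 DF "
          "PROTO=TCP SPT=34607 DPT=45678 WINDOW=32792 RES=0x00 SYN URGP=0 ")

PRESENT = "[*PRESENT*]"  # marker liblognorm emits for a value-less flag token


def parse_iptables(msg, path="norm"):
    """Hand-written stand-in for the rulebase (assumption, not liblognorm):
    KEY=VALUE tokens become strings (OUT= stays ""), bare flags such as DF
    or SYN become [*PRESENT*], the kernel timestamp becomes 'kerntime', and
    the fields are nested under `path` as mmnormalize's path="$!norm" does."""
    # Assumes an optional one-word log prefix ending in ':' (here "Denied:").
    m = re.match(r"(\[\d+\.\d+\])\s+(?:\S+:\s+)?(.*)$", msg)
    if not m:
        return None  # not an iptables kernel line; nothing to normalize
    fields = {"kerntime": m.group(1)}
    for tok in m.group(2).split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else PRESENT
    return {path: fields}


def resolve(tree, prop):
    """Walk an rsyslog message-variable path such as '$!norm!SRC': '$!' is
    the JSON message tree and each further '!' descends one level.  A key
    that is not there yields "", which is how an unset variable shows up in
    a rendered template (the empty 'src is ' in the parsed.log output above)."""
    if not prop.startswith("$!"):
        raise ValueError("only $! message variables are handled here")
    node = tree
    for part in prop[2:].split("!"):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return node if isinstance(node, str) else json.dumps(node)


def render(template, tree):
    """Expand %$!...% placeholders the way a type="string" template would."""
    return re.sub(r"%(\$![^%]+)%", lambda m: resolve(tree, m.group(1)), template)
```

Feeding the constructed line through parse_iptables and rendering "src is %$!norm!SRC%" yields "src is 127.0.0.1", while "%$!SRC%" renders empty because SRC lives one level down.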

