On Tue, 30 Dec 2014, Kendall Green wrote:
> Hello, I would like to share experience with normalization of Windows event logs with rsyslog and have critique of configuration for the latest syntax directives and supported functions. In response to a previous message regarding the reparse() feature enhancement, there appears to be imminent refactoring of parser modules.

Parser modules are not the same as the mmnormalize rulebase. Parser modules are applied to messages as they arrive at the rsyslog server and populate the standard properties; mmnormalize is intended to populate other variables.

> Is it possible to output mmnormalize rulebase to json path and output on template which does not include the msg/userawmsg field?

If you have JSON, you should use mmjsonparse to extract the variables, but once you have the variables parsed out, you can use them in any template.

To give you more information, I would need a better idea of what you are trying to do.

> Thank you for any recommendations or examples related to new normalization modules.

While there may be enhancements to the normalization, that is completely separate from the parser modules (I know, it's a bit confusing).
David Lang
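The configuration below is an added example, not part of the original message or the rsyslog project's documentation: it shows mmjsonparse filling the `$!` variable tree and a list template that writes only selected fields, leaving out msg and rawmsg. The JSON field names (`EventID`, `TargetUserName`), the port, the ruleset and template names, and the file paths are assumptions; it also assumes the Windows agent sends JSON prefixed with the `@cee:` cookie that mmjsonparse looks for by default.

```rsyslog
# Added example; names, port and paths are assumptions.
module(load="imtcp")
module(load="mmjsonparse")

# List template built only from parsed variables and standard
# properties. msg and rawmsg are deliberately not referenced.
template(name="winevt-fields" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" EventID=")
    property(name="$!EventID")          # assumed JSON key
    constant(value=" User=")
    property(name="$!TargetUserName")   # assumed JSON key
    constant(value="\n")
}

ruleset(name="winevt") {
    # Parse the JSON payload into the $! variable tree.
    action(type="mmjsonparse")

    if $parsesuccess == "OK" then {
        action(type="omfile"
               file="/var/log/winevt-fields.log"
               template="winevt-fields")
    } else {
        # Keep messages that failed to parse so they can be reviewed
        # instead of being written with empty fields.
        action(type="omfile" file="/var/log/winevt-unparsed.log")
    }
}

input(type="imtcp" port="514" ruleset="winevt")
```

Routing parse failures to their own file makes gaps in normalization visible, which matters when the normalized output feeds detection rules.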

