This is an interesting discussion; I'd be curious to see what people are doing to parse/normalize messages as they come in.
Several projects that I'm associated with tend to revolve around extrapolating properties of a message and then assigning them (typically post-receipt, and generating more load). Is anyone out there taking in raw Windows, proxy, or other complex logs and breaking them apart for either simplification or volume reduction? (For example, eliminating the description field of Windows events while enhancing the event properties before sending on down the wire?)

On Tue Dec 30 2014 at 3:20:12 PM David Lang <[email protected]> wrote:

> On Tue, 30 Dec 2014, Kendall Green wrote:
>
> > Hello, I would like to share experience with normalization of Windows event
> > logs with rsyslog and have critique of configuration for the latest syntax
> > directives and supported functions. In response to a previous message
> > regarding the reparse() feature enhancement, there appears to be imminent
> > refactoring of parser modules.
>
> Parser modules are not the same as the mmnormalize rulebase. Parser modules are
> applied to messages as they arrive at the rsyslog server and populate the
> standard properties; mmnormalize is intended to populate other variables.
>
> > Is it possible to output mmnormalize rulebase to json path and output on
> > template which does not include the msg/userawmsg field?
>
> If you have JSON, you should use mmjsonparse to extract the variables, but once
> you have the variables parsed out, you can use them in any template.
>
> To give you more information, I would need a better idea of what you are trying
> to do.
>
> > Thank you for any recommendations or examples related to new normalization
> > modules.
>
> While there may be enhancements to the normalization, that is completely
> separate from the parser modules (I know, it's a bit confusing).
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
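As an added illustration of the two points raised above (David's advice to parse JSON with mmjsonparse and then use the variables in any template, and the question about dropping the Windows description field while enriching the event before forwarding), here is an rsyslog configuration in the current RainerScript syntax. It is not code from either poster or from the rsyslog project. The field names (EventID, Message, LogonType), the listening port 10514, the collector name collector.example.internal and the spool file path are assumptions for the example; substitute whatever your Windows agent actually emits.

```rsyslog
# Added example, not from the thread or the rsyslog project.
# Assumptions (hypothetical): a Windows agent ships each event as one bare
# JSON object per line over TCP/10514 with fields such as EventID, Channel,
# Level, Message (the free-text description) and, for logon events,
# TargetUserName and LogonType. Slimmed events go to collector.example.internal.

module(load="imtcp")
module(load="mmjsonparse")

input(type="imtcp" port="10514" ruleset="winevents")

# Standard header properties first, then whatever is left under $!.
# $!all-json serialises the JSON tree as it stands after the unset/set below,
# so the description is gone and the derived fields are included.
template(name="slimwin" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" winevent: ")
    property(name="$!all-json")
    constant(value="\n")
}

ruleset(name="winevents") {
    # cookie="" because the agent sends bare JSON with no "@cee:" prefix.
    action(type="mmjsonparse" cookie="")

    if $parsesuccess != "OK" then {
        # Do not silently lose events that failed to parse; keep the raw line.
        action(type="omfile" file="/var/log/winevents-unparsed.log")
        stop
    }

    # Volume reduction: the description mostly repeats the structured fields.
    unset $!Message;

    # Enrichment: derive properties downstream consumers need, before the
    # event leaves this box. EventID is assumed to arrive as a JSON number;
    # compare against "4624" etc. if your agent quotes it as a string.
    if $!EventID == 4624 then {
        set $!norm!event_class = "logon_success";
    } else if $!EventID == 4625 then {
        set $!norm!event_class = "logon_failure";
    } else if $!EventID == 4688 then {
        set $!norm!event_class = "process_create";
    } else {
        set $!norm!event_class = "other";
    }

    # Well-known Windows logon type codes for the logon events above.
    if $!LogonType == 10 then {
        set $!norm!logon_type_name = "RemoteInteractive";
    } else if $!LogonType == 3 then {
        set $!norm!logon_type_name = "Network";
    } else if $!LogonType == 2 then {
        set $!norm!logon_type_name = "Interactive";
    }

    action(type="omfwd" target="collector.example.internal" port="6514"
           protocol="tcp" template="slimwin")
    stop
}
```

Two caveats before dropping the description field for real: only unset $!Message once you have confirmed that every value your detections key on is present as a structured field (for 4688, for example, the command line only appears as its own field when the "Include command line in process creation events" audit policy is enabled), and keep the unparsed spool file in the example, since an event that fails mmjsonparse would otherwise vanish exactly when an attacker has managed to emit something malformed.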

