+1 for collecting rules in a git-repo. For debugging parsing-errors, here is what I generally do:
action(type="mmnormalize" ruleBase="/etc/rsyslog.d/foo.rulebase" path="$.bar") And then dump $.bar directly in target payload instead of dereferencing keys from it selectively. This helps because in case of errors in parsing-rules, or for missed corner-cases, it publishes special keys called unparsed-fragment (or something similar) and original-message. When you don't see what you expect(actual fields with values), you can just search all objects having original-message key and look at unparsed fragment in one shot. On Tue, Feb 10, 2015 at 5:31 PM, Rainer Gerhards <[email protected]> wrote: > 2015-02-10 12:57 GMT+01:00 David Lang <[email protected]>: > > > On Tue, 10 Feb 2015, Rainer Gerhards wrote: > > > > 2015-02-07 2:21 GMT+01:00 Champ Clark III <[email protected]>: > >> > >> > >>> On the phone thus slow typing and only posting now to select issues: I > >>>> currently think doing rules in a github repo would probably be the > best > >>>> > >>> way > >>> > >>>> today. The wiki was good in 2010 (maybe not even then...). > >>>> > >>> > >>> > >>> That would be great. I know that starting a repo has come up several > >>> times > >>> in the past. > >>> > >>> I have some liblognorm rules from Sagan that I'd be more than happy to > >>> put > >>> into the repo. If you look > >>> at https://github.com/beave/sagan-rules, any file that ends with a > >>> .rulebase is for liblognorm. > >>> > >>> > >>> For example: > >>> > >>> > >>> https://raw.githubusercontent.com/beave/sagan-rules/master/ > >>> cisco-normalize.rulebase > >>> > >>> > >>> that looks quite good! > >> > >> I also have finally setup a repository: > >> > >> https://github.com/rsyslog/liblognorm-rulebases/tree/master > >> > >> Note that it has a place both for sample as well as rulebases, so log > >> sample contributions can also go into it (in the long term, it would be > >> great to have a kind of automatic check that a rulebase really matches a > >> sample...). > >> > >> I haven't copied over the Sagan files yet, as I try to keep everything > >> under ASL 2.0. Also, if someone suggests a better license to use, just > let > >> me know. I wanted a pretty liberal one. Maybe 2-clause BSD is even > better. > >> Now it's easy to change, later on it'll become a nightmare. So make > >> yourself heard :-) > >> > > > > I do like the 2-clause BSD for this. > > > Thanks, I guess so it's better to go that direction, especially... > > > > While in theory it has the drawback that commercial entities could take > > what we do, make it part of a product, and give nothing back, > > > I would really have no problems with that. It's not nice, but I think it is > more important to try to reach sufficient momentum for liblognorm and > chances are good that at least something will be given back by way of > promoting the technology. Of course, one can construct cases where all of > this is hidden, but... do we really need to care ;) > > > > > I don't think there is a license that could prevent that without being > > scary enough to management/legal types that they aren't willing to use > the > > results internally. > > > > So if we can't prevent abuse, let's simplify the legalities to the bare > > minumum > > > > > > remember IANAL > > > > Remember that these are snippets of config files, and they can be used > > independently or with what are effectively include statements. It's > really > > ugly > > to try and argue that one file is a derivitive of another when the only > > connection is that they are both included from a third. > > > > > > In fact, I think arguments could be made that a large part of what is in > > the config files is not protectable by copyright (being that it's > > functional, and there's not much variation on how to do it other than > > naming the variables, and functional isn't protectable by copyright, and > if > > you can't separate out the functional parts, you can loose protection of > > the whole thing) > > > > > > And even if this worst case happens, the liblognormalize code that is > > doing the processing is not BSD, and if a company does try to make the > > configs part of a closed product, they would still have to deal with that > > issue, which is very clear. Anyone trying to do this would almost > certinly > > end up providing fixes (either as code or as financing for a license to > the > > ASL code) to assist everyone. > > > yup > > Rainer > > > > > > > David Lang > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > -- Regards, Janmejay http://codehunk.wordpress.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
