Tried re-ordering it? Put the one with /port first?

Yes, rest must get at least one char to succeed. I'll create some new tests without rest-capture (and see what fails).

On Thu, Mar 12, 2015 at 1:09 AM, David Lang <[email protected]> wrote:
> I just upgraded to liblognorm 1.1.1 (unfortunately I didn't get a chance to
> compile it myself and test it earlier)
>
> I ran into two problems
>
> first, %last:rest% does not match if there is nothing left on the line
>
> i.e. a line that ends with an IP address will not match
> rule=:%ip:ipv4%%last:rest%
>
> secondly, liblognorm is selecting the rule that matches the least amount of
> the message.
>
> so with these two rules
>
> rule=:%ip:ipv4%%last:rest%
> rule=:%ip:ipv4%/%port:number%%last:rest%
>
> 192.168.1.1/5 will get matched by the first rule, with '/5' in last, even
> though the second rule would match it. If I remove the first rule, the
> second rule does match and the parse succeeds.
>
> David Lang
>
>
> On Fri, 6 Feb 2015, David Lang wrote:
>
>> While I'm working to build packages of this to test with, what happens if
>> you descend into a ruleset like the following
>>
>> rule=:%ip:ipv4%%last:rest%
>> rule=:%ip:ipv4%/%port:number%%last:rest%
>>
>> will it work to find the match that has the least left in last?
>>
>> David Lang
>>
>>
>> On Fri, 6 Feb 2015, singh.janmejay wrote:
>>
>>> It's going to be in the coming release, just master build for now.
>>>
>>> --
>>> Regards,
>>> Janmejay
>>>
>>> PS: Please blame the typos in this mail on my phone's uncivilized soft
>>> keyboard sporting its not-so-smart-assist technology.
>>>
>>> On Feb 6, 2015 6:37 AM, "David Lang" <[email protected]> wrote:
>>>
>>>> On Wed, 4 Feb 2015, singh.janmejay wrote:
>>>>
>>>> On Wed, Feb 4, 2015 at 6:22 PM, David Lang <[email protected]> wrote:
>>>>>
>>>>> On Wed, 4 Feb 2015, singh.janmejay wrote:
>>>>>>
>>>>>> On Wed, Feb 4, 2015 at 7:17 AM, David Lang <[email protected]> wrote:
>>>>>>
>>>>>>>> Field type 'descent' does this, but not exactly in the same way.
>>>>>>>
>>>>>> does it?
>>>>>> I understood it to just be calling another ruleset on the whole
>>>>>> line (doc problem again)
>>>>>>
>>>>> It allows field to identify how remaining-text should be returned, which
>>>>> allows it to be parsed by remaining part of the rule which the field
>>>>> belongs to.
>>>>>
>>>>> Here is a test which uses something similar to what you are trying to do:
>>>>> https://github.com/rsyslog/liblognorm/blob/master/tests/field_tokenized_recursive.sh#L41
>>>>>
>>>>> (check 41 to EOF)
>>>>>
>>>>
>>>> This looks like it may do this, but it looks like it's not in the release
>>>> yet. I'll have to compile from scratch.
>>>>
>>>> David Lang
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.

--
Regards,
Janmejay
http://codehunk.wordpress.com
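
The two behaviours discussed in this thread, as an added example that is not part of the original mails and is not liblognorm code: a simplified Python model of the two rules, in which `rest` can be made to require at least one character, plus a selector that keeps the match leaving the least text in `rest`. The function names, the selection policy and the sample message are assumptions made for illustration; liblognorm's own parse tree works differently.

```python
import re

def _ipv4(s, _empty_ok):
    m = re.match(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", s)
    return m.end() if m and all(int(g) <= 255 for g in m.groups()) else None

def _number(s, _empty_ok):
    m = re.match(r"\d+", s)
    return m.end() if m else None

def _rest(s, empty_ok):
    # Per the thread, 'rest' in 1.1.1 needs at least one character to succeed.
    return len(s) if (s or empty_ok) else None

PARSERS = {"ipv4": _ipv4, "number": _number, "rest": _rest}  # model only

def compile_rule(line):
    """Turn 'rule=:<pattern>' into ('lit', text) / ('field', name, type) tokens."""
    tokens = []
    pattern = line.split(":", 1)[1]
    for i, part in enumerate(re.split(r"%([^%:]+:[^%:]+)%", pattern)):
        if i % 2:                       # odd items are the captured "name:type"
            tokens.append(("field", *part.split(":")))
        elif part:                      # non-empty literal text between fields
            tokens.append(("lit", part))
    return tokens

def match(rule, msg, empty_rest_ok=False):
    """Return (fields, chars captured by 'rest') on a full match, else None."""
    fields, pos, leftover = {}, 0, 0
    for tok in compile_rule(rule):
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        _, name, ftype = tok
        n = PARSERS[ftype](msg[pos:], empty_rest_ok)
        if n is None:
            return None
        fields[name] = msg[pos:pos + n]
        leftover += n if ftype == "rest" else 0
        pos += n
    return (fields, leftover) if pos == len(msg) else None

def normalize(rules, msg, empty_rest_ok=False):
    """Hypothetical selector: keep the match that leaves the least in 'rest'."""
    hits = [h for h in (match(r, msg, empty_rest_ok) for r in rules) if h]
    return min(hits, key=lambda h: h[1])[0] if hits else None

RULES = ["rule=:%ip:ipv4%%last:rest%",
         "rule=:%ip:ipv4%/%port:number%%last:rest%"]
SAMPLE = "192.168.1.1/5 denied"  # constructed sample message
```

With `SAMPLE`, both rules match on their own, and `normalize` returns the second rule's fields regardless of rule order; a bare `192.168.1.1` only matches when `empty_rest_ok=True`.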

