On Thu, 12 Mar 2015, singh.janmejay wrote:

Tried re-ordering it? Put the one with /port first?

No, lognorm rules are not supposed to be order dependent, so I didn't try that (especially after finding things failing to parse with rsyslog that worked manually).

Yes, rest must get at least one char to succeed. I'll create some new
tests without rest-capture (and see what fails).

Ok, this can be worked around (but it's a bit ugly), any reason why rest has to get at least one character?

David Lang

On Thu, Mar 12, 2015 at 1:09 AM, David Lang <[email protected]> wrote:
I just upgraded to liblognorm 1.1.1 (unfortunately I didn't get a chance to
compile it myself and test it earlier)

I ran into two problems

first, %last:rest% does not match if there is nothing left on the line

i.e. a line that ends with an IP address will not match
rule=:%ip:ipv4%%last:rest%

secondly, liblognorm is selecting the rule that matches the least amount of
the message.

so with these two rules

rule=:%ip:ipv4%%last:rest%
rule=:%ip:ipv4%/%port:number%%last:rest%

192.168.1.1/5 will get matched by the first rule, with '/5' in last, even
though the second rule would match it. If I remove the first rule, the
second rule does match and the parse succeeds.

David Lang


On Fri, 6 Feb 2015, David Lang wrote:

While I'm working to build packages of this to test with, what happens if
you descend into a ruleset like the following

rule=:%ip:ipv4%%last:rest%
rule=:%ip:ipv4%/%port:number%%last:rest%

will it work to find the match that has the least left in last?

David Lang


On Fri, 6 Feb 2015, singh.janmejay wrote:

It's going to be in the coming release, just master build for now.

--
Regards,
Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft
keyboard sporting its not-so-smart-assist technology.

On Feb 6, 2015 6:37 AM, "David Lang" <[email protected]> wrote:

On Wed, 4 Feb 2015, singh.janmejay wrote:

 On Wed, Feb 4, 2015 at 6:22 PM, David Lang <[email protected]> wrote:


 On Wed, 4 Feb 2015, singh.janmejay wrote:


 On Wed, Feb 4, 2015 at 7:17 AM, David Lang <[email protected]> wrote:



 Field type 'descent' does this, but not exactly in the same way.



does it? I understood it to just be calling another ruleset on the whole
line (doc problem again)


It allows field to identify how remaining-text should be returned, which
allows it to be parsed by remaining part of the rule which the field
belongs to.

Here is a test which uses something similar to what you are trying to do:
https://github.com/rsyslog/liblognorm/blob/master/tests/field_tokenized_recursive.sh#L41

(check 41 to EOF)


This looks like it may do this, but it looks like it's not in the release
yet. I'll have to compile from scratch.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
