On 24 October 2015 at 00:18, David Lang <[email protected]> wrote:
> to troubleshoot this sort of thing, write a log file with what you are going
> to have mmnormalize look at (%msg% or %rawmsg% by default), and then test
> your ruleset manually with
>
> /usr/lib/lognorm/lognormalizer -r <rulebase file>
>
> add -v to get the gory details about what's happening (warning, don't try to
> do this with a large config, extract just the part you're testing)
>
> in your case, you don't specify rawmsg, so make a template that's just
> "%msg%\n" and output your logs with that. Then you can test things.
>
> David Lang
OK, that's helpful in that it makes me realise I think I've written the sshd.rb rulebase to match on %rawmsg% and then I'm feeding it %msg%, so nothing will match. But unfortunately it doesn't help me any more than that. Maybe it should, and would if I understood more about how rsyslog works, but it doesn't. I still can't get what I want working at all.

I'm honestly not entirely sure what questions to even ask, but I'm going to try two:

1] If a log event is passed through mmnormalize and doesn't match any of the rules, should it still get recorded somewhere? I would really really appreciate an answer to that because I cannot find an answer anywhere. I have experiences which indicate that the log event is still recorded if it doesn't match any rules, but then I also see that introducing mmnormalize with a rulebase that nothing matches to the default ruleset means that nothing at all gets logged.

2] I want to pass everything that comes in to rsyslog from imjournal through mmnormalize. Some of the events will match stuff in the rulebase, most of them won't. I then want everything to go to a remote host in JSON and also have everything go into the various files under /var/log/ as specified in the default /etc/rsyslogd.conf. Is this actually viable?

I have sending the content of a specified file, /var/log/fail2ban (the fail2ban logtarget), going through mmnormalize then to the remote host in JSON working. I have the default ruleset sending everything from imjournal to the remote host in JSON plus files in /var/log/ working, but when I try to get mmnormalize involved in that I get no output anywhere and I have no idea why.

thanks,
mike
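Added example, not from the thread or from the rsyslog project: a minimal rsyslog configuration that follows the troubleshooting advice quoted above (dump %msg% one-per-line so the rulebase can be tested by hand with lognormalizer) and then wires mmnormalize into the imjournal-to-JSON pipeline the reply describes. The debug file path, the rulebase path /etc/rsyslog.d/sshd.rb and the remote host logs.example.net are assumptions for illustration.

```rsyslog
# Added example (not the thread's own config). Paths and host are assumptions.
module(load="imjournal")
module(load="mmnormalize")

# 1. Write exactly the text mmnormalize will see, one message per line, so the
#    file can be fed to lognormalizer by hand. With useRawMsg="off" (the
#    default) the parser gets %msg%, so the debug file must use %msg% too;
#    a rulebase written against %rawmsg% will not match this text.
template(name="msgonly" type="string" string="%msg%\n")
action(type="omfile" file="/var/log/normalize-debug.log" template="msgonly")

# 2. Parse. A message that matches no rule is not discarded by mmnormalize:
#    liblognorm hands it back with "originalmsg" and "unparsed-data" fields
#    under $! and the message carries on through the rest of the ruleset.
action(type="mmnormalize" rulebase="/etc/rsyslog.d/sshd.rb" useRawMsg="off")

# 3. Forward everything as JSON: the parsed fields (or unparsed-data) plus a
#    few standard properties so unmatched events are still identifiable.
template(name="json-out" type="list") {
    constant(value="{\"host\":\"")    property(name="hostname" format="json")
    constant(value="\",\"time\":\"")  property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"msg\":\"")   property(name="msg" format="json")
    constant(value="\",\"parsed\":")  property(name="$!all-json")
    constant(value="}\n")
}
action(type="omfwd" target="logs.example.net" port="514" protocol="tcp" template="json-out")

# 4. The distribution's selector lines for /var/log/* still apply afterwards:
#    nothing above filters the message or calls stop.
```

To check the rulebase against what rsyslog actually feeds it, run the quoted command on the debug file (lognormalizer reads messages from stdin): `lognormalizer -r /etc/rsyslog.d/sshd.rb -v < /var/log/normalize-debug.log`. Every line that comes back with an unparsed-data field is one the rulebase did not match; comparing that text with the rule prefixes shows immediately whether the rules were written for the raw message (with the syslog header) rather than for %msg%.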

