2015-10-25 10:52 GMT+01:00 mike _ <[email protected]>:

> On 24 October 2015 at 00:18, David Lang <[email protected]> wrote:
>> To troubleshoot this sort of thing, write a log file with what you are going
>> to have mmnormalize look at (%msg% or %rawmsg% by default), and then test
>> your ruleset manually with
>>
>> /usr/lib/lognorm/lognormalizer -r <rulebase file>
>>
>> Add -v to get the gory details about what's happening (warning, don't try to
>> do this with a large config; extract just the part you're testing).
>>
>> In your case, you don't specify rawmsg, so make a template that's just
>> "%msg%\n" and output your logs with that. Then you can test things.
>>
>> David Lang
>
> OK, that's helpful in that it makes me realise I think I've written
> the sshd.rb rulebase to match on %rawmsg% and then I'm feeding it
> %msg%, so nothing will match. But unfortunately it doesn't help me any
> more than that. Maybe it should, and would if I understood more about
> how rsyslog works, but it doesn't. I still can't get what I want
> working at all.
>
> I'm honestly not entirely sure what questions to even ask, but I'm
> going to try two:
>
> 1] If a log event is passed through mmnormalize and doesn't match any
> of the rules, should it still get recorded somewhere? I would really
> really appreciate an answer to that because I cannot find an answer
> anywhere. I have experiences which indicate that the log event is
> still recorded if it doesn't match any rules, but then I also see that
> introducing mmnormalize with a rulebase that nothing matches to the
> default ruleset means that nothing at all gets logged.

It is still recorded somewhere, but that of course depends on how you have set up the full system. With the config excerpt from your initial posting, it should forward them.

> 2] I want to pass everything that comes in to rsyslog from imjournal
> through mmnormalize. Some of the events will match stuff in the
> rulebase, most of them won't. I then want everything to go to a
> remote host in JSON and also have everything go in to the various
> files under /var/log/ as specified in the default /etc/rsyslogd.conf.
> Is this actually viable?

Very normal use case.

> I have sending the content of a specified file, /var/log/fail2ban
> (the fail2ban logtarget), going through mmnormalize then to the remote
> host in JSON working. I have the default ruleset sending everything
> from imjournal to remote host in JSON plus files in /var/log/ working,
> but when I try to get mmnormalize involved in that I get no output
> anywhere and I have no idea why.

I suggest posting your full debug log; then we could probably see what is going on.

Rainer

> thanks,
>
> mike
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
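The configuration the thread is circling around, written out as an added example (not Mike's, David's or Rainer's config, and not from the rsyslog project): the whole imjournal stream goes through mmnormalize, then everything is forwarded as JSON to a remote host and also written to the local files, with David's "%msg%\n" debug file included so the rulebase can be replayed offline with lognormalizer. The rulebase path /etc/rsyslog.d/sshd.rb, the debug file path, the remote host name/port and the two local-file selectors are assumptions.

```rsyslog
# Added example, not from the thread. rsyslog 8.x RainerScript.
# Assumed paths: /etc/rsyslog.d/sshd.rb, /var/log/msgonly.log, logs.example.com:10514.

module(load="imjournal")     # systemd journal input, as used in the thread
module(load="mmnormalize")   # liblognorm-based parser

# 1. Debug aid (David Lang's advice): capture exactly the text mmnormalize will
#    see, so the rulebase can be tested outside rsyslog with
#      /usr/lib/lognorm/lognormalizer -r /etc/rsyslog.d/sshd.rb -v < /var/log/msgonly.log
#    Remove this action once the rulebase is known to match.
template(name="msgonly" type="string" string="%msg%\n")
action(type="omfile" file="/var/log/msgonly.log" template="msgonly")

# 2. Normalize every message. useRawMsg="off" (the default) feeds %msg%, so the
#    rulebase must be written against %msg%; a rulebase written for %rawmsg%
#    (the mismatch Mike describes) needs useRawMsg="on" instead.
action(type="mmnormalize" rulebase="/etc/rsyslog.d/sshd.rb" useRawMsg="off")

# 3. mmnormalize is a message-modification action: it never drops a message.
#    A message that matches no rule simply carries no parsed fields (liblognorm
#    leaves $!originalmsg and $!unparsed-data, assumed here) and continues to
#    every action below, which is the answer to question 1. Only a rulebase
#    that fails to load would stop output; "rsyslogd -N1" reports that at
#    config check time.
template(name="json" type="list") {
    constant(value="{\"time\":\"")      property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")    property(name="hostname" format="json")
    constant(value="\",\"program\":\"") property(name="programname" format="json")
    constant(value="\",\"msg\":\"")     property(name="msg" format="json")
    constant(value="\",\"parsed\":")    property(name="$!all-json")   # fields mmnormalize extracted
    constant(value="}\n")
}

# 4. Everything to the remote collector as one JSON object per line (question 2).
action(type="omfwd" target="logs.example.com" port="10514" protocol="tcp" template="json")

# 5. And everything to the local files. Keep the selector lines from the
#    distribution's stock rsyslog.conf here; two typical ones shown.
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
```

The action order matters: mmnormalize must precede the omfwd action, because the JSON template reads `$!all-json`, which is empty until the parser has run. For the "full debug log" Rainer asks for, run the daemon in the foreground with `rsyslogd -dn`, and check the rulebase loads cleanly first with `rsyslogd -N1`; a parser that failed to load is the one case where a mmnormalize stage silently stops downstream output.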

