On Sun, 25 Oct 2015, mike _ wrote:
On 24 October 2015 at 00:18, David Lang <[email protected]> wrote:
To troubleshoot this sort of thing, write a log file with what you are going
to have mmnormalize look at (%msg% or %rawmsg% by default), and then test
your ruleset manually with
/usr/lib/lognorm/lognormalizer -r <rulebase file>
Add -v to get the gory details about what's happening (warning, don't try to
do this with a large config, extract just the part you're testing).
In your case, you don't specify rawmsg, so make a template that's just
"%msg%\n" and output your logs with that. Then you can test things.
David Lang
OK, that's helpful in that it makes me realise I think I've written
the sshd.rb rulebase to match on %rawmsg% and then I'm feeding it
%msg%, so nothing will match. But unfortunately it doesn't help me any
more than that. Maybe it should, and would if I understood more about
how rsyslog works, but it doesn't. I still can't get what I want
working at all.
I'm honestly not entirely sure what questions to even ask but I'm
going to try two:
1] If a log event is passed through mmnormalize and doesn't match any
of the rules, should it still get recorded somewhere? I would really
really appreciate an answer to that because I cannot find an answer
anywhere. I have experiences which indicate that the log event is
still recorded if it doesn't match any rules, but then I also see that
introducing mmnormalize with a rulebase that nothing matches to the
default ruleset means that nothing at all gets logged.

The log event doesn't get thrown away unless you explicitly tell rsyslog to do
so with 'stop' or '~' (or just don't have any rules that match the log and
trigger writing it out).
mmnormalize doesn't change anything. If something doesn't match anything in the
mmnormalize rules, it creates the 'original-msg' and 'unparsed-data' variables
instead.
To understand what's happening, look at the debugformat output before and after
the mmnormalize call.

2] I want to pass everything that comes in to rsyslog from imjournal
through mmnormalize. Some of the events will match stuff in the
rulebase, most of them won't. I then want everything to go to a
remote host in JSON and also have everything go in to the various
files under /var/log/ as specified in the default /etc/rsyslogd.conf.
Is this actually viable?

Yes. I have my leaf relay nodes collect everything, parse it if it's JSON, and
send everything on to the central server as JSON.

I have sending the content of a specified file, /var/log/fail2ban
(the fail2ban logtarget), through mmnormalize and then to the remote
host in JSON working. I have the default ruleset sending everything
from imjournal to the remote host in JSON plus files in /var/log/ working,
but when I try to get mmnormalize involved in that I get no output
anywhere and I have no idea why.

If adding the mmnormalize call causes you to get no output anywhere, then you
probably added a syntax error.
Run
rsyslogd -N2
and see what it reports.
David Lang
thanks,
mike
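The troubleshooting workflow David describes, put together as one added example (this is not code from the thread or from the rsyslog/liblognorm projects): a scratch directory holding a one-rule liblognorm rulebase, a constructed %msg%-only sample file, and an rsyslog config that dumps %msg% with a "%msg%\n" template, runs mmnormalize on it, ships everything as JSON to a collector and still writes the usual local files. The script then exposes the two checks from the reply: replaying the sample file through lognormalizer -r ... -v, and rsyslogd -N2 on the config. The scratch paths, the single sshd rule, the sample messages, the collector name collector.example.com, the lognormalizer path and the use of the "$!" root property inside the list template are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build a scratch rsyslog +
# liblognorm test setup and expose the two checks the reply recommends.
# Scratch dir, rule, sample messages and collector name are all constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LOGNORMALIZER="${LOGNORMALIZER:-/usr/lib/lognorm/lognormalizer}"

# 1. Rulebase (liblognorm v1 syntax). Only OpenSSH "Failed password" lines
#    match; anything else comes back as originalmsg/unparsed-data.
write_rulebase() {
  cat > "$WORK/sshd.rb" <<'EOF'
rule=sshd,auth_fail:Failed password for %user:word% from %src_ip:ipv4% port %src_port:number% ssh2
EOF
}

# 2. Constructed %msg% payloads, i.e. what the "%msg%\n" template would have
#    written: one line that matches the rule, one that deliberately does not.
#    Caveat: with classic syslog input (not imjournal) %msg% often starts with
#    a space, so a rule that starts at "Failed" silently misses.
write_samples() {
  cat > "$WORK/msgonly.log" <<'EOF'
Failed password for root from 203.0.113.7 port 51022 ssh2
Invalid user admin from 203.0.113.7 port 51023
EOF
}

# 3. rsyslog config: dump %msg%, normalize, ship JSON, keep local files.
write_config() {
  cat > "$WORK/rsyslog.conf" <<EOF
module(load="imjournal" StateFile="imjournal.state")
module(load="mmnormalize")
global(workDirectory="$WORK")

# Exactly the bytes mmnormalize will see (useRawMsg="off" means %msg%),
# so the same file can be replayed through lognormalizer.
template(name="msgonly" type="string" string="%msg%\n")
action(type="omfile" file="$WORK/msgonly.log" template="msgonly")

# Parse. A miss does NOT drop the message; \$! just gets originalmsg and
# unparsed-data instead of the rule's fields.
action(type="mmnormalize" rulebase="$WORK/sshd.rb" useRawMsg="off")

# Everything, parsed or not, as one JSON object per line to the collector.
# Assumption: the "\$!" root property renders the whole parsed tree.
template(name="jsonout" type="list") {
  constant(value="{\"host\":\"")   property(name="hostname" format="json")
  constant(value="\",\"tag\":\"")  property(name="syslogtag" format="json")
  constant(value="\",\"msg\":\"")  property(name="msg" format="json")
  constant(value="\",\"parsed\":") property(name="\$!")
  constant(value="}\n")
}
action(type="omfwd" target="collector.example.com" port="6514" protocol="tcp" template="jsonout")

# No "stop" above, so the stock file rules still fire for every message.
*.info;mail.none;authpriv.none;cron.none   $WORK/messages
authpriv.*                                 $WORK/secure
EOF
}

# A syntax error is the usual reason a new mmnormalize action makes all
# output vanish; -N2 parses the config and loads modules without starting.
check_config() {
  rsyslogd -N2 -f "$WORK/rsyslog.conf"
}

# Replay the %msg%-only file through the rulebase outside rsyslog. -v prints
# the parse trace; the unmatched line is reported as originalmsg/unparsed-data.
test_rulebase() {
  "$LOGNORMALIZER" -r "$WORK/sshd.rb" -v < "$WORK/msgonly.log"
}

write_all() {
  write_rulebase
  write_samples
  write_config
  echo "$WORK"
}

# "sh script.sh" only writes the scratch files; "sh script.sh check" also
# runs both checks, which need rsyslogd and lognormalizer installed.
case "${1:-write}" in
  write) write_all ;;
  check) write_all; check_config; test_rulebase ;;
esac
```

Run it with `check` on a box that has rsyslog and liblognorm; the -v trace from lognormalizer is the fastest way to see at which literal or field a rule stops matching, and -N2 is what tells you the config never loaded at all.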
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.