Resending as the list bounced the first try

On Thu, 10 Mar 2016, David Lang wrote:

On Fri, 11 Mar 2016, holo wrote:

Hello

I'm trying to use this .rb file to parse logs:

version=2

rule=:%Server:char-to:\t%\t%stamp:char-to:\t%\t%ip:ipv4%\t%Site:char-to:\t%\t%BID:char-to:\t%\t%SID:char-to:\t%\t%LD:char-to:\t%\t%UserID:char-to:\t%\t%logged:char-to:\t%\t%event:char-to:\t%\t%User_Agent:char-to:\t%\t%Parameters:rest%

The problem is that for strings only "char-to" works; any other, like "string-to" or "rest", doesn't want to work. I figured out most of the things with "char-to" but still need to take everything till the end of the line from one point. How can I do it? The second thing is that in rsyslog 8.17 the settings below are not working:
Here is my example log where my \t characters are changed:
Mar 10 10:57:35 servername log_tag servername.at.google.com#01120160310105735#01144.44.44.443#011app#011162040-1441908796007#011918408-1457625732031#0110#0110#011N#011pageview#011Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36#011deviceClass=desktop#011pageName=login#011referrer=#011clickId=#011mseg=

I set this option in the main configuration file to let rsyslog know I don't want such a change:
global (
   parser.escapeControlCharactersCStyle="off"
)

But rsyslog is still changing \t characters to #011, as you can see in the log example, and because of that lognormalizer is not doing its job. How can I force it not to do that?

Some parser modules force escaping of control characters. Not seeing the full config, it's hard to know what's happening.

I actually force the escaping and then include the #nnn values in my rulebase files. I find that works far better than letting logs get split into multiple lines and trying to run mmnormalize against the results.

Long term, this is another example of why we need an option to exempt tab from the escaping of control characters.

David Lang
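
The approach described in the reply above (keep the escaping and treat the `#011` sequences as the field delimiter), sketched in Python as an added example; it is not code from this thread and not a liblognorm rulebase. The field names come from the rule in the question, the sample line is the one from the question with the User-Agent shortened, and the syslog header layout is an assumption read off that one sample.

```python
import ipaddress

# Field names in the order used by the rule in the question; the last takes the rest.
FIELDS = ["Server", "stamp", "ip", "Site", "BID", "SID", "LD", "UserID",
          "logged", "event", "User_Agent", "Parameters"]
TAB_ESCAPE = "#011"  # escaped form of \t (octal 011) as it appears in the sample

# Sample line from the question, User-Agent shortened for readability.
SAMPLE = ("Mar 10 10:57:35 servername log_tag "
          "servername.at.google.com#01120160310105735#01144.44.44.443#011app"
          "#011162040-1441908796007#011918408-1457625732031#0110#0110#011N"
          "#011pageview#011Mozilla/5.0 (X11; Linux x86_64)"
          "#011deviceClass=desktop#011pageName=login#011referrer=#011clickId=#011mseg=")


def parse_line(line):
    """Split one escaped log line into the rule's fields, or return None."""
    # Assumption: header is "Mon DD HH:MM:SS host tag", as in the sample line.
    header = line.split(None, 5)
    if len(header) < 6:
        return None
    # maxsplit leaves every later "#011" inside Parameters, like a "rest" field.
    parts = header[5].split(TAB_ESCAPE, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None  # too few delimiters: not this log format
    rec = dict(zip(FIELDS, parts))
    try:
        ipaddress.IPv4Address(rec["ip"])
        rec["ip_valid"] = True
    except ipaddress.AddressValueError:
        # The sample's last octet (443) is out of range, so it lands here.
        rec["ip_valid"] = False
    # Parameters is itself a "#011"-separated list of key=value pairs.
    rec["params"] = dict(p.partition("=")[::2]
                         for p in rec["Parameters"].split(TAB_ESCAPE))
    return rec


if __name__ == "__main__":
    for key, value in parse_line(SAMPLE).items():
        print(f"{key}: {value}")
```

Running a few captured lines through a check like this before writing the rulebase shows whether every field splits cleanly on the escaped delimiter and whether typed fields such as the address would pass validation.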