On Fri, 2016-03-11 at 11:00 -0800, David Lang wrote:
> I actually force the escaping and then include the #nnn values in my rulebase
> files. I find that works far better than letting logs get split into multiple
> lines and trying to run mmnormalize against the results.
Thank you for your answer. I can do that, but like I wrote, the "string-to"
and "rest" types are not working in my rulebase, so I can't look for
"#nnn" in my logs, only characters. Why is it happening? Here is an
example for "rest":
[root@logs rsyslog_workdir]# cat test.log
server.google.info 20160302045959 123.7.6.93 mweb 862055-1456923595234 579265-1456923595235 0 0 N search Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+ query=english referrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results pageName=dic origin= mseg=89 deviceClass=mobile
[root@logs rsyslog_workdir]# cat test.log|lognormalizer -r test.rb -e json
{"originalmsg": "server.google.info\t20160302045959\t123.7.6.93\tmweb\t862055-1456923595234\t579265-1456923595235\t0\t0\tN\tsearch\tMozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+\tquery=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile", "unparsed-data": "query=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile"}
[root@logs rsyslog_workdir]# cat test.rb
version=2
rule=:%Server:char-to:\t%\t%stamp:char-to:\t%\t%ip:ipv4%\t%Site:char-to:\t%\t%BID:char-to:\t%\t%SID:char-to:\t%\t%LD:char-to:\t%\t%UserID:char-to:\t%\t%logged:char-to:\t%\t%event:char-to:\t%\t%User_Agent:char-to:\t%\t%Parameters:rest%
[root@logs rsyslog_workdir]#
//Robert
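As an added debugging aid (not code from this thread and not liblognorm's own implementation): a small Python re-implementation of the char-to, ipv4 and rest matching that the rulebase above relies on, driven by the posted rule= line and the posted log line with its tabs restored. It shows that the eleven char-to fields consume everything up to query=english, so the text lognormalizer reports as unparsed-data is exactly what the rest parser should have taken, which localises the problem to that last parser rather than to an earlier field. The parser semantics are simplified assumptions (for instance, an empty char-to field is treated as a mismatch), and the sample line is constructed from the message in the thread.

```python
import re
SAMPLE = "\t".join([  # constructed: the posted test.log line with its tabs restored
    "server.google.info", "20160302045959", "123.7.6.93", "mweb", "862055-1456923595234",
    "579265-1456923595235", "0", "0", "N", "search",
    "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+",
    "query=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results"
    "\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile",
])
RULE = (r"rule=:%Server:char-to:\t%\t%stamp:char-to:\t%\t%ip:ipv4%\t%Site:char-to:\t%"  # from test.rb
        r"\t%BID:char-to:\t%\t%SID:char-to:\t%\t%LD:char-to:\t%\t%UserID:char-to:\t%"
        r"\t%logged:char-to:\t%\t%event:char-to:\t%\t%User_Agent:char-to:\t%\t%Parameters:rest%")

def compile_rule(rule):
    """Tokenize the text after "rule=:" into %name:type[:arg]% fields and literals."""
    parts = []
    for field, lit in re.findall(r"%([^%]*)%|([^%]+)", rule.split("=:", 1)[1]):
        if lit:
            parts.append(("lit", lit.replace(r"\t", "\t")))
        else:
            name, ptype, arg = (field.split(":", 2) + [""])[:3]
            parts.append(("field", name, ptype, arg.replace(r"\t", "\t")))
    return parts

def normalize(line, parts):
    """Match left to right; like lognormalizer -e json, return the fields on
    success, otherwise originalmsg plus the remainder from the failure point."""
    out, pos = {}, 0
    for p in parts:
        if p[0] == "lit":                       # literal text must match exactly
            ok, end = line.startswith(p[1], pos), pos + len(p[1])
        elif p[2] == "char-to":                 # up to, not including, the delimiter
            end = line.find(p[3], pos)
            ok = end > pos                      # missing delimiter or empty field fails
        elif p[2] == "ipv4":                    # dotted quad, octets 0..255
            m = re.match(r"\d{1,3}(?:\.\d{1,3}){3}", line[pos:])
            ok = bool(m) and max(int(o) for o in m.group().split(".")) < 256
            end = pos + m.end() if m else pos
        elif p[2] == "rest":                    # everything that is left
            ok, end = True, len(line)
        else:
            raise ValueError("unsupported parser type: " + p[2])
        if not ok:
            return {"originalmsg": line, "unparsed-data": line[pos:]}
        if p[0] == "field":
            out[p[1]] = line[pos:end]
        pos = end
    if pos != len(line):                        # rule matched but input remains
        return {"originalmsg": line, "unparsed-data": line[pos:]}
    return out
```

Calling normalize(SAMPLE, compile_rule(RULE)) yields all twelve fields, with Parameters holding the full query=english... tail; swapping the address for an invalid one such as 999.7.6.93 yields an unparsed-data entry beginning at that address, which is the same shape of output lognormalizer produced above.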
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog