On Sat, 12 Mar 2016, holo wrote:

On Fri, 2016-03-11 at 11:00 -0800, David Lang wrote:
> I actually force the escaping and then include the #nnn values in my rulebase
> files. I find that works far better than letting logs get split into multiple
> lines and trying to run mmnormalize against the results.
Thank you for your answer. I can do that, but like I wrote, the "string-to"
and "rest" types are not working in my rulebase, so I can't look for
"#nnn" in my logs, only characters. Why is it happening? Here is an
example for "rest":
[root@logs rsyslog_workdir]# cat test.log 
server.google.info	20160302045959	123.7.6.93	mweb	862055-1456923595234	579265-1456923595235	0	0	N	search	Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+	query=english	referrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results	pageName=dic	origin=	mseg=89	deviceClass=mobile
[root@logs rsyslog_workdir]# cat test.log | lognormalizer -r test.rb -e json
{"originalmsg": "server.google.info\t20160302045959\t123.7.6.93\tmweb\t862055-1456923595234\t579265-1456923595235\t0\t0\tN\tsearch\tMozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+\tquery=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile",
 "unparsed-data": "query=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile"}
[root@logs rsyslog_workdir]# cat test.rb 
version=2
rule=:%Server:char-to:\t%\t%stamp:char-to:\t%\t%ip:ipv4%\t%Site:char-to:\t%\t%BID:char-to:\t%\t%SID:char-to:\t%\t%LD:char-to:\t%\t%UserID:char-to:\t%\t%logged:char-to:\t%\t%event:char-to:\t%\t%User_Agent:char-to:\t%\t%Parameters:rest%
[root@logs rsyslog_workdir]# 

Ok, here you have disabled the escaping of characters, so you have tabs in your log messages.

If you look at the message, it is parsing things up until the query, which is your rest item. I would want to run this with -v to make sure that it really is parsing all the data that it looks like it does, and then see what it complains about not matching when it gets down to the end.

If you did have the escaping enabled, you would change \t to #011 in the rules, and you would have to use string-to instead of char-to in the rules.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
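As an added illustration of the two input shapes discussed in this thread (not code from either poster or from the liblognorm project), the following Python script parses the tab-separated record from test.log twice: once as the raw line with real tabs, and once after the record has been escaped the way rsyslog does when control-character escaping is on, with every tab rendered as the four-character string "#011". The field list mirrors the names in holo's rulebase, and the separator argument plays the role of the terminator that char-to (a single character) or string-to (a string such as "#011") would look for. The sample record is constructed from the posted line; the escaping function is an assumption about rsyslog's "#" plus three-digit-octal convention and is not rsyslog's own code.

```python
"""Added example (not from the thread): parse the tab-separated web log
record both as raw input and after rsyslog-style control-character
escaping, mirroring the fields named in the posted rulebase."""
import ipaddress
from typing import Dict, List

# The 11 named fields in the posted rulebase, in order; everything after
# them is the 'Parameters' rest field.
FIELDS: List[str] = ["Server", "stamp", "ip", "Site", "BID", "SID", "LD",
                     "UserID", "logged", "event", "User_Agent"]

# Constructed sample record modelled on the test.log line in the thread.
RAW_RECORD = "\t".join([
    "server.google.info", "20160302045959", "123.7.6.93", "mweb",
    "862055-1456923595234", "579265-1456923595235", "0", "0", "N", "search",
    "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) "
    "Version/10.2.1.3247 Mobile Safari/537.35+",
    "query=english",
    "referrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results",
    "pageName=dic", "origin=", "mseg=89", "deviceClass=mobile",
])


def escape_control_chars(msg: str) -> str:
    """Replace each control character with '#' + its 3-digit octal code.

    Assumption: this is the '#nnn' form rsyslog emits when control-character
    escaping on receive is enabled; a tab (0x09) becomes '#011'.
    """
    return "".join(f"#{ord(c):03o}" if ord(c) < 0x20 or ord(c) == 0x7F else c
                   for c in msg)


def parse_record(line: str, sep: str) -> Dict[str, str]:
    """Split one record into the rulebase's fields.

    sep is the field terminator as it really appears in the input: a tab for
    unescaped input (what char-to:\\t looks for) or the string '#011' for
    escaped input, which a one-character char-to terminator can never match
    and which therefore needs string-to in the rulebase.
    """
    parts = line.split(sep, len(FIELDS))
    if len(parts) != len(FIELDS) + 1:
        raise ValueError(f"expected {len(FIELDS) + 1} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts[:-1]))
    rec["Parameters"] = parts[-1]          # the rest of the line, untouched
    ipaddress.IPv4Address(rec["ip"])       # same sanity check as the ipv4 parser
    return rec


def parse_parameters(params: str, sep: str) -> Dict[str, str]:
    """Break the rest field into key=value pairs.

    A value may be empty ('origin=') and may itself contain '=' or '&'
    (the referrer URL), so split only on the first '='.
    """
    out: Dict[str, str] = {}
    for item in params.split(sep):
        key, _, value = item.partition("=")
        out[key] = value
    return out


if __name__ == "__main__":
    import json
    raw = parse_record(RAW_RECORD, "\t")
    escaped_line = escape_control_chars(RAW_RECORD)
    esc = parse_record(escaped_line, "#011")
    print(json.dumps(raw, indent=2))
    print(json.dumps(parse_parameters(esc["Parameters"], "#011"), indent=2))
```

Running parse_record on the raw line with "#011" as the separator raises ValueError, because the four-character terminator never occurs in tab-separated input; that is the same mismatch David describes between a char-to terminator and escaped "#nnn" data, just from the other side. With escaping left on in rsyslog, the rulebase would instead be written along the lines of `%Server:string-to:#011%#011%stamp:string-to:#011%...`, i.e. "#011" as the literal between fields and string-to in place of char-to, as David's reply suggests.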
