rest is part of only the most recent versions of liblognorm. I know it's in 2.0, I don't remember if it's in 1.13 or not. So you need to upgrade to at least the current version, if not the development version.
David Lang
On Wed, 16 Mar 2016, holo wrote:
Date: Wed, 16 Mar 2016 13:36:59 +0100
From: holo <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] rsyslog 8.17 mmnormalizer problem and characters change
Hello
Sorry for not responding for so long. I checked it with the "-v" option and, like I wrote, "rest" and "string-to" are not working for me. Here are the errors:
liblognorm: ERROR: invalid field type 'rest'
and
liblognorm: ERROR: invalid field type 'string-to'
Looks like they are not supported. My version of liblognorm is:
Installed Packages
Name : liblognorm
Arch : x86_64
Version : 0.3.7
Release : 3.el7
//Robert
On Sat, 2016-03-12 at 15:42 -0800, David Lang wrote:
On Sat, 12 Mar 2016, holo wrote:
> On Fri, 2016-03-11 at 11:00 -0800, David Lang wrote:
>> > I actually force the escaping and then include the #nnn values in my rulebase files. I find that works far better than letting logs get split into multiple lines and trying to run mmnormalize against the results.
> Thank you for your answer. I can do that, but like I wrote, the "string-to" and "rest" types are not working in my rulebase, so I can't look for "#nnn" in my logs, only characters. Why is it happening? Here is an example for "rest":
> [root@logs rsyslog_workdir]# cat test.log
> server.google.info 20160302045959 123.7.6.93 mweb 862055-1456923595234 579265-1456923595235 0 0 N search Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+ query=english referrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results pageName=dic origin= mseg=89 deviceClass=mobile
> [root@logs rsyslog_workdir]# cat test.log|lognormalizer -r test.rb -e json
> {"originalmsg": "server.google.info\t20160302045959\t123.7.6.93\tmweb\t862055-1456923595234\t579265-1456923595235\t0\t0\tN\tsearch\tMozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+\tquery=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile", "unparsed-data": "query=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile"}
> [root@logs rsyslog_workdir]# cat test.rb
> version=2
> rule=:%Server:char-to:\t%\t%stamp:char-to:\t%\t%ip:ipv4%\t%Site:char-to:\t%\t%BID:char-to:\t%\t%SID:char-to:\t%\t%LD:char-to:\t%\t%UserID:char-to:\t%\t%logged:char-to:\t%\t%event:char-to:\t%\t%User_Agent:char-to:\t%\t%Parameters:rest%
> [root@logs rsyslog_workdir]#
Ok, here you have disabled the escaping of characters, so you have tabs in your log messages.
If you look at the message, it is parsing things up until the query, which is your rest item. I would want to run this with -v to make sure that it really is parsing all the data that it looks like it does, and then see what it complains about not matching when it gets down to the end.
If you did have the escaping enabled, you would change \t to #011 in the rules, and you would have to use string-to instead of char-to in the rules.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.
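As an added illustration (not code from the thread, from rsyslog or from liblognorm), a small Python matcher for the field types discussed above, run on a constructed copy of the posted record: it applies the raw-tab char-to rule to the unescaped line, the #011/string-to rule to the line after rsyslog-style control-character escaping, and shows that mixing the two modes yields the unparsed-data result. The field-type semantics are a simplified imitation of liblognorm, not its implementation, and the rule is assumed to end in a field.

```python
import re

# Constructed sample: the tab-separated record posted in the thread, cut down
# to the first 11 fields plus two key=value parameters (tabs made explicit).
RAW = ("server.google.info\t20160302045959\t123.7.6.93\tmweb\t862055-1456923595234"
       "\t579265-1456923595235\t0\t0\tN\tsearch\tMozilla/5.0 (BB10; Touch)"
       "\tquery=english\treferrer=http://www.bing.com/search?q=dictionary")
FIELDS = ["Server", "stamp", "ip", "Site", "BID", "SID", "LD", "UserID",
          "logged", "event", "User_Agent"]

def build_rule(sep, ftype):
    """Rule body shaped like the poster's: 'ip' is ipv4, the tail is rest."""
    parts = ["%ip:ipv4%" if f == "ip" else f"%{f}:{ftype}:{sep}%" for f in FIELDS]
    return sep.join(parts) + sep + "%Parameters:rest%"

RULE_RAW = build_rule("\t", "char-to")      # raw tabs, as in the posted test.rb
RULE_ESC = build_rule("#011", "string-to")  # after rsyslog escaping: tab -> #011

def escape_control(msg):
    """Mimic rsyslog's control-character escaping: each ctrl char -> #ooo (octal)."""
    return re.sub(r"[\x00-\x1f]", lambda m: "#%03o" % ord(m.group()), msg)

TOKEN = re.compile(r"%([^:%]+):([a-z0-9-]+)(?::([^%]*))?%")  # %name:type[:arg]%
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def normalize(rule, msg):
    """Simplified imitation of liblognorm matching for the field types in the
    thread; returns the fields, or {'unparsed-data': remainder} on a mismatch."""
    out, pos, rpos = {}, 0, 0
    for m in TOKEN.finditer(rule):
        lit = rule[rpos:m.start()]              # literal text before this field
        if not msg.startswith(lit, pos):
            return {"unparsed-data": msg[pos:]}
        pos, rpos = pos + len(lit), m.end()
        name, ftype, arg = m.groups()
        if ftype in ("char-to", "string-to"):   # char-to: one char; string-to: a string
            end = msg.find(arg, pos)
            if end < 0:
                return {"unparsed-data": msg[pos:]}
            out[name], pos = msg[pos:end], end
        elif ftype == "ipv4":
            ip = IPV4.match(msg, pos)
            if not ip:
                return {"unparsed-data": msg[pos:]}
            out[name], pos = ip.group(0), ip.end()
        elif ftype == "rest":                   # the type missing in liblognorm 0.3.7
            out[name], pos = msg[pos:], len(msg)
        else:
            raise ValueError(f"invalid field type '{ftype}'")
    return out if pos == len(msg) else {"unparsed-data": msg[pos:]}
```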