Thank you for your effort, I think that's answering my questions.
//Robert
On Wed, 2016-03-16 at 05:53 -0700, David Lang wrote:
> rest is part of only the most recent versions of liblognorm. I know
> it's in 2.0, I don't remember if it's in 1.13 or not.
> So you need to upgrade to at least the current version, if not the
> development version.
>
> David Lang
>
> On Wed, 16 Mar 2016, holo wrote:
>
> > Date: Wed, 16 Mar 2016 13:36:59 +0100
> > From: holo <[email protected]>
> > Reply-To: rsyslog-users <[email protected]>
> > To: rsyslog-users <[email protected]>
> > Subject: Re: [rsyslog] rsyslog 8.17 mmnormalizer problem and characters change
> >
> > Hello
> > Sorry for not responding for so long. I checked it with the "-v" option and,
> > like I wrote, "rest" and "string-to" are not working for me. Here are the
> > errors:
> > liblognorm: ERROR: invalid field type 'rest'
> > and
> > liblognorm: ERROR: invalid field type 'string-to'
> > It looks like they are not supported. My version of liblognorm is:
> > Installed Packages
> > Name : liblognorm
> > Arch : x86_64
> > Version : 0.3.7
> > Release : 3.el7
> > //Robert
> > On Sat, 2016-03-12 at 15:42 -0800, David Lang wrote:
> >> On Sat, 12 Mar 2016, holo wrote:
> >>
> >> > On Fri, 2016-03-11 at 11:00 -0800, David Lang wrote:
> >> >> > I actually force the escaping and then include the #nnn values in
> >> >> > my rulebase files. I find that works far better than letting logs
> >> >> > get split into multiple lines and trying to run mmnormalize against
> >> >> > the results.
> >> > Thank you for your answer. I can do that, but like I wrote, the
> >> > "string-to" and "rest" types are not working in my rulebase, so I can't
> >> > look for "#nnn" in my logs, only characters. Why is this happening?
> >> > Here is an example for "rest":
> >> > [root@logs rsyslog_workdir]# cat test.log
> >> > server.google.info 20160302045959 123.7.6.93 mweb 862055-1456923595234 579265-1456923595235 0 0 N search Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+ query=english referrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results pageName=dic origin= mseg=89 deviceClass=mobile
> >> > [root@logs rsyslog_workdir]# cat test.log|lognormalizer -r test.rb -e json
> >> > {"originalmsg": "server.google.info\t20160302045959\t123.7.6.93\tmweb\t862055-1456923595234\t579265-1456923595235\t0\t0\tN\tsearch\tMozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+\tquery=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile", "unparsed-data": "query=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile"}
> >> > [root@logs rsyslog_workdir]# cat test.rb
> >> > version=2
> >> > rule=:%Server:char-to:\t%\t%stamp:char-to:\t%\t%ip:ipv4%\t%Site:char-to:\t%\t%BID:char-to:\t%\t%SID:char-to:\t%\t%LD:char-to:\t%\t%UserID:char-to:\t%\t%logged:char-to:\t%\t%event:char-to:\t%\t%User_Agent:char-to:\t%\t%Parameters:rest%
> >> > [root@logs rsyslog_workdir]#
> >>
> >> Ok, here you have disabled the escaping of characters, so you have
> >> tabs in your log messages.
> >>
> >> If you look at the message, it is parsing things up until the query,
> >> which is your rest item. I would want to run this with -v to make sure
> >> that it really is parsing all the data that it looks like it does, and
> >> then see what it complains about not matching when it gets down to the
> >> end.
> >>
> >> If you did have the escaping enabled, you would change \t to #011 in
> >> the rules, and you would have to use string-to instead of char-to in
> >> the rules.
> >>
> >> David Lang
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> >> POST if you DON'T LIKE THAT.
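A worked model of the point made above about escaping and field types, added here as an example; it is not code from the thread, from rsyslog or from liblognorm. It reimplements in Python just enough of the v1 field syntax (%name:type[:extra]% with char-to, string-to, ipv4 and rest) to run the thread's rule against the thread's sample line, models rsyslog's control-character escaping (a TAB becomes #011), and applies the rewrite David describes (\t to #011, char-to to string-to). Assumptions: a `\t` in a rule stands for a TAB character, the escaping model covers only characters below 0x20, and LEGACY_TYPES is a hypothetical reduced type set standing in for an older build that rejects rest and string-to at load time. The real liblognorm matcher is not this code.

```python
"""Model of the rule/escaping interaction from the thread (added example,
not liblognorm's own parser)."""
import re
from typing import Dict, List, Optional, Tuple

SUPPORTED_TYPES = frozenset({"char-to", "string-to", "ipv4", "rest"})
# Hypothetical reduced type set standing in for an older build that
# rejects newer field types when the rulebase is loaded.
LEGACY_TYPES = frozenset({"char-to", "ipv4"})

# Sample message taken from the thread (tab-separated, unescaped).
RAW_LINE = "\t".join([
    "server.google.info", "20160302045959", "123.7.6.93", "mweb",
    "862055-1456923595234", "579265-1456923595235", "0", "0", "N", "search",
    "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) "
    "Version/10.2.1.3247 Mobile Safari/537.35+",
    "query=english",
    "referrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results",
    "pageName=dic", "origin=", "mseg=89", "deviceClass=mobile",
])

# The rule from the thread on one line. \t stays a two-character escape
# here; compile_rule turns it into a real TAB (assumption about rule syntax).
RULE_TABS = (r"%Server:char-to:\t%\t%stamp:char-to:\t%\t%ip:ipv4%\t%Site:char-to:\t%\t"
             r"%BID:char-to:\t%\t%SID:char-to:\t%\t%LD:char-to:\t%\t%UserID:char-to:\t%\t"
             r"%logged:char-to:\t%\t%event:char-to:\t%\t%User_Agent:char-to:\t%\t"
             r"%Parameters:rest%")
# The rewrite for escaped input: \t -> #011 and char-to -> string-to.
RULE_ESCAPED = RULE_TABS.replace(r"\t", "#011").replace("char-to", "string-to")

FIELD_RE = re.compile(r"%([^:%]+):([^:%]+)(?::([^%]*))?%")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def escape_control_chars(msg: str) -> str:
    """Model of rsyslog's escaping: a control character becomes '#' plus
    its three-digit octal code, so TAB (9) becomes '#011'."""
    return "".join(f"#{ord(c):03o}" if ord(c) < 32 else c for c in msg)


Step = Tuple  # ("lit", text) or ("field", name, type, extra)


def compile_rule(rule: str, supported=SUPPORTED_TYPES) -> List[Step]:
    """Split a rule body into literal and field steps, rejecting unknown
    field types the way a rulebase load would."""
    rule = rule.replace(r"\t", "\t")
    steps: List[Step] = []
    pos = 0
    for m in FIELD_RE.finditer(rule):
        name, ftype, extra = m.groups()
        if ftype not in supported:
            raise ValueError(f"invalid field type '{ftype}'")
        if ftype in ("char-to", "string-to") and not extra:
            raise ValueError(f"field '{name}': {ftype} needs a delimiter")
        steps.append(("lit", rule[pos:m.start()]))
        steps.append(("field", name, ftype, extra))
        pos = m.end()
    steps.append(("lit", rule[pos:]))
    return steps


def load_error(rule: str, supported=SUPPORTED_TYPES) -> Optional[str]:
    """Error text a load of this rule would produce, or None if it loads."""
    try:
        compile_rule(rule, supported)
    except ValueError as exc:
        return str(exc)
    return None


def normalize(steps: List[Step], msg: str) -> Optional[Dict[str, str]]:
    """Apply compiled steps left to right; None means the rule did not match."""
    fields: Dict[str, str] = {}
    pos = 0
    for step in steps:
        if step[0] == "lit":
            if not msg.startswith(step[1], pos):
                return None
            pos += len(step[1])
            continue
        _, name, ftype, extra = step
        if ftype == "rest":                      # everything that is left
            fields[name] = msg[pos:]
            pos = len(msg)
        elif ftype in ("char-to", "string-to"):  # up to, not including, delimiter
            end = msg.find(extra, pos)
            if end < 0:
                return None
            fields[name] = msg[pos:end]
            pos = end
        elif ftype == "ipv4":
            m = IPV4_RE.match(msg, pos)
            if not m or any(int(o) > 255 for o in m.group(0).split(".")):
                return None
            fields[name] = m.group(0)
            pos = m.end()
    return fields if pos == len(msg) else None


def demo() -> Dict[str, Optional[Dict[str, str]]]:
    """Tab rule vs. raw and escaped input, and the rewritten rule vs. escaped."""
    escaped = escape_control_chars(RAW_LINE)
    return {
        "tab_rule_on_raw": normalize(compile_rule(RULE_TABS), RAW_LINE),
        "tab_rule_on_escaped": normalize(compile_rule(RULE_TABS), escaped),
        "escaped_rule_on_escaped": normalize(compile_rule(RULE_ESCAPED), escaped),
    }


if __name__ == "__main__":
    print("legacy load:", load_error(RULE_TABS, LEGACY_TYPES))
    for label, result in demo().items():
        print(label, "->", None if result is None else result["Parameters"])
```

Running it shows the three cases side by side: the tab rule matches the raw line and fails outright on the escaped one (there is no TAB left for char-to to find), the rewritten rule matches the escaped line with the same field values except that the rest field now carries #011 in place of each tab, and loading either rule under the reduced type set yields the same "invalid field type" text seen in the thread. The practical consequence is the one David states: decide first whether the receiver escapes control characters, then write every delimiter in the rulebase for that form.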