Hello
Sorry for not responding for so long. I checked it with the "-v" option and, as I
wrote, "rest" and "string-to" are not working for me. Here are the errors:
liblognorm: ERROR: invalid field type 'rest'
and 
liblognorm: ERROR: invalid field type 'string-to'
Looks like they are not supported. My version of liblognorm is:
Installed Packages
Name        : liblognorm
Arch        : x86_64
Version     : 0.3.7
Release     : 3.el7
//Robert
On Sat, 2016-03-12 at 15:42 -0800, David Lang wrote:
> On Sat, 12 Mar 2016, holo wrote:
> 
> > On Fri, 2016-03-11 at 11:00 -0800, David Lang wrote:
> >> > I actually force the escaping and then include the #nnn values in
> >> > my rulebase files. I find that works far better than letting logs
> >> > get split into multiple lines and trying to run mmnormalize against
> >> > the results.
> > Thank you for your answer. I can do that, but as I wrote, the "string-to"
> > and "rest" types are not working in my rulebase, so I can't look for
> > "#nnn" in my logs, only characters. Why is it happening? Here is an
> > example for "rest":
> > [root@logs rsyslog_workdir]# cat test.log
> > server.google.info    20160302045959  123.7.6.93      mweb    862055-1456923595234    579265-1456923595235    0       0       N       search  Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+   query=english   referrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results  pageName=dic    origin= mseg=89 deviceClass=mobile
> > [root@logs rsyslog_workdir]# cat test.log|lognormalizer -r test.rb -e json
> > {"originalmsg": "server.google.info\t20160302045959\t123.7.6.93\tmweb\t862055-1456923595234\t579265-1456923595235\t0\t0\tN\tsearch\tMozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile Safari/537.35+\tquery=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile", "unparsed-data": "query=english\treferrer=http://www.bing.com/search?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89\tdeviceClass=mobile"}
> > [root@logs rsyslog_workdir]# cat test.rb
> > version=2
> > rule=:%Server:char-to:\t%\t%stamp:char-to:\t%\t%ip:ipv4%\t%Site:char-to:\t%\t%BID:char-to:\t%\t%SID:char-to:\t%\t%LD:char-to:\t%\t%UserID:char-to:\t%\t%logged:char-to:\t%\t%event:char-to:\t%\t%User_Agent:char-to:\t%\t%Parameters:rest%
> > [root@logs rsyslog_workdir]#
> 
> Ok, here you have disabled the escaping of characters, so you have
> tabs in your log messages.
> 
> If you look at the message, it is parsing things up until the query,
> which is your rest item. I would want to run this with -v to make sure
> that it really is parsing all the data that it looks like it does, and
> then see what it complains about not matching when it gets down to the
> end.
> 
> If you did have the escaping enabled, you would change \t to #011 in
> the rules, and you would have to use string-to instead of char-to in
> the rules.
> 
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> POST if you DON'T LIKE THAT.
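As an added, stand-alone example (not code from the thread, from rsyslog or from liblognorm), the following Python script implements a small subset of liblognorm's v2 rule syntax (char-to, string-to, ipv4, rest) and runs the thread's rule over a constructed copy of the sample record, once with real tabs and once after rsyslog-style control-character escaping, to show why the separators have to change from char-to:\t to string-to:#011 once escaping is on. Assumptions made here: a backslash-t in a rule literal or field argument stands for a tab, rsyslog's escaping replaces a control character with '#' followed by its three-digit octal code, and the liblognorm behaviour for zero-length fields and for tags is not reproduced.

```python
import json
import re

# Constructed sample record modelled on the tab-separated line in the thread
# (the \t escapes below are real tab characters in the string).
RAW_LOG = (
    "server.google.info\t20160302045959\t123.7.6.93\tmweb\t862055-1456923595234"
    "\t579265-1456923595235\t0\t0\tN\tsearch\tMozilla/5.0 (BB10; Touch) "
    "AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.3247 Mobile "
    "Safari/537.35+\tquery=english\treferrer=http://www.bing.com/search"
    "?q=dictionary&PC=RIMBINGD&A=results\tpageName=dic\torigin=\tmseg=89"
    "\tdeviceClass=mobile"
)

# The thread's rule for unescaped input: char-to up to a literal tab.
RULE_TABS = (
    r"rule=:%Server:char-to:\t%\t%stamp:char-to:\t%\t%ip:ipv4%\t%Site:char-to:\t%"
    r"\t%BID:char-to:\t%\t%SID:char-to:\t%\t%LD:char-to:\t%\t%UserID:char-to:\t%"
    r"\t%logged:char-to:\t%\t%event:char-to:\t%\t%User_Agent:char-to:\t%"
    r"\t%Parameters:rest%"
)

# Same rule for escaped input: the separator is now the 4-character string
# "#011", which a single-character char-to cannot match, hence string-to.
RULE_ESCAPED = (
    "rule=:%Server:string-to:#011%#011%stamp:string-to:#011%#011%ip:ipv4%#011"
    "%Site:string-to:#011%#011%BID:string-to:#011%#011%SID:string-to:#011%#011"
    "%LD:string-to:#011%#011%UserID:string-to:#011%#011%logged:string-to:#011%"
    "#011%event:string-to:#011%#011%User_Agent:string-to:#011%#011%Parameters:rest%"
)

SUPPORTED_TYPES = {"char-to", "string-to", "ipv4", "rest"}
FIELD_RE = re.compile(r"%(?P<name>[^:%]+):(?P<type>[^:%]+)(?::(?P<extra>[^%]*))?%")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")


def unescape(text):
    """Assumption: backslash-t in a rule literal or field argument is a tab."""
    return text.replace("\\t", "\t")


def escape_control_chars(msg):
    """Assumed model of rsyslog's escaping: control char -> '#' + 3-digit octal.
    A tab (0x09) therefore becomes '#011'."""
    return "".join(f"#{ord(c):03o}" if ord(c) < 0x20 else c for c in msg)


def compile_rule(rule_line):
    """Split 'rule=[tags]:pattern' into literal and field parts. Unknown field
    types are rejected at load time, mirroring liblognorm's error text."""
    if not rule_line.startswith("rule="):
        raise ValueError("not a rule line")
    _tags, _, pattern = rule_line[len("rule="):].partition(":")
    parts, pos = [], 0
    for m in FIELD_RE.finditer(pattern):
        if m.start() > pos:
            parts.append(("lit", unescape(pattern[pos:m.start()])))
        ftype = m.group("type")
        if ftype not in SUPPORTED_TYPES:
            raise ValueError(f"invalid field type '{ftype}'")
        extra = m.group("extra")
        parts.append(("field", m.group("name"), ftype,
                      None if extra is None else unescape(extra)))
        pos = m.end()
    if pos < len(pattern):
        parts.append(("lit", unescape(pattern[pos:])))
    return parts


def normalize(msg, parts):
    """Match msg left to right. Success returns the fields; failure returns
    the liblognorm-style {"originalmsg", "unparsed-data"} pair."""
    fields, i = {}, 0
    for part in parts:
        if part[0] == "lit":
            if not msg.startswith(part[1], i):
                return {"originalmsg": msg, "unparsed-data": msg[i:]}
            i += len(part[1])
            continue
        _, name, ftype, extra = part
        if ftype in ("char-to", "string-to"):
            end = msg.find(extra, i)        # up to, not including, the terminator
        elif ftype == "ipv4":
            m = IPV4_RE.match(msg, i)
            end = m.end() if m else -1
        else:                               # rest: swallow everything left
            end = len(msg)
        if end < 0:
            return {"originalmsg": msg, "unparsed-data": msg[i:]}
        fields[name] = msg[i:end]
        i = end
    if i != len(msg):
        return {"originalmsg": msg, "unparsed-data": msg[i:]}
    return fields


def parse_unescaped(msg=RAW_LOG):
    """Escaping off: raw tabs, so the thread's char-to:\\t rule applies."""
    return normalize(msg, compile_rule(RULE_TABS))


def parse_escaped(msg=RAW_LOG):
    """Escaping on: tabs arrive as #011, so the string-to:#011 rule applies."""
    return normalize(escape_control_chars(msg), compile_rule(RULE_ESCAPED))


if __name__ == "__main__":
    print(json.dumps(parse_unescaped(), indent=1))
    print(json.dumps(parse_escaped(), indent=1))
    # The tab rule against escaped input fails on the first field: no tabs left.
    print(json.dumps(normalize(escape_control_chars(RAW_LOG), compile_rule(RULE_TABS))))
```

The first two dumps agree field for field, except that Parameters keeps the #011 separators instead of tabs; the third shows the tab rule failing outright on escaped input with the entire line reported as unparsed-data, the same shape of failure the thread's lognormalizer output has for a field it cannot consume. Leaving escaping on is also the safer choice for this kind of record: query and referrer are attacker-controlled, and a raw tab or newline smuggled into them would shift columns or split the record, whereas escaped they arrive as inert #011 or #012 text.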