I forgot:
With the provided rule file... why am I getting a bunch of these errors when
using /usr/lib/lognorm/lognormalizer?
{ "originalmsg": "127.0.0.1 - - [17\/Mar\/2016:18:15:31 +0100] \"GET \/redacted\/page HTTP\/1.1\" 200 1234", "unparsed-data": "" }
On 05/12/16 at 15:41, mosto...@gmail.com wrote:
Hi
Coming back to liblognorm, I have a few questions I'd love an expert
reply to. 0:D
*- Documentation [1] states how to define a type, but not how to use
it. Are we properly using the defined type "apache" in the configuration
below?*
- Apache access logs seem to have 2 formats: common and combined [2]
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "referrer" "useragent"
*How should we define our rulesets to have /optional/ fields?
- Our current workaround is to have a defined type and use it as part
of a longer rule. Is that ok?*
*- How could we define logic to set a field to "0" when content is
"-"? (bytes field)*
type=@apache:%[
{"type":"ipv4", "name":"ip"},
{"type":"literal", "text":" "},
{"type":"word", "name":"ident"},
{"type":"literal", "text":" "},
{"type":"word", "name":"user"},
{"type":"literal", "text":" ["},
{"type":"char-to", "name":"date", "extradata":"]"},
{"type":"literal", "text":"] \""},
{"type":"word", "name":"method"},
{"type":"literal", "text":" "},
{"type":"char-to", "name":"request", "extradata":" "},
{"type":"literal", "text":" HTTP/"},
{"type":"float", "name":"httpversion"},
{"type":"literal", "text":"\" "},
{"type":"number", "name":"response"},
{"type":"literal", "text":" "},
{"type":"number", "name":"bytes"}
]%
# combined format: a space separates the bytes field from the quoted referrer,
# another space separates referrer and user agent, and the closing quote must
# be consumed as well, otherwise the message is left with unparsed data
rule=access:%[
{"type":"@apache"},
{"type":"literal", "text":" \""},
{"type":"char-to", "name":"referrer", "extradata":"\""},
{"type":"literal", "text":"\" \""},
{"type":"char-to", "name":"useragent", "extradata":"\""},
{"type":"literal", "text":"\""}
]%
# common format: the message ends right after the bytes field
rule=access:%{"type":"@apache"}%
[1] http://www.liblognorm.com/files/manual/configuration.html
[2] https://httpd.apache.org/docs/2.4/logs.html#accesslog
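A rulebase that covers both Apache formats and the "-" bytes value in one place, as an added example rather than the poster's configuration. It assumes liblognorm v2 rulebase syntax, where the `alternative` parser tries its branches in order; since liblognorm records fields but does not rewrite their values, the "-" is matched as a literal and the bytes field is simply absent for such lines.

```text
version=2

# Shared prefix of both formats. The "alternative" parser accepts either
# a byte count or the bare "-" Apache writes when no body was sent; the
# "-" branch records no field, so a consumer reads "bytes absent" as 0.
type=@apache:%[
{"type":"ipv4", "name":"ip"},
{"type":"literal", "text":" "},
{"type":"word", "name":"ident"},
{"type":"literal", "text":" "},
{"type":"word", "name":"user"},
{"type":"literal", "text":" ["},
{"type":"char-to", "name":"date", "extradata":"]"},
{"type":"literal", "text":"] \""},
{"type":"word", "name":"method"},
{"type":"literal", "text":" "},
{"type":"char-to", "name":"request", "extradata":" "},
{"type":"literal", "text":" HTTP/"},
{"type":"float", "name":"httpversion"},
{"type":"literal", "text":"\" "},
{"type":"number", "name":"response"},
{"type":"literal", "text":" "},
{"type":"alternative", "parser":[
{"type":"number", "name":"bytes"},
{"type":"literal", "text":"-"}
]}
]%

# Combined format: the quoted referrer and user agent follow the bytes
# field, each separated by a single space, and the final quote must be
# consumed too or the message is left with unparsed data.
rule=access:%[
{"type":"@apache"},
{"type":"literal", "text":" \""},
{"type":"char-to", "name":"referrer", "extradata":"\""},
{"type":"literal", "text":"\" \""},
{"type":"char-to", "name":"useragent", "extradata":"\""},
{"type":"literal", "text":"\""}
]%

# Common format: the message ends right after the bytes field. Both rules
# carry the "access" tag, so annotations keyed on that tag apply to either.
rule=access:%{"type":"@apache"}%
```

If the consumer needs an explicit bytes value of 0 rather than an absent field, liblognorm's `annotate=` directive can attach a fixed field to a tagged rule, at the cost of a separate rule for the "-" case.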
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog