When troubleshooting things like this, create a rule file that is as minimal as you can get and parse with the -v option; it will show you what it's doing as it walks through the line.
I don't see how it parsed each message. Perhaps a debug option must be enabled?
number of tree nodes: 20
liblognorm: COMPONENT: @apache
liblognorm: subDAG 0x7f97bae1a650 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'ipv4', name 'ip': 'UNKNOWN': called 0
liblognorm: field type 'ipv4', name 'ip': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1b050 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1b180 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'word', name 'ident': 'UNKNOWN': called 0
liblognorm: field type 'word', name 'ident': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1b3e0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1b610 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'word', name 'user': 'UNKNOWN': called 0
liblognorm: field type 'word', name 'user': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1b780 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'literal', name '(null)': ' [': called 0
liblognorm: field type 'literal', name '(null)': ' [':
liblognorm: subDAG 0x7f97bae1b820 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'char-to', name 'date': 'UNKNOWN': called 0
liblognorm: field type 'char-to', name 'date': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1bc30 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'literal', name '(null)': '] "': called 0
liblognorm: field type 'literal', name '(null)': '] "':
liblognorm: subDAG 0x7f97bae1bdc0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'word', name 'method': 'UNKNOWN': called 0
liblognorm: field type 'word', name 'method': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1c050 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1c3c0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'char-to', name 'request': 'UNKNOWN': called 0
liblognorm: field type 'char-to', name 'request': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1c530 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'literal', name '(null)': ' HTTP/': called 0
liblognorm: field type 'literal', name '(null)': ' HTTP/':
liblognorm: subDAG 0x7f97bae1cbd0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'float', name 'httpversion': 'UNKNOWN': called 0
liblognorm: field type 'float', name 'httpversion': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1cd50 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'literal', name '(null)': '"': called 0
liblognorm: field type 'literal', name '(null)': '"':
liblognorm: subDAG 0x7f97bae1cf90 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1d200 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'number', name 'response': 'UNKNOWN': called 0
liblognorm: field type 'number', name 'response': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1d350 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
liblognorm: subDAG 0x7f97bae1d6e0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'word', name 'bytes': 'UNKNOWN': called 0
liblognorm: field type 'word', name 'bytes': 'UNKNOWN':
liblognorm: subDAG [TERM] 0x7f97bae1da80 (children: 0 parsers, ref 1) [called 0, backtracked 0]
liblognorm: MAIN COMPONENT:
liblognorm: subDAG 0x7f97bae190a0 (children: 0 parsers, ref 1) [called 0, backtracked 0]
liblognorm: MAIN COMPONENT (alternative):
liblognorm: 0x7f97bae190a0[ref 1]:
To normalize: '127.0.0.1 - - [17/Mar/2016:18:06:58 +0100] "GET /redacted HTTP/1.1" 200 62957'
liblognorm: 0: enter parser, dag node 0x7f97bae190a0, json 0x7f97bae1ba20
liblognorm: offs 0, strLen 102, isTerm 0
liblognorm: 0 returns -1000, pParsedTo 0, parsedTo 0
liblognorm: final result for normalizer: parsedTo 0, endNode (nil)
liblognorm: DONE, final return is -1000
normalized: '{ "originalmsg": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957", "unparsed-data": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957" }'
{ "originalmsg": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957", "unparsed-data": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957" }
liblognorm: exitCtx 0x7f97bae19010
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
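
One way to read a dump like the one above, as an added example that is not part of the original post or of liblognorm: it collects the parsers listed under each COMPONENT heading and the normalizer's final return value. The function names and the abridged sample are constructed here, and treating a return value of 0 as success is an assumption.

```python
import re

# Constructed sample: abridged lines in the format of the -v dump above (addresses shortened).
SAMPLE = """\
liblognorm: COMPONENT: @apache
liblognorm: subDAG 0x1 (children: 1 parsers, ref 1) [called 0, backtracked 0]
liblognorm: field type 'ipv4', name 'ip': 'UNKNOWN': called 0
liblognorm: field type 'ipv4', name 'ip': 'UNKNOWN':
liblognorm: field type 'literal', name '(null)': '] "': called 0
liblognorm: subDAG [TERM] 0x2 (children: 0 parsers, ref 1) [called 0, backtracked 0]
liblognorm: MAIN COMPONENT:
liblognorm: subDAG 0x3 (children: 0 parsers, ref 1) [called 0, backtracked 0]
liblognorm: MAIN COMPONENT (alternative):
liblognorm: final result for normalizer: parsedTo 0, endNode (nil)
liblognorm: DONE, final return is -1000
"""

def summarize(dump):
    """Group parser entries by component; works on flattened or line-per-message dumps."""
    out = {"components": {}, "parsed_to": None, "ret": None}
    current = None
    for rec in dump.split("liblognorm: "):
        rec = rec.strip()
        if m := re.match(r"COMPONENT: (\S+)", rec):
            current = m.group(1)
            out["components"].setdefault(current, [])
        elif m := re.match(r"MAIN COMPONENT( \(alternative\))?:", rec):
            current = "MAIN" + (m.group(1) or "")
            out["components"].setdefault(current, [])
        # Each parser is printed twice; only the copy with a call counter is kept.
        elif m := re.match(r"field type '([^']+)', name '([^']+)': .*called (\d+)", rec):
            out["components"].setdefault(current, []).append((m[1], m[2], int(m[3])))
        elif m := re.match(r"final result for normalizer: parsedTo (\d+)", rec):
            out["parsed_to"] = int(m[1])
        elif m := re.match(r"DONE, final return is (-?\d+)", rec):
            out["ret"] = int(m[1])
    return out

def diagnose(summary):
    """Report components with no parsers or no calls, and a non-zero final return (assumed failure)."""
    notes = []
    for name, fields in summary["components"].items():
        if not fields:
            notes.append(f"{name}: 0 parsers")
        elif all(called == 0 for _, _, called in fields):
            notes.append(f"{name}: {len(fields)} parsers, none called")
    if summary["ret"] not in (0, None):
        notes.append(f"normalizer returned {summary['ret']}, parsedTo {summary['parsed_to']}")
    return notes
```

Calling `diagnose(summarize(text))` on the captured stderr of a -v run gives a short list to check before reading the full dump.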