On Wed, 7 Dec 2016, [email protected] wrote:
>> when troubleshooting things like this, create a rule file that is as
>> minimal as you can get and parse with the -v option, it will show you what
>> it's doing as it walks through the line.
> I don't see how it parsed each message. Perhaps a debug option must be
> enabled?
>
> number of tree nodes: 20
> liblognorm: COMPONENT: @apache
> liblognorm: subDAG 0x7f97bae1a650 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'ipv4', name 'ip': 'UNKNOWN': called 0
> liblognorm: field type 'ipv4', name 'ip': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1b050 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1b180 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'word', name 'ident': 'UNKNOWN': called 0
> liblognorm: field type 'word', name 'ident': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1b3e0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1b610 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'word', name 'user': 'UNKNOWN': called 0
> liblognorm: field type 'word', name 'user': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1b780 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'literal', name '(null)': ' [': called 0
> liblognorm: field type 'literal', name '(null)': ' [':
> liblognorm: subDAG 0x7f97bae1b820 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'char-to', name 'date': 'UNKNOWN': called 0
> liblognorm: field type 'char-to', name 'date': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1bc30 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'literal', name '(null)': '] "': called 0
> liblognorm: field type 'literal', name '(null)': '] "':
> liblognorm: subDAG 0x7f97bae1bdc0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'word', name 'method': 'UNKNOWN': called 0
> liblognorm: field type 'word', name 'method': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1c050 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1c3c0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'char-to', name 'request': 'UNKNOWN': called 0
> liblognorm: field type 'char-to', name 'request': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1c530 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'literal', name '(null)': ' HTTP/': called 0
> liblognorm: field type 'literal', name '(null)': ' HTTP/':
> liblognorm: subDAG 0x7f97bae1cbd0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'float', name 'httpversion': 'UNKNOWN': called 0
> liblognorm: field type 'float', name 'httpversion': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1cd50 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'literal', name '(null)': '"': called 0
> liblognorm: field type 'literal', name '(null)': '"':
> liblognorm: subDAG 0x7f97bae1cf90 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1d200 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'number', name 'response': 'UNKNOWN': called 0
> liblognorm: field type 'number', name 'response': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1d350 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
> liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
> liblognorm: subDAG 0x7f97bae1d6e0 (children: 1 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: field type 'word', name 'bytes': 'UNKNOWN': called 0
> liblognorm: field type 'word', name 'bytes': 'UNKNOWN':
> liblognorm: subDAG [TERM] 0x7f97bae1da80 (children: 0 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: MAIN COMPONENT:
> liblognorm: subDAG 0x7f97bae190a0 (children: 0 parsers, ref 1) [called 0, backtracked 0]
> liblognorm: MAIN COMPONENT (alternative):
> liblognorm: 0x7f97bae190a0[ref 1]:
Everything before this is setup. What does the test rule file look like?
> To normalize: '127.0.0.1 - - [17/Mar/2016:18:06:58 +0100] "GET /redacted HTTP/1.1" 200 62957'
> liblognorm: 0: enter parser, dag node 0x7f97bae190a0, json 0x7f97bae1ba20
> liblognorm: offs 0, strLen 102, isTerm 0
> liblognorm: 0 returns -1000, pParsedTo 0, parsedTo 0
> liblognorm: final result for normalizer: parsedTo 0, endNode (nil)
This is the section to watch: you should see each step along the way be tested
and parsedTo march along the line. It looks like this doesn't work the same for
user-defined types; try creating a ruleset where you have the definition for the
type as a rule instead of a type.
> liblognorm: DONE, final return is -1000
> normalized: '{ "originalmsg": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957", "unparsed-data": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957" }'
> { "originalmsg": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957", "unparsed-data": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957" }
> liblognorm: exitCtx 0x7f97bae19010
This is a different result than what you had earlier. IIRC, earlier unparsed-data = "".
That means that some other rule in your file was used.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
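To make the "watch parsedTo march along the line" advice concrete, here is an added Python example. It is not liblognorm code and not the poster's rule file: it walks the same field sequence that the @apache trace above lists (ipv4, word, word, char-to, word, char-to, float, number, word, with the literals and whitespace between them), reports the offset after every parser, and on failure returns the originalmsg/unparsed-data shape the thread shows. The parser semantics are simplified assumptions about what the liblognorm parsers of the same names do, and the sample access-log line and the syslog-prefixed variant are constructed.

```python
import re

# Constructed sample line, the same shape as the message in the thread
# (the real request path was longer; the poster redacted it).
SAMPLE = '127.0.0.1 - - [17/Mar/2016:18:06:58 +0100] "GET /redacted HTTP/1.1" 200 62957'

# Field walk read off the debug trace: (name, parser type, parser argument).
# name=None means the field is consumed but not stored. This ordering is an
# assumption reconstructed from the trace, not the poster's actual rule file.
FIELDS = [
    ("ip", "ipv4", None),
    (None, "whitespace", None),
    ("ident", "word", None),
    (None, "whitespace", None),
    ("user", "word", None),
    (None, "literal", " ["),
    ("date", "char-to", "]"),
    (None, "literal", '] "'),
    ("method", "word", None),
    (None, "whitespace", None),
    ("request", "char-to", " "),
    (None, "literal", " HTTP/"),
    ("httpversion", "float", None),
    (None, "literal", '"'),
    (None, "whitespace", None),
    ("response", "number", None),
    (None, "whitespace", None),
    ("bytes", "word", None),
]

_IPV4 = re.compile(r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}")
_NUMBER = re.compile(r"\d+")
_FLOAT = re.compile(r"\d+(?:\.\d+)?")


def parse_field(ptype, arg, msg, offs):
    """Apply one parser at offset offs. Return the new offset, or -1 on no match.

    Simplified approximations (assumption) of the liblognorm parsers of the
    same name: 'word' runs to the next blank, 'char-to' runs up to but not
    including its terminator, 'literal' must match exactly at offs.
    """
    if ptype == "ipv4":
        m = _IPV4.match(msg, offs)
        return m.end() if m else -1
    if ptype == "number":
        m = _NUMBER.match(msg, offs)
        return m.end() if m else -1
    if ptype == "float":
        m = _FLOAT.match(msg, offs)
        return m.end() if m else -1
    if ptype == "whitespace":
        end = offs
        while end < len(msg) and msg[end] in " \t":
            end += 1
        return end if end > offs else -1
    if ptype == "word":
        end = offs
        while end < len(msg) and msg[end] not in " \t":
            end += 1
        return end if end > offs else -1
    if ptype == "literal":
        return offs + len(arg) if msg.startswith(arg, offs) else -1
    if ptype == "char-to":
        end = msg.find(arg, offs)
        return end if end > offs else -1  # terminator missing or field empty
    raise ValueError("unknown parser type: %s" % ptype)


def normalize(msg, fields=FIELDS, verbose=False):
    """Walk the rule over msg; return (result, parsedTo, trace).

    On a full match the result holds the named fields. On failure it mirrors
    the library's output shape: {"originalmsg": ..., "unparsed-data": <text
    from the failing offset>}. parsedTo is how far the walk got, like the
    trace's 'parsedTo'; trace lists (ptype, name, offs_before, offs_after).
    """
    result, offs, trace = {}, 0, []
    for name, ptype, arg in fields:
        new = parse_field(ptype, arg, msg, offs)
        trace.append((ptype, name, offs, new))
        if verbose:
            print("field type %r, name %r: offs %d -> %d" % (ptype, name, offs, new))
        if new < 0:
            return {"originalmsg": msg, "unparsed-data": msg[offs:]}, offs, trace
        if name is not None:
            result[name] = msg[offs:new]
        offs = new
    if offs != len(msg):  # rule matched only a prefix; trailing data is left over
        return {"originalmsg": msg, "unparsed-data": msg[offs:]}, offs, trace
    return result, offs, trace


if __name__ == "__main__":
    res, parsed_to, _ = normalize(SAMPLE, verbose=True)
    print("parsedTo", parsed_to, res)
    # A constructed line with a syslog header in front stops at offset 0: the
    # 'ipv4' parser fails on "D", so unparsed-data is the whole line.
    res, parsed_to, _ = normalize("Dec  7 10:00:00 web1 httpd: " + SAMPLE, verbose=True)
    print("parsedTo", parsed_to, res)
```

Run it and each field prints the offset before and after its parser, which is the picture David describes for a working rule. A parsedTo of 0 with the entire message in unparsed-data says the very first parser in the chain never matched at offset 0; a parsedTo part-way in tells you exactly which literal or field the line diverged at, which is the fastest way to find a rule that is almost right.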