On Wed, 7 Dec 2016, [email protected] wrote:

When troubleshooting things like this, create a rule file that is as minimal as you can get and parse it with the -v option; it will show you what it's doing as it walks through the line.

I don't see how it parsed each message. Perhaps a debug option must be enabled?

  number of tree nodes: 20
  liblognorm: COMPONENT: @apache
  liblognorm: subDAG 0x7f97bae1a650 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'ipv4', name 'ip': 'UNKNOWN': called 0
  liblognorm: field type 'ipv4', name 'ip': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1b050 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1b180 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'word', name 'ident': 'UNKNOWN': called 0
  liblognorm: field type 'word', name 'ident': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1b3e0 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1b610 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'word', name 'user': 'UNKNOWN': called 0
  liblognorm: field type 'word', name 'user': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1b780 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'literal', name '(null)': ' [': called 0
  liblognorm: field type 'literal', name '(null)': ' [':
  liblognorm: subDAG 0x7f97bae1b820 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'char-to', name 'date': 'UNKNOWN': called 0
  liblognorm: field type 'char-to', name 'date': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1bc30 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'literal', name '(null)': '] "': called 0
  liblognorm: field type 'literal', name '(null)': '] "':
  liblognorm: subDAG 0x7f97bae1bdc0 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'word', name 'method': 'UNKNOWN': called 0
  liblognorm: field type 'word', name 'method': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1c050 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1c3c0 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'char-to', name 'request': 'UNKNOWN': called 0
  liblognorm: field type 'char-to', name 'request': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1c530 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'literal', name '(null)': ' HTTP/': called 0
  liblognorm: field type 'literal', name '(null)': ' HTTP/':
  liblognorm: subDAG 0x7f97bae1cbd0 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'float', name 'httpversion': 'UNKNOWN': called 0
  liblognorm: field type 'float', name 'httpversion': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1cd50 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'literal', name '(null)': '"': called 0
  liblognorm: field type 'literal', name '(null)': '"':
  liblognorm: subDAG 0x7f97bae1cf90 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1d200 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'number', name 'response': 'UNKNOWN': called 0
  liblognorm: field type 'number', name 'response': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1d350 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN': called 0
  liblognorm: field type 'whitespace', name '(null)': 'UNKNOWN':
  liblognorm: subDAG 0x7f97bae1d6e0 (children: 1 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: field type 'word', name 'bytes': 'UNKNOWN': called 0
  liblognorm: field type 'word', name 'bytes': 'UNKNOWN':
  liblognorm: subDAG [TERM] 0x7f97bae1da80 (children: 0 parsers, ref 1) [called 0, backtracked 0]
  liblognorm: MAIN COMPONENT:
  liblognorm: subDAG 0x7f97bae190a0 (children: 0 parsers, ref 1)
  [called 0, backtracked 0]
  liblognorm: MAIN COMPONENT (alternative):
  liblognorm: 0x7f97bae190a0[ref 1]:

Everything before this is setup. What does the test rule file look like?

  To normalize: '127.0.0.1 - - [17/Mar/2016:18:06:58 +0100] "GET /redacted HTTP/1.1" 200 62957'
  liblognorm: 0: enter parser, dag node 0x7f97bae190a0, json 0x7f97bae1ba20
  liblognorm: offs 0, strLen 102, isTerm 0
  liblognorm: 0 returns -1000, pParsedTo 0, parsedTo 0
  liblognorm: final result for normalizer: parsedTo 0, endNode (nil)

This is the section to watch: you should see each step along the way be tested and parsedTo march along the line. It looks like this doesn't work the same for user-defined types; try creating a ruleset where you have the definition for the type as a rule instead of a type.

  liblognorm: DONE, final return is -1000
  normalized: '{ "originalmsg": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957", "unparsed-data": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957" }'
  { "originalmsg": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957", "unparsed-data": "127.0.0.1 - - [17\/Mar\/2016:18:06:58 +0100] \"GET \/redacted HTTP\/1.1\" 200 62957" }
  liblognorm: exitCtx 0x7f97bae19010

This is a different result than what you had earlier. IIRC, earlier unparsed-data = ""

That means that some other rule in your file was used.

David Lang
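An added example, not the original poster's rule file: a minimal liblognorm v2 rulebase that writes the field sequence visible in the component dump above (ip, ident, user, date, method, request, httpversion, response, bytes, with the same parser types) as a plain rule instead of a user-defined type, as David suggests. The field names and types come from the trace; the filename, the rule tag and the sample invocation are assumptions.

```text
# apache.rb (filename assumed) - added example rulebase, not the poster's file.
# Field names and parser types follow the @apache component dump in the trace.
# Bare spaces between fields compile to 'whitespace' parsers; any other text
# (' [', '] "', ' HTTP/', '"') compiles to 'literal' parsers, as in the dump.
# char-to takes the terminating character as extra data: ']' for the date
# and a single space for the request path.
version=2
rule=apache:%ip:ipv4% %ident:word% %user:word% [%date:char-to:]%] "%method:word% %request:char-to: % HTTP/%httpversion:float%" %response:number% %bytes:word%
```

Test it with `lognormalizer -r apache.rb -v` and one sample access-log line on stdin; with the definition expressed as a rule, the -v trace should show parsedTo advancing past each field rather than stopping at 0, and a line that still fails shows the field at which it stopped.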
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog