On Wed, 14 Dec 2016, Benoit DOLEZ wrote:
> I have logs from fortigate with many variants of 20 to 40
> key[=("value"|value|)] fields separated with spaces.
> It seems "iptables" is the only (old) rsyslog normalizer to parse kv strings
> and, probably, it doesn't parse quoted values like "lognorm/string" does.
> Is there a simple method to build a $! tree from a key/value string like
> mmparsejson does for JSON?
If the iptables type doesn't work for your logs in the mmnormalize ruleset, then
no, there currently isn't a good way.
> If none, I can make it. I think it's better to write a message modification
> module than a new lognorm format. Do you agree?
No, a new type in mmnormalize can be used for a lot more things than a dedicated
mm* module.
A dedicated mm* module will require that the entire log message be the
name-value set, while a new type in liblognorm will handle that case, but also
handle cases where there is just one name-value pair inside a larger message.
Note that liblognorm already has repeat, so it can handle a lot of instances of
a given type; it just needs to learn how to handle a single name-value pair. The
code to do this is mostly already there in liblognorm, it's got two issues:
1. it's not general purpose enough (no ability to specify the syntax separators)
2. it's not exposed as a user-visible type, it's just used as a subroutine for
other types.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
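To make the three field shapes in the question concrete (key="quoted value", key=bare, key= with nothing after it), here is an added example of a strict parser for such a line that produces a flat key/value tree of the kind mmparsejson would put under $!. It is example code written for this thread, not rsyslog or liblognorm code; the FortiGate-style sample line and its values are constructed, and the parser deliberately rejects an unterminated quote instead of guessing.

```python
import json
import re

# Constructed FortiGate-style sample: quoted values, bare values, an empty bare
# value, an empty quoted value and an escaped quote inside a quoted value.
SAMPLE_LINE = (
    'date=2016-12-14 time=10:01:02 devname="fw-edge" logid=0000000013 '
    'type=traffic subtype=forward srcip=10.0.0.5 dstip=192.0.2.10 proto=6 '
    'action=deny policyid= user="" msg="blocked \\"by\\" policy"'
)

# One field: key, then optionally '=' followed by a quoted value (backslash
# escapes allowed), a bare value (no spaces, no quotes), or nothing at all.
# The lookahead forces the field to end at whitespace or end of line, so an
# unterminated quote makes the whole match fail rather than leak into a bare value.
_FIELD = re.compile(
    r'(?P<key>[A-Za-z0-9_.\-]+)'
    r'(?:=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^\s"]*)))?'
    r'(?=\s|$)'
)


def parse_kv(line: str) -> dict:
    """Parse space-separated key[=("value"|value|)] fields into a dict.

    A key without '=' maps to None, 'key=' and key="" both map to '', and a
    repeated key collects its values into a list so nothing is silently dropped.
    Anything the grammar cannot account for raises ValueError with the offset.
    """
    tree, pos = {}, 0
    while pos < len(line):
        if line[pos].isspace():
            pos += 1
            continue
        m = _FIELD.match(line, pos)
        if not m:
            raise ValueError(f"unparseable field at offset {pos}: {line[pos:pos + 20]!r}")
        key = m.group("key")
        if m.group("quoted") is not None:
            value = re.sub(r'\\(.)', r'\1', m.group("quoted"))  # drop escape backslashes
        else:
            value = m.group("bare")  # '' for 'key=', None for a lone 'key'
        if key in tree:
            prev = tree[key]
            tree[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            tree[key] = value
        pos = m.end()
    return tree


if __name__ == "__main__":
    print(json.dumps(parse_kv(SAMPLE_LINE), indent=1))
```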