Very interesting ...

There is a type in liblognorm, 'name-value-list', that does what I want! It works except for quoted strings ...

This is the patch for supporting quoted strings :
https://github.com/rsyslog/liblognorm/commit/090e2d2889d0fd6cab97b561414388e273c5484a

Now my parser is :
----------------------------------
version=2
rule=test:%[
  {"type": "name-value-list"}
  ]%
----------------------------------

Are you OK with it? Do you want a pull request?

Regards

Benoit


On 14/12/2016 at 22:44, Benoit DOLEZ wrote:
Ok. Thanks. I'll give you some news in a few days ...

I've just looked at the liblognorm sources and saw that the "iptables" parser has
been renamed "v2-iptables" in "version=2" mode. Many people have questions
about problems with the iptables parser not working ... this is the
probable reason.

Benoit

On 14/12/2016 at 14:07, David Lang wrote:
On Wed, 14 Dec 2016, Benoit DOLEZ wrote:

I have logs from Fortigate with many variants of 20 to 40
key[=("value"|value|)] fields separated by spaces.

It seems "iptables" is the only (old) rsyslog normalizer that parses kv
strings and, probably, it doesn't parse quoted values like
"lognorm/string" does.

Is there a simple method to build a $! tree from a key/value string like
mmparsejson does for JSON?

if the iptables type doesn't work for your logs in the mmnormalize
ruleset, then no, there currently isn't a good way.

If there is none, I can make one. I think it's better to write a message
modification module than a new lognorm format. Do you agree?

No, a new type in mmnormalize can be used for a lot more things than a
dedicated mm* module.

a dedicated mm* module will require that the entire log message be the
name-value set while a new type in liblognorm will handle that case, but
also handle cases where there is just one name-value pair inside a
larger message.

Note that liblognorm already has repeat, so it can handle a lot of
instances of a given type; it just needs to learn how to handle a single
name-value pair. The code to do this is mostly already there in
liblognorm, it's got two issues:

1. it's not general purpose enough (no ability to specify the syntax
separators)

2. it's not exposed as a user-visible type, it's just used as a
subroutine for other types.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.


--
Benoit DOLEZ, POM Monitoring, http://www.pom-monitoring.com/
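As an added example (not code from this thread, from liblognorm or from Fortigate), here is a small stand-alone Python parser for the key[=("value"|value|)] format discussed above. It accepts bare values, double-quoted values containing spaces and backslash-escaped quotes, empty values (key=) and bare keys with no value, and it rejects input that does not fit that grammar (for instance an unterminated quote) instead of silently attaching garbage to a neighbouring key. The Fortigate-style log line is constructed for illustration, and the function names are my own.

```python
import re

# One field: a key, optionally followed by '=' and either a double-quoted
# string (backslash escapes allowed) or a bare run of non-space characters,
# which may be empty. A key with no '=' at all gets the value None.
_FIELD_RE = re.compile(
    r'(?P<key>[A-Za-z0-9_.\-]+)'
    r'(?:=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[^\s"]*)))?'
)


def parse_name_value_list(line: str) -> dict:
    """Parse space-separated key[=value] fields into a dict.

    Quoted values have their backslash escapes removed. Later duplicates of
    a key overwrite earlier ones. Raises ValueError on input that does not
    fit the grammar, so malformed lines are rejected rather than guessed at.
    """
    result = {}
    pos, n = 0, len(line)
    while pos < n:
        if line[pos].isspace():
            pos += 1
            continue
        m = _FIELD_RE.match(line, pos)
        if not m:
            raise ValueError(
                f"unparseable input at offset {pos}: {line[pos:pos + 20]!r}")
        if m.group("quoted") is not None:
            value = re.sub(r'\\(.)', r'\1', m.group("quoted"))
        elif m.group("bare") is not None:
            value = m.group("bare")
        else:
            value = None
        end = m.end()
        # A field must end at whitespace or end of input; anything else
        # (e.g. an unterminated quote, or a quote glued to a bare value)
        # is a grammar violation.
        if end < n and not line[end].isspace():
            raise ValueError(
                f"unexpected character {line[end]!r} at offset {end}")
        result[m.group("key")] = value
        pos = end
    return result


def is_parseable(line: str) -> bool:
    """Convenience wrapper: True if the line fits the grammar."""
    try:
        parse_name_value_list(line)
        return True
    except ValueError:
        return False


# Constructed sample in the Fortigate style described in the thread
# (hypothetical values, not a real device log).
SAMPLE_LINE = (
    'date=2016-12-14 time=22:44:01 devname=FGT-1 logid=0000000013 '
    'type=traffic subtype=forward level=notice srcip=10.0.0.5 '
    'dstip=93.184.216.34 dstport=443 action=deny '
    'msg="Connection \\"blocked\\" by policy" user= flag'
)

if __name__ == "__main__":
    for key, value in parse_name_value_list(SAMPLE_LINE).items():
        print(f"{key}={value!r}")
```

The strictness is deliberate: a kv parser that tolerates unbalanced quotes can be steered by attacker-controlled field content (a crafted "msg" value) into merging or shadowing fields, so rejecting the line and keeping it raw is the safer failure mode for a normalizer feeding detection rules.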