On 21/12/16 at 17:46, Rainer Gerhards wrote:
see https://github.com/rsyslog/liblognorm/pull/238
wow! that was fast!
2016-12-21 16:54 GMT+01:00 David Lang <[email protected]>:
Can you explain your ruleset where you need to store literal as a
value in the json?
I think the original thinking was that since this is a fixed value,
storing it as a variable doesn't help.
slapd [1] messages were processed in grok with the following expression:
MYEXPR ^(.*?)conn=(?<con>\d+) (fd=(?<fd>\d+)|op=(?<op>\d+)) ((?<cmd>ACCEPT) from IP=%{IPORHOST:ip}|(%{WORD} )?RESULT (?<result>.*)|%{WORD} (?<attr>attr=.*)|%{WORD:cmd}( (?<msg>.*))?)
The relevant part of that is that messages can have 5 formats:
ACCEPT from IP=...
FOO RESULT... # FOO can be different words
RESULT...
BAR attr=... # BAR can be different words
FOOBAR anything # FOOBAR can be different words
# anything is the rest (not one of the above)
And with that grok we were indexing them "properly"...
[1] http://www.openldap.org/software/man.cgi?query=slapd
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
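As an added illustration (not code from the thread or from liblognorm): a Python port of that grok expression that yields the same fields the poster indexes, including the literal ACCEPT stored as the value of cmd. The slapd lines are constructed samples; IPORHOST is approximated by [\w.-]+ and WORD by \w+, and because Python's re forbids two groups with the same name, the original's two cmd captures get distinct names and are merged afterwards.

```python
import re
from typing import Optional

# Port of the grok expression: IPORHOST approximated by [\w.-]+, WORD by \w+.
# Python's re rejects duplicate group names, so the original's two "cmd"
# captures are named cmd_accept / cmd_word here and merged in parse_slapd().
SLAPD_RE = re.compile(
    r"^(?:.*?)conn=(?P<con>\d+) (?:fd=(?P<fd>\d+)|op=(?P<op>\d+)) "
    r"(?:(?P<cmd_accept>ACCEPT) from IP=(?P<ip>[\w.-]+)"
    r"|(?:\w+ )?RESULT (?P<result>.*)"
    r"|\w+ (?P<attr>attr=.*)"
    r"|(?P<cmd_word>\w+)(?: (?P<msg>.*))?)"
)

# Constructed sample lines (not real log data), one per format from the thread
# plus one non-conn line to show the no-match case.
SAMPLE_LINES = [
    'Dec 21 17:46:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:54321 (IP=0.0.0.0:389)',
    'Dec 21 17:46:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128',
    'Dec 21 17:46:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=',
    'Dec 21 17:46:02 ldap1 slapd[1234]: conn=1000 op=1 SRCH attr=cn mail',
    'Dec 21 17:46:02 ldap1 slapd[1234]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    'Dec 21 17:46:03 ldap1 slapd[1234]: conn=1000 fd=12 closed',
    'Dec 21 17:46:04 ldap1 slapd[1234]: daemon: shutdown requested and initiated.',
]

def parse_slapd(line: str) -> Optional[dict]:
    """Return the fields the grok expression indexes, or None if the line
    is not a conn= message.  con/fd/op are converted to int."""
    m = SLAPD_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    out = {"con": int(g["con"])}
    for key in ("fd", "op"):
        if g[key] is not None:
            out[key] = int(g[key])
    # The literal ACCEPT and the free-form WORD both land in "cmd".
    cmd = g["cmd_accept"] or g["cmd_word"]
    if cmd is not None:
        out["cmd"] = cmd
    for key in ("ip", "result", "attr", "msg"):
        if g[key] is not None:
            out[key] = g[key]
    return out

def parse_all(lines=SAMPLE_LINES) -> list:
    """Parse every line; unmatched lines stay None so gaps are visible."""
    return [parse_slapd(line) for line in lines]
```

Calling parse_all() shows one dict per sample line; the daemon: line parses to None because it carries no conn= field.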