I started with the example here:
https://github.com/rsyslog/liblognorm-rulebases/blob/master/rules/v2/apache_common.rb
and attempted to modify it like so:
rule=login_intruder_ip:%[
{"type": "date-iso", "name": "datestamp"},
{"type": "whitespace"},
{"type": "time-24hr", "name": "timestamp"},
{"type": "whitespace"},
{"type": "word", "name": "event"},
{"type": "whitespace"},
{"type": "ipv4", "name": "ip"},
{"type": "whitespace"},
{"type": "word", "name": "auth"}
]%
I call myself following the directions from this page:
http://www.liblognorm.com/files/manual/configuration.html
which indicate that "name" should be omitted for whitespace field types.
I receive this error:
rsyslogd: liblognorm error: rulebase file test-log-patterns.rb[55]:
invalid record type detected: ']%' [v8.33.1 try
http://www.rsyslog.com/e/2427 ]
I have another rule which looks like this:
rule=login_intruder_user:%[
{"type": "date-iso", "name": "datestamp"},
{"type": "whitespace"},
{"type": "time-24hr", "name": "timestamp"},
{"type": "whitespace"},
{"type": "word", "name": "event"},
{"type": "whitespace"},
{"type": "ipv4", "name": "ip" },
{"type": "word", "name": "auth"},
{"type": "rest", "name": "blob", "priority": 65535}
]%
No errors are given for this rule. I feel like I'm overlooking something
obvious with the login_intruder_ip rule.
Can anyone spot what I'm doing wrong?
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog