Hi All,
I can't understand logic of mmnormalize module. I tell you...
I want process remote login lines as this...
Oct 18 15:51:03 pilotodns2 systemd[1]: Started Session 4951 of user root.
With this configuration..
module(load="imrelp")
input(type="imrelp" port="20514" Ruleset="Logsremotos")
template(name="all-json" type="list") { property(name="$!all-json")
constant(value="\n") }
template(name="tMyfw" type="list") {
property(name="$!usr!fecha")
constant(value=",")
property(name="$!usr!host")
property(name="$year")
property(name="$month")
property(name="$day")
constant(value="-")
property(name="$hour")
constant(value=":")
property(name="$minute")
constant(value=":")
property(name="timestamp" dateformat="rfc3339" position.from="18"
position.to="19")
constant(value=" ")
property(name="$!usr!tipo")
constant(value=" ")
property(name="$!usr!sesion")
constant(value=" ")
property(name="$!usr!usuario")
constant(value="\n")
}
# RULESETS
ruleset(name="escribelog") {
action(type="omfile" File="/var/log/sesijson" Template="all-json")
action(type="omfile" File="/var/log/sesibuena" template="tMyfw")
}
ruleset(name="Logsremotos") {
if $fromhost-ip == ['10.2.0.46','10.2.0.47'] then {
if ($msg contains "Session") then {
action(type="omfile" File="/var/log/sesibruto")
action(type="mmnormalize"
rulebase="/etc/rsyslog.d/parseprobe.rules"
)
if $parsesuccess == "OK" then {
set $!usr!fecha=$!fecha;
set $!usr!host=$!host;
set $!usr!tipo=$!tipo;
set $!usr!sesion=$!sesion;
set $!usr!usuario=$!usuario;
call escribelog
} else {
action(type="omfile" File="/var/log/jodidos")
}
}
stop
}
}
/etc/rsyslog.d/parseprobe.rules:
rule=:%fecha:date-rfc3164% %host:word% systemd[%-:number%]: %tipo:word% Session
%sesion:number% of user %usuario:word%
Rule is OK, because "lognormalizer" output extract all info in their fields
successfully:
$:/var/log
echo 'Oct 18 15:51:03 pilotodns2 systemd[1]: Started Session 4951 of user
root.' | /usr/bin/lognormalizer -r /etc/rsyslog.d/parseprobe.rules
{ "usuario": "root.", "sesion": "4951", "tipo": "Started", "host":
"pilotodns2", "fecha": "Oct 18 15:51:03" }
But, when remote host log some line, output is not correct:
$:/var/log
cat sesibruto
Oct 18 16:22:50 pilotodns2 systemd[1]: Started Session 4953 of user root.
$:/var/log
cat sesijson
{ "originalmsg": " Started Session 4953 of user root.", "unparsed-data": "
Started Session 4953 of user root.", "usr": { "fecha": "", "host": "", "tipo":
"", "sesion": "", "usuario": "" } }
$:/var/log
cat sesibuena
,20181018-16:22:50
It's obvious that I'm not considering anything.
Thanks
Best Regards,
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
