Ok, many thanks ;-)

I thought the default value of "useRawMsg" was "on" :-(

Sorry

Best Regards,


On 18/10/18 at 17:05, Rainer Gerhards wrote:
> Hello Alberto,
>
> On Thu., 18 Oct 2018 at 16:57, Alberto Alvarez Retuerto
> (<alberto.alva...@acens.com>) wrote:
>> Sorry, I answer myself.
>>
>> mmnormalize is processing "msg" only, and not "date", "tag" or
>> "hostname" fields.
> Actually, you can specify what mmnormalize parses. "msg" is just the
> default. See:
>
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
>
> For example, you could set useRawMsg="on" to parse "rawmsg".
>
> HTH
> Rainer
>> Regards,
>>
>>
>> On 18/10/18 at 16:38, Alberto Alvarez Retuerto wrote:
>>> Hi All,
>>>
>>> I can't understand the logic of the mmnormalize module. Let me explain...
>>>
>>> I want to process remote login lines like this one...
>>>
>>> Oct 18 15:51:03 pilotodns2 systemd[1]: Started Session 4951 of user root.
>>>
>>> With this configuration...
>>>
>>> module(load="imrelp")
>>> input(type="imrelp" port="20514" Ruleset="Logsremotos")
>>>
>>> template(name="all-json" type="list") { property(name="$!all-json") constant(value="\n") }
>>> template(name="tMyfw" type="list") {
>>>       property(name="$!usr!fecha")
>>>       constant(value=",")
>>>       property(name="$!usr!host")
>>>       property(name="$year")
>>>       property(name="$month")
>>>       property(name="$day")
>>>       constant(value="-")
>>>       property(name="$hour")
>>>       constant(value=":")
>>>       property(name="$minute")
>>>       constant(value=":")
>>>       property(name="timestamp" dateformat="rfc3339" position.from="18" position.to="19")
>>>       constant(value=" ")
>>>       property(name="$!usr!tipo")
>>>       constant(value=" ")
>>>       property(name="$!usr!sesion")
>>>       constant(value=" ")
>>>       property(name="$!usr!usuario")
>>>       constant(value="\n")
>>> }
>>>
>>> # RULESETS
>>> ruleset(name="escribelog") {
>>>           action(type="omfile" File="/var/log/sesijson" Template="all-json")
>>>           action(type="omfile" File="/var/log/sesibuena" template="tMyfw")
>>> }
>>>
>>> ruleset(name="Logsremotos") {
>>>           if $fromhost-ip == ['10.2.0.46','10.2.0.47'] then {
>>>                   if ($msg contains "Session") then {
>>>                           action(type="omfile" File="/var/log/sesibruto")
>>>                           action(type="mmnormalize"
>>>                                   rulebase="/etc/rsyslog.d/parseprobe.rules"
>>>                           )
>>>                           if $parsesuccess == "OK" then {
>>>                                   set $!usr!fecha=$!fecha;
>>>                                   set $!usr!host=$!host;
>>>                                   set $!usr!tipo=$!tipo;
>>>                                   set $!usr!sesion=$!sesion;
>>>                                   set $!usr!usuario=$!usuario;
>>>                                   call escribelog
>>>                           } else {
>>>                                   action(type="omfile" File="/var/log/jodidos")
>>>                           }
>>>                   }
>>>                   stop
>>>           }
>>> }
>>>
>>> /etc/rsyslog.d/parseprobe.rules:
>>>
>>> rule=:%fecha:date-rfc3164% %host:word% systemd[%-:number%]: %tipo:word% Session %sesion:number% of user %usuario:word%
>>>
>>> The rule is OK, because the "lognormalizer" output extracts all the info into its fields
>>> successfully:
>>>
>>> $:/var/log
>>> echo 'Oct 18 15:51:03 pilotodns2 systemd[1]: Started Session 4951 of user root.' | /usr/bin/lognormalizer -r /etc/rsyslog.d/parseprobe.rules
>>>
>>> { "usuario": "root.", "sesion": "4951", "tipo": "Started", "host": "pilotodns2", "fecha": "Oct 18 15:51:03" }
>>>
>>> But, when the remote host logs a line, the output is not correct:
>>>
>>> $:/var/log
>>> cat sesibruto
>>> Oct 18 16:22:50 pilotodns2 systemd[1]: Started Session 4953 of user root.
>>> $:/var/log
>>> cat sesijson
>>> { "originalmsg": " Started Session 4953 of user root.", "unparsed-data": " Started Session 4953 of user root.", "usr": { "fecha": "", "host": "", "tipo": "", "sesion": "", "usuario": "" } }
>>> $:/var/log
>>> cat sesibuena
>>> ,20181018-16:22:50
>>>
>>> It's obvious that I'm overlooking something.
>>>
>>> Thanks
>>>
>>> Best Regards,
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
>>> LIKE THAT.

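For the archive, an added illustration (my own approximation, not code from the thread or from rsyslog/liblognorm) of why the rule fails against the default "msg" property and succeeds once the mmnormalize action carries useRawMsg="on": the thread's rule is re-expressed as a regex and run against constructed values of the two properties.

```python
import re

# Constructed sample values of the two rsyslog properties for the line in the
# thread. "rawmsg" is the line as the remote host sent it; "msg" is what is left
# after rsyslog strips the syslog header (timestamp, hostname, tag). Note the
# leading space in msg, the same one visible in the thread's "originalmsg".
RAWMSG = "Oct 18 16:22:50 pilotodns2 systemd[1]: Started Session 4953 of user root."
MSG = " Started Session 4953 of user root."

# /etc/rsyslog.d/parseprobe.rules from the thread, re-expressed as a regex with
# one named group per liblognorm field (date-rfc3164, word, number). This is an
# added approximation of liblognorm matching, not liblognorm itself.
RULE = re.compile(
    r"^(?P<fecha>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) systemd\[\d+\]: (?P<tipo>\S+) "
    r"Session (?P<sesion>\d+) of user (?P<usuario>\S+)$"
)


def normalize(text):
    """Mimic mmnormalize's result: the parsed fields plus parsesuccess="OK",
    or, on failure, originalmsg/unparsed-data and parsesuccess="FAIL".
    The rule's first field is the timestamp, so a mismatch happens at
    offset 0 and unparsed-data is the whole input, as seen in sesijson."""
    m = RULE.match(text)
    if m:
        return dict(m.groupdict(), parsesuccess="OK")
    return {"originalmsg": text, "unparsed-data": text, "parsesuccess": "FAIL"}


def run_action(use_raw_msg):
    """Which property the action parses:
       action(type="mmnormalize" rulebase="..." useRawMsg="on")  -> rawmsg
       action(type="mmnormalize" rulebase="...")                 -> msg (default)"""
    return normalize(RAWMSG if use_raw_msg else MSG)


if __name__ == "__main__":
    for flag in (False, True):
        print('useRawMsg="%s":' % ("on" if flag else "off"), run_action(flag))
```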