On Mon, 19 Nov 2018, Peter Viskup via rsyslog wrote:

It is the first time I am working with liblognorm.
Read the documentation for lognorm1, but still not sure how to write
mmnormalize rules for optional parts of syslog message.
The base is RFC5424 message with modified structured-data.

Special SD-ELEMENT [syslogTimes@123456 relay-ip="timestamp-rfc3339"
...] added to the end of structured-data. Every relay adds its own
relay-ip with timestamp to this element.

I would suggest not trying to parse this structured data with mmnormalize; let the rfc5424 parser parse it.

On some relays this SD-ELEMENT needs to be removed. Will this rule
work as expected?

prefix=<%-:number%>%-:number% %-:date-rfc5424% %-:word% %-:word% %-:number% %-:word%
rule=%orig-sd:string-to:[syslogTimes@123456 % %time-sd:string-to: ]% %-:rest%

How to reference the 'orig-sd' value in template afterwards?

Log the message with the template RSYSLOG_DebugFormat and you will see the $! variable tree, with orig-sd under it. You would access it with $!orig-sd.

Is lognorm2 making this easier to implement?

lognorm2 changes the parsers a little bit and is far more efficient; you really should use it by default. For backwards compatibility we support the lognorm1 parsers, but that's really just to avoid breaking existing configs.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
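
Added example (not part of the thread, and not rsyslog or liblognorm code): splitting the STRUCTURED-DATA field by RFC 5424's quoting rules, so the relay element can be read or dropped without a string match that stops at the first `]` inside a quoted value. The function names and the sample are constructed; the `relay-ip="timestamp"` parameter layout follows the description in the question.

```python
import re

# SD-PARAM per RFC 5424: NAME="VALUE"; inside VALUE the characters " \ ] are backslash-escaped.
PARAM_RE = re.compile(r' ([^ =\]"]+)="((?:[^"\\\]]|\\.)*)"')

def split_sd(sd):
    """Split a STRUCTURED-DATA field into its raw SD-ELEMENT strings."""
    if sd == "-":                          # NILVALUE: no structured data
        return []
    elements, start, in_quotes, i = [], None, False, 0
    while i < len(sd):
        c = sd[i]
        if in_quotes:
            if c == "\\":
                i += 1                     # skip the escaped character
            elif c == '"':
                in_quotes = False
        elif start is None:
            if c != "[":
                raise ValueError("text outside an SD-ELEMENT at offset %d" % i)
            start = i
        elif c == '"':
            in_quotes = True
        elif c == "]":                     # an unquoted ] closes the element
            elements.append(sd[start:i + 1])
            start = None
        i += 1
    if start is not None:
        raise ValueError("unterminated SD-ELEMENT")
    return elements

def sd_id(element):
    """SD-ID is the first token after the opening bracket."""
    return element[1:-1].split(" ", 1)[0]

def strip_element(sd, drop_id):
    """Return sd without elements whose SD-ID is drop_id ("-" if none remain)."""
    kept = [e for e in split_sd(sd) if sd_id(e) != drop_id]
    return "".join(kept) or "-"

def relay_times(sd, want_id="syslogTimes@123456"):
    """List (relay-ip, timestamp) pairs from the first element with SD-ID want_id."""
    for e in split_sd(sd):
        if sd_id(e) == want_id:
            return PARAM_RE.findall(e)
    return []

# Constructed sample; the note value contains an escaped ] to exercise the quoting rule.
SAMPLE = ('[origin ip="192.0.2.1" note="a \\] b"]'
          '[syslogTimes@123456 192.0.2.10="2018-11-19T10:00:00Z" 192.0.2.20="2018-11-19T10:00:01Z"]')
```

When the last element is removed, the field collapses to the NILVALUE `-`, which keeps the rewritten message valid RFC 5424.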
