On Mon, Nov 19, 2018 at 9:29 PM David Lang <[email protected]> wrote:
>
> On Mon, 19 Nov 2018, Peter Viskup via rsyslog wrote:
>
> > Special SD-ELEMENT [syslogTimes@123456 relay-ip="timestamp-rfc3339"
> > ...] added to the end of structured-data. Every relay adds its own
> > relay-ip with timestamp to this element.
>
> I would suggest not trying to parse this structured data with mmnormalize, let
> the rfc5424 parser parse it.
The rfc5424 parser provides this string:
STRUCTURED-DATA: '[syslogTimes@123456
10.x.y.z="2018-11-20T07:55:03.832066+01:00"]'
but I would like to cover the case with other SD-ELEMENTs and remove
only the syslogTimes.
e.g.
STRUCTURED-DATA: '[element1@123456 key1="value1"
key2="value2"][syslogTimes@123456
10.x.y.z="2018-11-20T07:55:03.832066+01:00"]'
>
> > On some relays this SD-ELEMENT needs to be removed. Will this rule
> > work as expected?
> >
> > prefix=<%-:number%>%-:number% %-:date-rfc5424% %-:word% %-:word%
> > %-:number% %-:word%
> > rule=%orig-sd:string-to:[syslogTimes@123456 % %time-sd:string-to: ]%
> > %-:rest%
> >
> > How to reference the 'orig-sd' value in template afterwards?
>
> log the message with the template RSYSLOG_DebugFormat and you will see the $!
> variable tree, with orig-sd under it, you would access it with $!orig-sd
The rule is not parsing the message as expected. In debug there are
only values in $!:
$!:{ "originalmsg": "pam_unix(sudo:session): session closed for user
root", "unparsed-data": "pam_unix(sudo:session): session closed for
user root" }
rawmsg looks like this (all message parts are parsed by rfc5424
without any issue):
inputname: imtcp rawmsg: '<86>1 2018-11-20T07:55:03.832066+01:00
hostname_10.x.y.z sudo - - [syslogTimes@123456
10.x.y.z="2018-11-20T07:55:03.832066+01:00"] pam_unix(sudo:session):
session closed for user root'
Peter
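For reference, this is what the removal described in the thread is meant to produce, as an added example that is neither from the thread nor from rsyslog/liblognorm: a small Python parser for an RFC 5424 STRUCTURED-DATA field that drops only the SD-ELEMENT with SD-ID syslogTimes@123456 and re-serialises the remaining elements, honouring the RFC's backslash escaping of '"', '\' and ']' inside PARAM-VALUEs. The sample input is constructed to match the two-element case quoted above.

```python
import re

# SD-ID and PARAM-NAME share one charset: 1..32 printable US-ASCII chars, no '=', SP, ']' or '"'.
_NAME_RE = re.compile(r'[^=\s\]"]{1,32}')

def parse_sd_elements(sd):
    """Split RFC 5424 STRUCTURED-DATA into [(sd_id, [(name, value), ...]), ...]; '-' is NILVALUE."""
    if sd == "-":
        return []
    elements, i, n = [], 0, len(sd)
    while i < n:
        if sd[i] != "[":
            raise ValueError("expected '[' at offset %d" % i)
        m = _NAME_RE.match(sd, i + 1)
        if not m:
            raise ValueError("missing SD-ID at offset %d" % (i + 1))
        sd_id, i, params = m.group(0), m.end(), []
        while i < n and sd[i] == " ":           # zero or more SP-separated SD-PARAMs
            m = _NAME_RE.match(sd, i + 1)
            if not m or sd[m.end():m.end() + 2] != '="':
                raise ValueError("bad SD-PARAM at offset %d" % (i + 1))
            name, i, value = m.group(0), m.end() + 2, []
            while i < n and sd[i] != '"':
                if sd[i] == "\\" and i + 1 < n and sd[i + 1] in '"\\]':
                    i += 1                      # drop the escaping backslash, keep the char
                value.append(sd[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated PARAM-VALUE")
            i += 1                              # closing '"'
            params.append((name, "".join(value)))
        if i >= n or sd[i] != "]":
            raise ValueError("expected ']' at offset %d" % i)
        i += 1
        elements.append((sd_id, params))
    return elements

def _escape(value):
    # RFC 5424 section 6.3.3: '"', '\' and ']' inside PARAM-VALUE must be backslash-escaped
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def strip_sd_element(sd, drop_id="syslogTimes@123456"):
    """Return STRUCTURED-DATA with every SD-ELEMENT whose SD-ID equals drop_id removed."""
    kept = [(sid, p) for sid, p in parse_sd_elements(sd) if sid != drop_id]
    if not kept:
        return "-"                              # nothing left: NILVALUE
    return "".join("[%s%s]" % (sid, "".join(' %s="%s"' % (k, _escape(v)) for k, v in p))
                   for sid, p in kept)
```

Running strip_sd_element on the constructed two-element string from the thread returns only the element1@123456 part; when syslogTimes is the sole element the result is the NILVALUE "-".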
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog