Hi,

I am trying to get mmnormalize to work with the examples given in the liblognorm documentation <https://github.com/rsyslog/liblognorm/blob/master/doc/configuration.rst#json>. Using the lognormalizer <http://www.liblognorm.com/files/manual/lognormalizer.html> tool I found that the rulebase and parsing are working as expected.

I tried to use the parsed text in my template to compose an output. According to this recipe example <https://www.rsyslog.com/log-normalization-for-different-formats/> the text is stored in the "usr" subtree and can be accessed using $!usr!<fieldname>. As shown below (highlighted), using $!usr!field2 did not work. Can you please suggest what might be missing? Thanks in advance.

*System Details:*
Ubuntu, rsyslog 8.39.0, installed mmnormalize separately using rsyslog-mmnormalize

*Rulebase:*
File name: txtrulebase.rb

version=2
# {"f1": "1"} interim text {"f2": 2}
rule=:%field1:json%interim text %field2:json%'

*Output:*
As shown below, the attribute between "_log_" and "msg" is blank. This is where I inserted the output that comes from mmnormalize.

{"appName":"-", "hostname":"host-name-1", "event":[{"payload":{"_log_":"catalina", ,"msg":"{\"f1\": \"1\"} interim text {\"f2\": 2}"}}]}

*Input text in catalina.out*

{"f1": "1"} interim text {"f2": 2}

*rsyslog.conf*

# Load Modules
module (load="imfile" mode="inotify") # for text file with inotify instead of polling
module (load="builtin:omfile" dirCreateMode="0775" fileCreateMode="0664" )
module(load="mmnormalize") # text parsing

# RAW - don't format
template(name="ulog-raw-format" type="list") {
    property(name="msg" droplastlf="on")
    constant(value="\n")
}

# Template for plain text formatted log messages.
template(name="ulog-text-format" type="list") {
    constant(value="{")
    property(outname="appName" name="procid" format="jsonf") constant(value=", ")
    property(outname="hostname" name="hostname" format="jsonf") constant(value=", ")
    constant(value="\"event\":[{")
    #property(outname="uuid" name="msgid" format="jsonf") constant(value=", ")
    constant(value="\"payload\":{")
    property(outname="_log_" name="syslogtag" format="jsonf") constant(value=", ")
    #property(name="$!usr!rcvdat" outname="dt1" format="jsonf") constant(value=", ")
    #property(name="$!usr!company" outname="company" format="jsonf") constant(value=", ")
    *property(name="$!usr!field1" outname="field2" format="json") constant(value=",")*
    property(name="msg" format="jsonf" droplastlf="on" )
    constant(value="}")
    constant(value="}]} \n")
}

# the main attraction
ruleset(name="catalina-ruleset" queue.type="fixedArray" queue.size="250000" ) {
    action(type="omfile" template="ulog-raw-format" File="/apps/tomcat/logs/rawcatalina.out" ioBufferSize="64k" flushOnTXEnd="off" asyncWriting="on")
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/txtrulebase.rb" userawmsg="on")
    action(type="omfile" template="ulog-text-format" File="/apps/tomcat/logs/textp.out" ioBufferSize="64k" flushOnTXEnd="off" asyncWriting="on")
}

input(type="imfile" File="/apps/tomcat/logs/catalina.out" Tag="catalina" ruleset="catalina-ruleset" readMode="2" escapeLF="off" reopenOnTruncate="on")

Lavanya K
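
A diagnostic configuration for the question above, added here as an example and not part of the original post: it dumps the whole message variable tree with `$!all-json` so you can see where mmnormalize actually placed the fields. mmnormalize's `path` parameter defaults to `$!` (the tree root); the ruleset name, template name and debug file path below are hypothetical, and `path="$!usr"` is one way to make `$!usr!<fieldname>` resolve.

```conf
# Added example, not from the original post.
# Hypothetical names: catalina-debug, mmnormalize-debug, mmnormalize-debug.out
module(load="imfile" mode="inotify")
module(load="mmnormalize")

# Print the raw line next to every variable mmnormalize set.
# On a parse failure the tree contains "originalmsg" and "unparsed-data"
# instead of the rule's fields, which separates a rulebase problem
# from a wrong variable path in the output template.
template(name="mmnormalize-debug" type="list") {
    property(name="rawmsg")
    constant(value=" => ")
    property(name="$!all-json")
    constant(value="\n")
}

ruleset(name="catalina-debug") {
    # path="$!usr" places parsed fields under the "usr" subtree,
    # so $!usr!field1 and $!usr!field2 exist afterwards.
    # Without it the default path is "$!", i.e. $!field1 and $!field2.
    action(type="mmnormalize"
           rulebase="/etc/rsyslog.d/txtrulebase.rb"
           useRawMsg="on"
           path="$!usr")

    action(type="omfile"
           template="mmnormalize-debug"
           file="/apps/tomcat/logs/mmnormalize-debug.out")
}

input(type="imfile"
      File="/apps/tomcat/logs/catalina.out"
      Tag="catalina"
      ruleset="catalina-debug")
```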

