Hello all,
Finally I managed to make it work as I need. Below is a snippet of the config I
used, just in case someone else tries to achieve something similar.
Example message:
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"][id@2 test="tast"] BOM'su root' failed for lonvick on /dev/pts/8
Code:
$template RFC5424-to-file,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
module(load="mmpstrucdata")
if $structured-data != '-' then {
    action(type="mmpstrucdata")
    if re_match($!rfc5424-sd!exampleSDID@32473!eventID, '10[0-2][0-9]') then {
        action(type="omfile" File="/var/log/eventid_1000-1029.log" template="RFC5424-to-file")
    }
}
Regards,
Petr
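As an added illustration (not part of the post above and not rsyslog code), the Python below parses the STRUCTURED-DATA part of an RFC 5424 message into the same SD-ID/param tree that mmpstrucdata exposes as $!rfc5424-sd, and applies the post's eventID routing condition to it. It assumes rsyslog's re_match accepts a match anywhere in the value, as POSIX regexec does, which is why the check here compares the whole value numerically instead of using the unanchored '10[0-2][0-9]' pattern.

```python
import re

# Constructed sample: the RFC 5424 message from the post, on one line (the BOM is U+FEFF).
SAMPLE = ('<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 '
          '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
          '[id@2 test="tast"] \ufeff\'su root\' failed for lonvick on /dev/pts/8')

# One SD-ELEMENT: "[" SD-ID *(SP SD-PARAM) "]"; a PARAM-VALUE may contain \" \] and \\ escapes.
_SD_ELEMENT = re.compile(r'\[([^\s=\]"]+)((?:\s+[^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')


def _unescape(value):
    # RFC 5424 section 6.3.3: '"', '\' and ']' inside a PARAM-VALUE are written as \", \\ and \].
    return re.sub(r'\\([\\"\]])', r'\1', value)


def parse_structured_data(msg):
    """Return {SD-ID: {param: value}}, the tree mmpstrucdata exposes as $!rfc5424-sd.
    Returns {} when STRUCTURED-DATA is the NILVALUE '-'."""
    parts = msg.split(' ', 6)  # PRI+VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
    if len(parts) < 7 or not parts[0].startswith('<'):
        raise ValueError('not an RFC 5424 message')
    rest = parts[6]
    if rest.startswith('-'):
        return {}
    tree, pos = {}, 0
    while pos < len(rest) and rest[pos] == '[':
        m = _SD_ELEMENT.match(rest, pos)
        if m is None:
            raise ValueError('malformed STRUCTURED-DATA at offset %d' % pos)
        sd_id, params = m.group(1), m.group(2)
        tree[sd_id] = {k: _unescape(v) for k, v in _SD_PARAM.findall(params)}
        pos = m.end()
    return tree


def event_id_in_range(tree, low=1000, high=1029):
    """The post's routing condition: exampleSDID@32473/eventID lies in 1000..1029.
    Assuming re_match searches like POSIX regexec, the unanchored '10[0-2][0-9]' in the
    config would also accept a value such as '31011'; a whole-value numeric check does not."""
    value = tree.get('exampleSDID@32473', {}).get('eventID')
    return value is not None and value.isdigit() and low <= int(value) <= high


if __name__ == '__main__':
    sd = parse_structured_data(SAMPLE)
    print(sd)
    print('route to eventid_1000-1029.log:', event_id_in_range(sd))
```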
On 06.08.2019 15:34, Petr Vyhnal via rsyslog wrote:
Hello all,
did anyone try to do filtering of messages in structured data
format? It seems the common re_match can't be used on the $structured-data
property. It doesn't show an error, but I can't get any positive match. I
found there is an mmpstrucdata module which can parse the structured format
into a JSON variable tree, but I am not sure if these variables could be
somehow used in RainerScript if - then declarations. I spent a lot of
time trying to find some answer in forums, but I found nothing similar
to what I need. Any ideas are welcome.
Regards,
Petr
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.