On Fri, 23 Aug 2019, Brian Candler via rsyslog wrote:

> Hello,
>
> I have been looking at the liblognorm manual, trying liblognorm-utils 2.0.3 from Ubuntu 18.04, and I have a few questions.
>
>
> 1. Is there an epsilon ("match nothing") transition, or a simple way to mark a part as optional?
>
> Example: let's say a log line may be prefixed by an optional sequence number, followed by colon space. I can write it explicitly as two rules, matching without and with the prefix, and that works:
>
> ==> test.rb <==
> version=2
> prefix=
> rule=:sshd[%pid:number%]: Login failed
> prefix=%sequence:number%:\x20
> rule=:sshd[%pid:number%]: Login failed
>
> ==> test.log <==
> sshd[1234]: Login failed
> 12345: sshd[1234]: Login failed
>
> I just wondered if there was a cleaner way to do this, e.g. using 'alternative'.

Last I tried this, you could not have an alternative that matched nothing, but you could have one alternative that is "<number>: sshd" and the other being "sshd" (i.e. include something that's common so that neither branch is blank).

> (Note: the DAG generated from test.rb above does not merge the tails. There are two branches which separately match the sshd[...]... part.)

Under the covers, the DAG will have two separate branches, but don't worry about trying to keep the DAG small, it really doesn't matter. I've run rulesets with 1400 rules in them, and Rainer did performance testing and found that the difference between 1 rule and 1400 rules was 30%.

> 2. I wondered what the best practice is for recording which rule matched, e.g. for metrics ("this pattern matched N times"). -oaddRuleLocation is not stable if the rulebase changes. I can think of a couple of options:

In current versions you can set it to output the rule that matched as part of the output. I'd have to look at the docs to see exactly which option that is.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
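Added example (not part of the thread, and not liblognorm's or rsyslog's own code): one stable way to get per-rule match counts, as asked about in question 2, is to give each rule a tag in the rulebase (liblognorm's `rule=tag1,tag2:pattern` syntax) and aggregate on the tags rather than on -oaddRuleLocation, since a tag survives rules being inserted or reordered while a line number does not. The script below carries Brian's two-rule rulebase with tags added, runs the real `lognormalizer -r` when the binary is installed, and otherwise falls back to a constructed sample of its output. Assumptions not stated in the thread: lognormalizer emits one JSON object per input line, matched tags appear in an `event.tags` array, and lines matching no rule carry `unparsed-data` and `originalmsg` keys; the tag names, the `cron[77]` sample line and the field values are constructed.

```python
"""
Added example: count liblognorm matches per rule via rule tags instead of
relying on -oaddRuleLocation (which shifts whenever the rulebase is edited).

Assumptions (not from the thread): the lognormalizer CLI prints one JSON
object per input line, puts matched tags in "event.tags", and reports lines
no rule matched under "unparsed-data" / "originalmsg".
"""
import collections
import json
import os
import shutil
import subprocess
import tempfile

# Brian's two-rule rulebase with a stable tag added to each rule. Both rules
# share "ssh-login-failed"; the prefixed variant additionally gets
# "seq-prefixed" so the two cases can still be told apart in metrics.
RULEBASE = """\
version=2
prefix=
rule=ssh-login-failed:sshd[%pid:number%]: Login failed
prefix=%sequence:number%:\\x20
rule=ssh-login-failed,seq-prefixed:sshd[%pid:number%]: Login failed
"""

# Constructed input: Brian's test.log plus one line that matches no rule.
SAMPLE_LOG = (
    "sshd[1234]: Login failed\n"
    "12345: sshd[1234]: Login failed\n"
    "cron[77]: job done\n"
)

# Constructed sample of what lognormalizer would print for SAMPLE_LOG under
# the assumptions above; used when the binary is not installed.
SAMPLE_OUTPUT = [
    '{"pid": "1234", "event.tags": ["ssh-login-failed"]}',
    '{"sequence": "12345", "pid": "1234", '
    '"event.tags": ["ssh-login-failed", "seq-prefixed"]}',
    '{"originalmsg": "cron[77]: job done", "unparsed-data": "cron[77]: job done"}',
]


def count_by_tag(json_lines):
    """Aggregate normalizer output into (Counter of tag -> hits, unparsed count).

    Blank lines are skipped; a line carrying "unparsed-data" counts as a miss
    and contributes no tags.
    """
    hits = collections.Counter()
    unparsed = 0
    for raw in json_lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if "unparsed-data" in event:
            unparsed += 1
            continue
        for tag in event.get("event.tags", []):
            hits[tag] += 1
    return hits, unparsed


def run_lognormalizer(rulebase, log_text):
    """Run the installed lognormalizer on log_text; None if it is not installed."""
    exe = shutil.which("lognormalizer")
    if exe is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        rb_path = os.path.join(tmp, "test.rb")
        with open(rb_path, "w") as fh:
            fh.write(rulebase)
        proc = subprocess.run([exe, "-r", rb_path], input=log_text,
                              capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    lines = run_lognormalizer(RULEBASE, SAMPLE_LOG)
    if lines is None:
        lines = SAMPLE_OUTPUT  # offline fallback on the constructed sample
    hits, unparsed = count_by_tag(lines)
    for tag, n in sorted(hits.items()):
        print(f"{tag}: {n}")
    print(f"unparsed: {unparsed}")
```

The unparsed count is worth keeping alongside the per-tag counts: a rising miss rate after a rulebase edit is the quickest signal that a rule was broken rather than renumbered.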