Re: [rsyslog] Parsing MSG
Hi Bruno,

It seems that you're trying to parse the log to deliver it to logstash (by the name you gave to the rule)... If it's the case, wouldn't it be easier to parse it directly on logstash? There is for example the kv filter plugin which seems that would do the trick for you with a single line...

On 2/4/19 17:02, David Lang via rsyslog wrote:
> by the way, if you can write the message using the RSYSLOG_DebugFormat
> it will help us understand exactly what the state of the message is.
>
> David Lang
___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
there is no input defined in the config snippet you are showing us, this is why we are asking for the full config

David Lang

On Tue, 2 Apr 2019, Gorman, Kevin via rsyslog wrote:

> Date: Tue, 2 Apr 2019 19:28:37 +0000
> From: "Gorman, Kevin via rsyslog"
> To: rsyslog-users
> Cc: "Gorman, Kevin"
> Subject: Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
>
> I found a few issues. I defined the *.* wrong for one. The *.* is all logs defined in rsyslog.conf, which we don't touch, and the version is 8.24.
>
> I want to use a ruleset to separate the info and make things modular. Since I also forward a large number of files, I'd prefer to define the address, port and protocol in one separate file.
>
> Here's the ruleset and my best guess of the action, but it doesn't work, meaning the log messages aren't forwarded. Obviously its syntax is incorrect. It isn't clear how to use an if statement to do what I'm trying to do. The file forwarding looks like it works using the ruleset.
>
> global (
>     parser.dropTrailingLFOnReception="on"
>     parser.escapeControlCharactersOnReceive="on"
>     workDirectory="/var/lib/rsyslog"
>
> ruleset(
>     name="linux_forward"
>     queue.type="LinkedList"
>     queue.filename="FwdRule0"
>     queue.maxDiskSpace="1g"
>     queue.saveOnShutdown="on"
> ) {
>     action(
>         type="omfwd"
>         target="2001:4888:a00:3154:f0:ff2:0:b01"  # logserver VIP
>         protocol="udp"
>         port="5544"
>     )
>     stop
> }
>
> *.* action(
>     type="omfwd"
>     ruleset="linux_forward"
>     tag="rsyslog"
>     name="rsyslog"
> )
Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
I found a few issues. I defined the *.* wrong for one. The *.* is all logs defined in rsyslog.conf, which we don't touch, and the version is 8.24.

I want to use a ruleset to separate the info and make things modular. Since I also forward a large number of files, I'd prefer to define the address, port and protocol in one separate file.

Here's the ruleset and my best guess of the action, but it doesn't work, meaning the log messages aren't forwarded. Obviously its syntax is incorrect. It isn't clear how to use an if statement to do what I'm trying to do. The file forwarding looks like it works using the ruleset.

global (
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
    workDirectory="/var/lib/rsyslog"

ruleset(
    name="linux_forward"
    queue.type="LinkedList"
    queue.filename="FwdRule0"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
) {
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b01"  # logserver VIP
        protocol="udp"
        port="5544"
    )
    stop
}

*.* action(
    type="omfwd"
    ruleset="linux_forward"
    tag="rsyslog"
    name="rsyslog"
)

From: Flo Rance [mailto:troura...@gmail.com]
Sent: Tuesday, April 02, 2019 6:08 AM
To: rsyslog-users
Cc: David Lang; Gorman, Kevin
Subject: Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding

I use a similar config to forward from my servers.

ruleset(name="linux_forward" queue.type="LinkedList" queue.filename="nlsFwdRule0" queue.maxDiskSpace="1g" queue.saveOnShutdown="on") {
    action(type="omfwd" target="2001:4888:a00:3154:f0:ff2:0:b01" protocol="udp" port="5544" resumeRetryCount="-1")
}

and it's called like that:

if () then {
    call linux_forward
    stop
}

Flo

On Mon, Apr 1, 2019 at 9:27 PM Gorman, Kevin via rsyslog <rsyslog@lists.adiscon.com> wrote:

For the moment, I've removed the app part of the configuration. Redhat suggested changing action to the config that's below. Still, nothing is forwarded, which is the sole purpose of the configuration.

I'm trying to use the rule to avoid repeating the IP address over and over as well as to not use lots of files. I imagine I could use the earlier format and combine the files, so that's not really a big issue. If it's better I'm not against just using the earlier format.

# cat rsyslog.all.conf
module(load="imfile" mode="inotify")
global (
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
    workDirectory="/var/lib/rsyslog"
)
ruleset(
    name="linux_forward"
    queue.type="LinkedList"
    queue.filename="nlsFwdRule0"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
) {
    action(
        type="omfwd"
        target="2001:4888:a00:3154:f0:ff2:0:b01"  # VIP address of logserver
        protocol="udp"
        port="5544"
        #resumeRetryCount="-1"
    )
    stop
}

# cat rsyslog.linux.conf
input(
    type="imfile"
    ruleset="linux_forward"
    file="*.*"
    escapeLF="on"
    tag="syslog"
)
input(
    type="imfile"
    ruleset="linux_forward"
    tag="ansible"
    file="/var/log/ansible.log"
    escapeLF="on"
)
input(
    type="imfile"
    ruleset="linux_forward"
    tag="audit"
    file="/var/log/audit/audit.log"
    escapeLF="on"
)

]# rsyslogd -N2
rsyslogd: version 8.24.0-34.el7, config validation run (level 2), master config /etc/rsyslog.conf
6396.163499269:main thread: debug level 2 set via config file
6396.163515320:main thread: This is rsyslog version 8.24.0-34.el7
6396.163520128:main thread: config parser: reached end of file /etc/rsyslog.d/rsyslog.debug.conf
6396.163524390:main thread: config parser: resume parsing of file /etc/rsyslog.d/rsyslog.linux.conf at line 1
6396.163531565:main thread: cnf:global:obj: obj: 'input'
6396.163538048:main thread: nvlst 0x562f39069bb0:
6396.163541541:main thread: name: 'tag', value 'syslog'
6396.163545544:main thread: name: 'escapeLF', value 'on'
6396.163549402:main thread: name: 'file', value '*.*'
6396.163553221:main thread: name: 'ruleset', value 'linux_forward'
6396.163557231:main thread: name: 'type', value 'imfile'
6396.163562884:main thread: nvlstGetParam: name 'type', type 14, valnode->bUsed 0
6396.163566743:main thread: input param blk after inputProcessCnf:
6396.163570295:main thread: type: 'imfile'
6396.163579084:main thread: newInpInst (imfile)
6396.163582949:main thread: nvlstGetParam: name 'file', type 14, valnode->bUsed 0
6396.163586431:main thread: nvlstGetParam: name 'tag', type 14, valnode->bUsed 0
6396.163590393:main thread: nvlstGetParam: name 'ruleset', type 14, valnode->bUsed 0
6396.163594337:main thread: nvlstGetParam: name 'escapelf', type 4, valnode->bUsed 0
6396.163598668:main thread: input param blk in
[rsyslog] Error in `rsyslogd': double free or corruption (out): 0x00007f9324002b10 ***
Hi,

I was noticing rsyslog (rsyslog-8.1903.0-1.el7.x86_64) crashing on one of my servers with imjournal errors, so I commented out $ModLoad imjournal and replaced it with:

module(load="imjournal" StateFile="imjournal.state" WorkAroundJournalBug="on")

Since then my rsyslogd crashes on start with errors. Details below. Just thought I'd report it to the list in case it's a bug.

To troubleshoot I ran rsyslogd -n, and got:

[root@rh7update ~]# rsyslogd -n &>/root/out
*** Error in `rsyslogd': double free or corruption (out): 0x7f0268002ea0 ***
=== Backtrace: =========
/usr/lib64/libc.so.6(+0x81489)[0x7f027eb51489]
/usr/lib64/rsyslog/imjournal.so(+0x3b7d)[0x7f027b9a2b7d]
rsyslogd(+0x675b6)[0x5617dca1e5b6]
/usr/lib64/libpthread.so.0(+0x7dd5)[0x7f027fd0bdd5]
/usr/lib64/libc.so.6(clone+0x6d)[0x7f027ebcdead]
Re: [rsyslog] So difficult to make rsyslog to work
On 4/2/19 9:26 AM, David Lang wrote:
> On Tue, 2 Apr 2019, John Chivian via rsyslog wrote:
>
>> Old:
>> kern.*  /var/log/kern.log
>>
>> New:
>> kern.* {
>>     action(
>>         type="omfile"
>>         name="kern"
>>         file="/var/log/kern.log"
>>     )
>> }
>
> This is a case where we recommend continuing to use the old style, it's enough simpler that it is clearer to anyone with an understanding of syslog

If you use the old style syntax then you get an action name in pstats similar to "action26". My recommendation is that all actions be given a name, it makes it orders of magnitude easier when the data hits the SIEM.

>> Old:
>> auth.*;authpriv.*  @@192.168.10.13:5140
>>
>> New:
>> auth.*;authpriv.* {
>>     action(
>>         type="omfwd"
>>         target="192.168.10.13"
>>         port="5140"
>>         protocol="tcp"
>>         name="tcp-5140-out"
>>         queue.size="1024000"
>>         queue.filename="tcp-5140.queue"
>>         queue.maxdiskspace="1g"
>>         queue.type="FixedArray"
>>         queue.maxfilesize="10m"
>>         queue.saveonshutdown="on"
>>         queue.discardseverity="8"
>>         Action.ResumeInterval="1"
>>         Action.ResumeRetryCount="-1"
>>     )
>> }
>
> These are not equivalent, the equivalent would be:
>
> auth.*;authpriv.* {
>     action(
>         type="omfwd"
>         target="192.168.10.13"
>         port="5140"
>         protocol="tcp"
>     )
> }

True, but most people are interested in the queuing aspects for redundancy so I included them.

> Doing the same thing would be another place where using the old style still works, but when you add the additional functionality of your 'new' version, the new style is needed.
>
> David Lang
Re: [rsyslog] Parsing MSG
by the way, if you can write the message using the RSYSLOG_DebugFormat it will help us understand exactly what the state of the message is.

David Lang

On Tue, 2 Apr 2019, David Lang via rsyslog wrote:

> Date: Tue, 2 Apr 2019 07:45:34 -0700 (PDT)
> From: David Lang via rsyslog
> To: Bruno Manzoni via rsyslog
> Cc: David Lang
> Subject: Re: [rsyslog] Parsing MSG
>
> in recent versions of rsyslog there is an option to make the field names case sensitive (in the past they were all squashed to lower case internally as referenced in rsyslog configs, but if they are created with a parser in mixed/upper case you could not access them)
>
> I believe you need to set an option in the global() section for this. I'm traveling and don't have the time to look it up at the moment.
>
> try this and see if it helps.
>
> David Lang
Re: [rsyslog] So difficult to make rsyslog to work
On Tue, 2 Apr 2019, Marc Haber via rsyslog wrote:

> On Tue, Apr 02, 2019 at 04:21:07PM +0200, Rainer Gerhards wrote:
>> It may make sense to document this on the doc as well. Up for a PR?
>
> Yes, I'll try having something before the weekend. Unfortunately, in current day-job I'm quite far away from syslog at the moment, all Unixing I am doing at the moment is my own pleasure.

no rush, almost all of us here are doing this on our own time. Rainer and about 4 other people are able to scramble enough to survive doing this full time (Adiscon is their company, direct money their way to support rsyslog :-) )

Do this at your own pace, all contributions welcome, we know docs are an area we struggle with, so we especially appreciate help there.

David Lang
Re: [rsyslog] So difficult to make rsyslog to work
On Tue, Apr 02, 2019 at 04:21:07PM +0200, Rainer Gerhards wrote:
> It may make sense to document this on the doc as well. Up for a PR?

Yes, I'll try having something before the weekend. Unfortunately, in current day-job I'm quite far away from syslog at the moment, all Unixing I am doing at the moment is my own pleasure.

Greetings
Marc

--
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
Re: [rsyslog] So difficult to make rsyslog to work
On Tue, 2 Apr 2019, Marc Haber via rsyslog wrote:

> On Tue, Apr 02, 2019 at 03:08:15PM +0200, Rainer Gerhards via rsyslog wrote:
>> On Tue, 2 Apr 2019 at 14:54, Mauricio Tavares via rsyslog () wrote:
>>>> Are the docs in a public git? Where can people ask for clarification
>>>> about things before submitting (probably wrong) patch requests against
>>>> the docs?
>>>
>>> Adding to what was said, how about if we have somewhere a place
>>> (wiki, git, clay tablets) for examples? There we could start with a
>>> page for each example, say:
>>
>> This place already exists: https://github.com/rsyslog/rsyslog-doc
>
> Perfect.
>
>> Doc pages with just questions may sound strange, but it's also an interesting idea. I would do that with issues in the rsyslog-doc project labeled with "question", for example.
>
> There could be a workflow to have examples inserted by merge request:
>
> - I have a task
> - I come up with a "works for me" configuration
> - I fork rsyslog-doc and write docs for "my" configuration
> - I open a merge request
> - Somebody[tm] reviews the configuration and the docs and comments like "things might be more elegant if you do it this way"
> - Discussion happens in the merge request
> - If applicable, I update my merge request with the improvements suggested
> - Eventually, my work gets merged and is part of the official docs.
>
> With "me" being a random contributor.
>
> Would that be acceptable for you as upstream?

This would be fantastic, not just acceptable. :-)

David Lang
Re: [rsyslog] Parsing MSG
in recent versions of rsyslog there is an option to make the field names case sensitive (in the past they were all squashed to lower case internally as referenced in rsyslog configs, but if they are created with a parser in mixed/upper case you could not access them)

I believe you need to set an option in the global() section for this. I'm traveling and don't have the time to look it up at the moment.

try this and see if it helps.

David Lang

On Tue, 2 Apr 2019, Bruno Manzoni via rsyslog wrote:

> Date: Tue, 2 Apr 2019 15:24:13 +0200
> From: Bruno Manzoni via rsyslog
> To: rsyslog@lists.adiscon.com
> Cc: Bruno Manzoni
> Subject: [rsyslog] Parsing MSG
>
> Hello Rsyslog Users,
>
> I transform a syslog 5424 in JSON with the following and forward them to Logstash. Logstash is able to read all fields:
>
> template(name="Checkpoint2LogstasgFormat" type="list") {
>     constant(value="{")
>     constant(value=" \"FROMHOST\": \"")
>     property(name="fromhost")
>     constant(value="\", \"fromhost-ip\": \"")
>     property(name="fromhost-ip")
>     constant(value="\", \"HOSTNAME\": \"")
>     property(name="hostname")
>     constant(value="\", \"PRI\": \"")
>     property(name="pri")
>     constant(value="\", \"syslogtag\": \"")
>     property(name="syslogtag")
>     constant(value="\", \"programname\": \"")
>     property(name="programname")
>     constant(value="\", \"APP-NAME\": \"")
>     property(name="app-name")
>     constant(value="\", \"PROCID\": \"")
>     property(name="procid")
>     constant(value="\", \"MSGID\": \"")
>     property(name="msgid")
>     constant(value="\", \"TIMESTAMP\": \"")
>     property(name="timereported")
>     constant(value="\", ")
>     property(name="$.myvar7")
>     constant(value="\"}\n")
> }
>
> ruleset(name="remote")
> {
>     if ($structured-data != "-") then
>     {
>         set $.myvar = $structured-data ;
>         set $.myvar2 = replace($.myvar,":\"", "\": \"");
>         set $.myvar3 = replace($.myvar2,"\"; ", "\", \"");
>         set $.myvar5 = replace($.myvar3,'\\', '');
>         # prepend the opening quote of the first key, drop the leading "[" and the tail
>         set $.myvar7 = "\"" & substr($.myvar5, 1, strlen($.myvar5)-6);
>     }
>     action
>     (
>         type="omfwd"
>         queue.type="linkedlist"
>         queue.filename="example_fwd"
>         action.resumeRetryCount="-1"
>         queue.saveOnShutdown="on"
>         target="172.26.105.21" port="5141" protocol="tcp"
>         template="Checkpoint2LogstasgFormat"
>     )
>     #action (type="omfile" file="/var/log/firewall.log" template="Checkpoint2LogstasgFormat")
>     stop
> }
> input(type="imptcp" port="5140" ruleset="remote")
>
> The result:
>
> { "FROMHOST": "172.26.107.9", "fromhost-ip": "172.26.107.9", "HOSTNAME": "gw-85322c",
>   "PRI": "134", "syslogtag": "CheckPoint[15624]", "programname": "CheckPoint",
>   "APP-NAME": "CheckPoint", "PROCID": "15624", "MSGID": "-", "TIMESTAMP": "Apr 2 12:57:16",
>   "action": "Accept", "flags": "411908", "ifdir": "inbound", "ifname": "eth0",
>   "logid": "0", "loguid": "{0x5ca35c2c,0x0,0x96b1aac,0xc002}", "origin": "172.26.107.9",
>   "originsicname": "cn=cp_mgmt,o=gw-85322c.ubiin.tranet.work.mjnfac", "sequencenum": "2",
>   "time": "1554209836", "version": "5",
>   "__policy_id_tag": "product=VPN-1 & FireWall-1[db_tag={F1D5BFE9-0E2C-664D-9D4D-E76A490FFAD1};mgmt=gw-85322c;date=1552647946;policy_name=Standard]",
>   "dst": "172.26.107.9", "inzone": "Internal", "layer_name": "Network",
>   "layer_uuid": "e15c8ace-499c-4e10-ab00-9e6216313de0", "match_id": "1", "parent_rule": "0",
>   "rule_action": "Accept", "rule_name": "Cleanup rule", "rule_uid": "29ea5f01-9f51-43a1-a7ac-702ecfb5b86a",
>   "outzone": "Local", "product": "VPN-1 & FireWall-1", "proto": "6", "s_port": "58462",
>   "service": "80", "service_id": "http", "src": "192.168.168.31"}
>
> But I would like to add extra information like DNS hostname and geo information.
>
> - As the fields (starting from field "action") are not parsed by rsyslog, I think I cannot "manipulate" / "match" them with RainerScript (I think only the fields in upper case can be manipulated as they were parsed by the default parser (5424)). If I did understand, I cannot do what I want?!?!? or, maybe, I can:
>
> - 1. Reinject them in rsyslog and parse them with mmjsonparse? but it seems a waste of resources to do it. (and how to do it?)
> - 2. Create a complete parser from scratch with liblognorm? but it seems to be a huge work and, as the fields can change, it seems not a very effective solution
>
> Did I understand correctly? Do you have suggestions?
>
> Regards
>
> Bruno
Re: [rsyslog] So difficult to make rsyslog to work
On Tue, 2 Apr 2019, Marc Haber via rsyslog wrote:

> Hi David,
>
> On Mon, Mar 25, 2019 at 03:58:26AM -0700, David Lang wrote:
> > On Mon, 25 Mar 2019, Marc Haber via rsyslog wrote:
> > > On Thu, Feb 07, 2019 at 08:01:26AM +0800, 杨华杰 via rsyslog wrote:
> > > > Most of the tutorials I found on the internet are out of date, and I have
> > > > found old syntax configurations are not supported anymore.
> >
> > we've been pretty good about maintaining backwards compatibility, what
> > doesn't work at all? (as opposed to no longer being recommended)?
>
> When I spend time doing some special things with rsyslog, I want to do so
> with the "modern" way that is currently supported. I do not want to spend
> time with something that is "no longer recommended"

There are three categories of config statements

1. old style, but still recommended
   This is pretty much everything that is a one-line statement

2. old style, no longer recommended but still supported
   This is pretty much everything that used a $foo to affect a later statement (template declaration being an exception to this)

3. new 'function' style
   This can be used for anything, sometimes it's less clear than the original legacy style if you are doing simple things. It's needed when you are doing complex things where you need to set multiple options (setting ports, templates, and filename templates are borderline cases)

The only thing we really strongly discourage is where you have a dozen lines setting $foo settings and then have an action, especially with queues, as it's hard to understand what is going on in the old style, and it's so easy to get wrong.

There are even a few cases where the old style multi-line configs are clearer (for example, if you are just writing to files and want the ownership to be consistent everywhere, the old style is much easier to read, but if you are setting ownership and permissions differently for different files, the new style is much clearer)

> > I agree with the problems you outline. If you can write scenarios for us to
> > document, I can help create the configs to do things. As Rainer says, when
> > you get too experienced with something, it's hard to know what to document.
> > I've done a bit with examples in my ;login articles and would be happy to
> > write some configs and explain them.
>
> The problem is that I have difficulties with writing things right now. Do
> you have a wiki page that people could write their wishlist or reference
> configurations to? Or would you be ok with me writing private mail whenever
> I encounter something?

We're happy to teach, but after a few examples we would expect you to make a stab at it for us to correct, a wiki page of examples would be good (as discussed later in this thread)

> My first wish would be like "the default configuration written in advanced
> format", so that one can start with a working configuration when one wants
> to write more sophisticated things without having to verify the basic
> things. Maybe it is even possible to have a program/script that will read a
> basic configuration and write the same thing in advanced format, so that one
> can do a smooth migration even if the basic style configuration has been
> already customized.

@Rainer, I think that having an option to have the config parser dump out its optimized config would be a great idea, I'm going to add a wish-list item for this.

> I think that the explanations given in
> https://www.rsyslog.com/doc/v8-stable/configuration/conf_formats.html look
> like the right thing, but will probably lead to configurations being written
> in a mixture of basic and advanced format without knowing myself whether
> this is even possible at all.

it's very possible, the thing to remember is that if you set something with a $foo setting, it has no effect on anything using the new style

> There is probably a point when it's simpler to maintain if one ditches the
> basic format completely and changes to an advanced format configuration.

only if you are doing a lot of complex things, and sometimes not even then. I write a lot of very complex configs, but I still commonly use the @target style rather than the action() style.

> Currently, this step is risky, and it would be nice to have some help,
> either with a tool or with more explicit docs.

I think it's less risky than you think, which means our docs are bad if they are making you think it's really bad to mix styles.

David Lang
Re: [rsyslog] So difficult to make rsyslog to work
On Tue, 2 Apr 2019, John Chivian via rsyslog wrote:

> Old:
> kern.* /var/log/kern.log
>
> New:
> kern.* {
>     action(
>         type="omfile"
>         name="kern"
>         file="/var/log/kern.log"
>     )
> }

This is a case where we recommend continuing to use the old style, it's enough simpler that it is clearer to anyone with an understanding of syslog

> Old:
> auth.*;authpriv.* @@192.168.10.13:5140
>
> New:
> auth.*;authpriv.* {
>     action(
>         type="omfwd"
>         target="192.168.10.13"
>         port="5140"
>         protocol="tcp"
>         name="tcp-5140-out"
>         queue.size="1024000"
>         queue.filename="tcp-5140.queue"
>         queue.maxdiskspace="1g"
>         queue.type="FixedArray"
>         queue.maxfilesize="10m"
>         queue.saveonshutdown="on"
>         queue.discardseverity="8"
>         Action.ResumeInterval="1"
>         Action.ResumeRetryCount="-1"
>     )
> }

These are not equivalent, the equivalent would be:

auth.*;authpriv.* {
    action(
        type="omfwd"
        target="192.168.10.13"
        port="5140"
        protocol="tcp"
    )
}

Doing the same thing would be another place where using the old style still works, but when you add the additional functionality of your 'new' version, the new style is needed.

David Lang
Re: [rsyslog] So difficult to make rsyslog to work
Some very brief old vs. new examples...

Old:
kern.* /var/log/kern.log

New:
kern.* {
    action(
        type="omfile"
        name="kern"
        file="/var/log/kern.log"
    )
}

Old:
auth.*;authpriv.* @@192.168.10.13:5140

New:
auth.*;authpriv.* {
    action(
        type="omfwd"
        target="192.168.10.13"
        port="5140"
        protocol="tcp"
        name="tcp-5140-out"
        queue.size="1024000"
        queue.filename="tcp-5140.queue"
        queue.maxdiskspace="1g"
        queue.type="FixedArray"
        queue.maxfilesize="10m"
        queue.saveonshutdown="on"
        queue.discardseverity="8"
        Action.ResumeInterval="1"
        Action.ResumeRetryCount="-1"
    )
}

New:
ruleset(name="to_pstats_debug") {
    action(
        type="omfwd"
        name="tcp-5139-out"
        target="192.168.10.13"
        port="5139"
        protocol="tcp"
        queue.size="1024000"
        queue.filename="tcp-5139.queue"
        queue.maxdiskspace="1g"
        queue.type="FixedArray"
        queue.maxfilesize="10m"
        queue.saveonshutdown="on"
        queue.discardseverity="8"
        Action.ResumeInterval="1"
        Action.ResumeRetryCount="-1"
    )
    action(
        type="omfile"
        name="pstats_file"
        file="/logspool/pstats.json"
        template="jsonBlobPretty"
    )
}

syslog.* {
    if ($programname == "rsyslogd-pstats") then {
        call to_pstats_debug
    } else {
        action(
            type="omfile"
            name="syslog"
            file="/var/log/syslog"
        )
    }
}

Regards,

On 4/2/19 9:21 AM, Rainer Gerhards via rsyslog wrote:
> Sent from phone, thus brief.
>
> [...]
Re: [rsyslog] So difficult to make rsyslog to work
Sent from phone, thus brief.

Marc Haber via rsyslog wrote on Tue., 2 Apr. 2019, 15:48:

> On Tue, Apr 02, 2019 at 03:08:15PM +0200, Rainer Gerhards via rsyslog wrote:
> > On Tue., 2 Apr. 2019 at 14:54, Mauricio Tavares via rsyslog () wrote:
> > > > Are the docs in a public git? Where can people ask for clarification
> > > > about things before submitting (probably wrong) patch requests against
> > > > the docs?
> > >
> > > Adding to what was said, how about if we have somewhere a place
> > > (wiki, git, clay tablets) for examples? There we could start with a
> > > page for each example, say:
> >
> > This place already exists: https://github.com/rsyslog/rsyslog-doc
>
> Perfect.
>
> > Doc pages with just questions may sound strange, but it's also an
> > interesting idea.
>
> I would do that with issues in the rsyslog-doc project labeled with
> "question", for example.
>
> There could be a workflow to have examples inserted by merge request:
>
> - I have a task
> - I come up with a "works for me" configuration
> - I fork rsyslog-doc and write docs for "my" configuration
> - I open a merge request
> - Somebody[tm] reviews the configuration and the docs and comments
>   like "things might be more elegant if you do it this way"
> - Discussion happens in the merge request
> - If applicable, I update my merge request with the improvements
>   suggested
> - Eventually, my work gets merged and is part of the official docs.
>
> With "me" being a random contributor. Would that be acceptable for you
> as upstream?

Definitely - everything that helps is welcome. It may make sense to document this on the doc as well. Up for a PR?

Rainer

> Greetings
> Marc
Re: [rsyslog] So difficult to make rsyslog to work
On Tue, Apr 02, 2019 at 03:08:15PM +0200, Rainer Gerhards via rsyslog wrote:
> On Tue., 2 Apr. 2019 at 14:54, Mauricio Tavares via rsyslog () wrote:
> > > Are the docs in a public git? Where can people ask for clarification
> > > about things before submitting (probably wrong) patch requests against
> > > the docs?
> >
> > Adding to what was said, how about if we have somewhere a place
> > (wiki, git, clay tablets) for examples? There we could start with a
> > page for each example, say:
>
> This place already exists: https://github.com/rsyslog/rsyslog-doc

Perfect.

> Doc pages with just questions may sound strange, but it's also an
> interesting idea.

I would do that with issues in the rsyslog-doc project labeled with "question", for example.

There could be a workflow to have examples inserted by merge request:

- I have a task
- I come up with a "works for me" configuration
- I fork rsyslog-doc and write docs for "my" configuration
- I open a merge request
- Somebody[tm] reviews the configuration and the docs and comments like "things might be more elegant if you do it this way"
- Discussion happens in the merge request
- If applicable, I update my merge request with the improvements suggested
- Eventually, my work gets merged and is part of the official docs.

With "me" being a random contributor. Would that be acceptable for you as upstream?

Greetings
Marc

--
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
[rsyslog] Parsing MSG
Hello Rsyslog Users,

I transform syslog 5424 messages into JSON with the following and forward them to Logstash. Logstash is able to read all fields:

template(name="Checkpoint2LogstasgFormat" type="list") {
    constant(value="{")
    constant(value=" \"FROMHOST\": \"")
    property(name="fromhost")
    constant(value="\", \"fromhost-ip\": \"")
    property(name="fromhost-ip")
    constant(value="\", \"HOSTNAME\": \"")
    property(name="hostname")
    constant(value="\", \"PRI\": \"")
    property(name="pri")
    constant(value="\", \"syslogtag\": \"")
    property(name="syslogtag")
    constant(value="\", \"programname\": \"")
    property(name="programname")
    constant(value="\", \"APP-NAME\": \"")
    property(name="app-name")
    constant(value="\", \"PROCID\": \"")
    property(name="procid")
    constant(value="\", \"MSGID\": \"")
    property(name="msgid")
    constant(value="\", \"TIMESTAMP\": \"")
    property(name="timereported")
    constant(value="\", ")
    property(name="$.myvar7")
    constant(value="\"}\n")
}

ruleset(name="remote")
{
    if ($structured-data != "-") then
    {
        set $.myvar = $structured-data ;
        set $.myvar2 = replace($.myvar,":\"", "\": \"");
        set $.myvar3 = replace($.myvar2,"\"; ", "\", \"");
        set $.myvar5 = replace($.myvar3,'\\', '');
        set $.myvar7 = "\""($.myvar5, 1, strlen($.myvar5)-6);
    }
    action
    (
        type="omfwd"
        queue.type="linkedlist"
        queue.filename="example_fwd"
        action.resumeRetryCount="-1"
        queue.saveOnShutdown="on"
        target="172.26.105.21" port="5141" protocol="tcp"
        template="Checkpoint2LogstasgFormat"
    )
    #action (type="omfile" file="/var/log/firewall.log" template="Checkpoint2LogstasgFormat")
    stop
}

input(type="imptcp" port="5140" ruleset="remote")

The result:

{ "FROMHOST": "172.26.107.9", "fromhost-ip": "172.26.107.9", "HOSTNAME": "gw-85322c", "PRI": "134",
  "syslogtag": "CheckPoint[15624]", "programname": "CheckPoint", "APP-NAME": "CheckPoint", "PROCID": "15624",
  "MSGID": "-", "TIMESTAMP": "Apr 2 12:57:16", "action": "Accept", "flags": "411908", "ifdir": "inbound",
  "ifname": "eth0", "logid": "0", "loguid": "{0x5ca35c2c,0x0,0x96b1aac,0xc002}", "origin": "172.26.107.9",
  "originsicname": "cn=cp_mgmt,o=gw-85322c.ubiin.tranet.work.mjnfac", "sequencenum": "2", "time": "1554209836",
  "version": "5",
  "__policy_id_tag": "product=VPN-1 & FireWall-1[db_tag={F1D5BFE9-0E2C-664D-9D4D-E76A490FFAD1};mgmt=gw-85322c;date=1552647946;policy_name=Standard]",
  "dst": "172.26.107.9", "inzone": "Internal", "layer_name": "Network",
  "layer_uuid": "e15c8ace-499c-4e10-ab00-9e6216313de0", "match_id": "1", "parent_rule": "0",
  "rule_action": "Accept", "rule_name": "Cleanup rule", "rule_uid": "29ea5f01-9f51-43a1-a7ac-702ecfb5b86a",
  "outzone": "Local", "product": "VPN-1 & FireWall-1", "proto": "6", "s_port": "58462", "service": "80",
  "service_id": "http", "src": "192.168.168.31"}

- But I would like to add extra information like DNS hostname and geo information
- As the fields (starting from field "action") are not parsed by rsyslog, I think I cannot "manipulate" / "match" them with RainerScript (I think only the fields in upper case can be manipulated as they were parsed by the default parser (5424).)

If I did understand, I cannot do what I want?!?!? or, maybe, I can:

- 1. Reinject them in rsyslog and parse them with mmjsonparse? but it seems a waste of resources to do it. (and how to do it?)
- 2. Create a complete parser from scratch with liblognorm? but it seems to be a huge work and, as the fields can change, it seems not a very effective solution

Did I understand correctly? Do you have suggestions?

Regards
Bruno
Re: [rsyslog] So difficult to make rsyslog to work
On Tue., 2 Apr. 2019 at 14:54, Mauricio Tavares via rsyslog () wrote:
> > Are the docs in a public git? Where can people ask for clarification
> > about things before submitting (probably wrong) patch requests against
> > the docs?
>
> Adding to what was said, how about if we have somewhere a place
> (wiki, git, clay tablets) for examples? There we could start with a
> page for each example, say:

This place already exists: https://github.com/rsyslog/rsyslog-doc

There is an "Edit on GitHub" link on each and every doc page. If that one is clicked, it takes you exactly to the page in question. Please don't be shy to contribute.

> - Generic Linux
> - Generic systemd vXYZ+
> - Generic talking to ESXi
> - Windows
> - SCO UNIX because there are masochists out there
> - Android
> - Generic having one server listening to traffic from other devices
> - Dealing with old style logs
> - Performance and network
> - Getting logs from a Japanese talking toilet seat

That's a great idea. I propose you create a page inside the doc project that holds links to the samples and then fill in samples.

> What those starting points are is not important, but the point is
> people can create a page as if asking "how to do this?" if generic
> enough and others can come in and fill in if they know the answer,
> which might mean whatever they can contribute. If the request is too
> specific that could be answered by reading the other pages and spending
> a few seconds (as in someone wanting others to do his homework), it
> can be cheerfully ignored. The only way for us to know what people
> need is for people to ask.

Doc pages with just questions may sound strange, but it's also an interesting idea.

I just wonder how to make more clear how to contribute - after all, the link is on each and every page and not too many folks seem to see it.

Rainer
Re: [rsyslog] So difficult to make rsyslog to work
On Tue, Apr 2, 2019 at 8:31 AM Marc Haber via rsyslog wrote:
>
> On Mon, Mar 25, 2019 at 10:14:09AM +0100, Rainer Gerhards wrote:
> [...]
> > Most doc is still done by me, most of the rest by other developers.
> > Whenever users contributed doc, it was much better.
>
> Are the docs in a public git? Where can people ask for clarification
> about things before submitting (probably wrong) patch requests against
> the docs?

Adding to what was said, how about if we have somewhere a place (wiki, git, clay tablets) for examples? There we could start with a page for each example, say:

- Generic Linux
- Generic systemd vXYZ+
- Generic talking to ESXi
- Windows
- SCO UNIX because there are masochists out there
- Android
- Generic having one server listening to traffic from other devices
- Dealing with old style logs
- Performance and network
- Getting logs from a Japanese talking toilet seat

What those starting points are is not important, but the point is people can create a page as if asking "how to do this?" if generic enough and others can come in and fill in if they know the answer, which might mean whatever they can contribute. If the request is too specific that could be answered by reading the other pages and spending a few seconds (as in someone wanting others to do his homework), it can be cheerfully ignored. The only way for us to know what people need is for people to ask.

> Greetings
> Marc
Re: [rsyslog] So difficult to make rsyslog to work
On Mon, Mar 25, 2019 at 10:14:09AM +0100, Rainer Gerhards wrote:
> We are glad to help with contributions. But it really is hard to write
> novice doc when you are an expert on that matter. I often don't even
> notice that some folks don't know this or that.

I have been in that situation myself numerous times and can feel your pain.

I think that it would be nice if one would have for the most important or even for all Properties / Input / Output / Filter modules an as-simple-as-possible, but complete and working configuration that one can throw at a rsyslog daemon and have it work. That would save people from figuring out basic syntax issues which are usually the biggest hurdle _I_ encounter in my personal experience when trying to learn a new configuration format. But that might just be my personal style and taste.

Other projects, for example, ship a very basic configuration, and then one example configuration which is very complex, but working, so that people can choose where to start and how to write their "things".

For rsyslog, I can imagine having, in addition to the basic default configuration in basic format, a functionally equivalent configuration in advanced format, and one complex configuration with multiple different inputs, different outputs, a complex buffer configuration etc bla foo.

And, in this new systemd world, I would love to see examples of rsyslog-behind-journald and/or journald-behind-rsyslog which has been the cause of major misunderstandings in my personal past.

> Most doc is still done by me, most of the rest by other developers.
> Whenever users contributed doc, it was much better.

Are the docs in a public git? Where can people ask for clarification about things before submitting (probably wrong) patch requests against the docs?

Greetings
Marc

--
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Re: [rsyslog] So difficult to make rsyslog to work
Hi David,

On Mon, Mar 25, 2019 at 03:58:26AM -0700, David Lang wrote:
> On Mon, 25 Mar 2019, Marc Haber via rsyslog wrote:
> > On Thu, Feb 07, 2019 at 08:01:26AM +0800, 杨华杰 via rsyslog wrote:
> > > Most of the tutorials I found on the internet are out of date, and I have
> > > found old syntax configurations are not supported anymore.
>
> we've been pretty good about maintaining backwards compatibility, what
> doesn't work at all? (as opposed to no longer being recommended)?

When I spend time doing some special things with rsyslog, I want to do so with the "modern" way that is currently supported. I do not want to spend time with something that is "no longer recommended"

> I agree with the problems you outline. If you can write scenarios for us to
> document, I can help create the configs to do things. As Rainer says, when
> you get too experienced with something, it's hard to know what to document.
> I've done a bit with examples in my ;login articles and would be happy to
> write some configs and explain them.

The problem is that I have difficulties with writing things right now. Do you have a wiki page that people could write their wishlist or reference configurations to? Or would you be ok with me writing private mail whenever I encounter something?

My first wish would be like "the default configuration written in advanced format", so that one can start with a working configuration when one wants to write more sophisticated things without having to verify the basic things. Maybe it is even possible to have a program/script that will read a basic configuration and write the same thing in advanced format, so that one can do a smooth migration even if the basic style configuration has been already customized.

I think that the explanations given in https://www.rsyslog.com/doc/v8-stable/configuration/conf_formats.html look like the right thing, but will probably lead to configurations being written in a mixture of basic and advanced format without knowing myself whether this is even possible at all.

There is probably a point when it's simpler to maintain if one ditches the basic format completely and changes to an advanced format configuration. Currently, this step is risky, and it would be nice to have some help, either with a tool or with more explicit docs.

Greetings
Marc

--
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Re: [rsyslog] [E] Re: Help with newer syntax a ruleset and forwarding
I use a similar config to forward from my servers.

ruleset(name="linux_forward"
        queue.type="LinkedList"
        queue.filename="nlsFwdRule0"
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on") {
    action(type="omfwd"
           target="2001:4888:a00:3154:f0:ff2:0:b01"
           protocol="udp"
           port="5544"
           resumeRetryCount="-1")
}

and it's called like that:

if () then {
    call linux_forward
    stop
}

Flo

On Mon, Apr 1, 2019 at 9:27 PM Gorman, Kevin via rsyslog <rsyslog@lists.adiscon.com> wrote:

> For the moment, I've removed the app part of the configuration. Redhat
> suggested changing action to the config that's below. Still, nothing is
> forwarded, which is the sole purpose of the configuration. I'm trying to
> use the rule to avoid repeating the IP address over and over as well as to
> not use lots of files.
>
> I imagine I could use the earlier format and combine the files, so that's
> not really a big issue. If it's better I'm not against just using the
> earlier format.
>
> # cat rsyslog.all.conf
> module(load="imfile" mode="inotify")
>
> global (
>     parser.dropTrailingLFOnReception="on"
>     parser.escapeControlCharactersOnReceive="on"
>     workDirectory="/var/lib/rsyslog"
> )
>
> ruleset(
>     name="linux_forward"
>     queue.type="LinkedList"
>     queue.filename="nlsFwdRule0"
>     queue.maxDiskSpace="1g"
>     queue.saveOnShutdown="on"
> ) {
>     action(
>         type="omfwd"
>         target="2001:4888:a00:3154:f0:ff2:0:b01"  # VIP address of logserver
>         protocol="udp"
>         port="5544"
>         #resumeRetryCount="-1"
>     )
>     stop
> }
>
> # cat rsyslog.linux.conf
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     file="*.*"
>     escapeLF="on"
>     tag="syslog"
> )
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     tag="ansible"
>     file="/var/log/ansible.log"
>     escapeLF="on"
> )
>
> input(
>     type="imfile"
>     ruleset="linux_forward"
>     tag="audit"
>     file="/var/log/audit/audit.log"
>     escapeLF="on"
> )
>
> ]# rsyslogd -N2
> rsyslogd: version 8.24.0-34.el7, config validation run (level 2), master config /etc/rsyslog.conf
>
> 6396.163499269:main thread: debug level 2 set via config file
> 6396.163515320:main thread: This is rsyslog version 8.24.0-34.el7
> 6396.163520128:main thread: config parser: reached end of file /etc/rsyslog.d/rsyslog.debug.conf
> 6396.163524390:main thread: config parser: resume parsing of file /etc/rsyslog.d/rsyslog.linux.conf at line 1
> 6396.163531565:main thread: cnf:global:obj: obj: 'input'
> 6396.163538048:main thread: nvlst 0x562f39069bb0:
> 6396.163541541:main thread:     name: 'tag', value 'syslog'
> 6396.163545544:main thread:     name: 'escapeLF', value 'on'
> 6396.163549402:main thread:     name: 'file', value '*.*'
> 6396.163553221:main thread:     name: 'ruleset', value 'linux_forward'
> 6396.163557231:main thread:     name: 'type', value 'imfile'
> 6396.163562884:main thread: nvlstGetParam: name 'type', type 14, valnode->bUsed 0
> 6396.163566743:main thread: input param blk after inputProcessCnf:
> 6396.163570295:main thread:     type: 'imfile'
> 6396.163579084:main thread: newInpInst (imfile)
> 6396.163582949:main thread: nvlstGetParam: name 'file', type 14, valnode->bUsed 0
> 6396.163586431:main thread: nvlstGetParam: name 'tag', type 14, valnode->bUsed 0
> 6396.163590393:main thread: nvlstGetParam: name 'ruleset', type 14, valnode->bUsed 0
> 6396.163594337:main thread: nvlstGetParam: name 'escapelf', type 4, valnode->bUsed 0
> 6396.163598668:main thread: input param blk in imfile:
> 6396.163601763:main thread:     file: '*.*'
> 6396.163609748:main thread:     tag: 'syslog'
> 6396.163617468:main thread:     severity: (unset)
> 6396.163625204:main thread:     facility: (unset)
> 6396.163632741:main thread:     ruleset: 'linux_forward'
> 6396.163640567:main thread:     readmode: (unset)
> 6396.163647878:main thread:     startmsg.regex: (unset)
> 6396.163655402:main thread:     escapelf: 1
> 6396.163663156:main thread:     reopenontruncate: (unset)
> 6396.163670723:main thread:     maxlinesatonce: (unset)
> 6396.163678123:main thread:     trimlineoverbytes: (unset)
> 6396.163685535:main thread:     maxsubmitatonce: (unset)
6396.163693026:main thread: removestateondelete: (unset) > 6396.163700527:main thread: persiststateinterval: (unset) > 6396.163707941:main thread: deletestateonfiledelete: (unset) > 6396.163715616:main thread: addmetadata: (unset) > 6396.163723134:main thread: addceetag: (unset) > 6396.163730628:main thread: statefile: (unset) > 6396.163738023:main thread: readtimeout: (unset) > 6396.163745561:main thread: freshstarttail: (unset) > 6396.163753288:main thread: filenotfounderror: (unset) > 6396.163766549:main thread: imfile: adding file monitor for > '/etc/rsyslog.d/*.*' >
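The pattern discussed in this thread, a forwarding ruleset with its own disk-assisted queue that the imfile inputs bind to (or that other rules reach with `call`), written out as one complete config. This is an added example for the thread, not Flo's or Kevin's configuration: the log server name, port, file names and the `sshd` condition are placeholders. Two things it changes relative to the quoted configs are deliberate: the retry parameter is spelled `action.resumeRetryCount` (the action-scoped name omfwd accepts), and the imfile paths are absolute, because the `-N2` output quoted above shows the relative `file="*.*"` being monitored as `/etc/rsyslog.d/*.*`, the config directory rather than anything under `/var/log`.

```rsyslog
# Added example (not from the thread). Placeholders: logserver.example, 5544,
# the monitored files and the "sshd" condition.
module(load="imfile" mode="inotify")

global(
    workDirectory="/var/lib/rsyslog"            # queue.filename spool files land here
    parser.dropTrailingLFOnReception="on"
    parser.escapeControlCharactersOnReceive="on"
)

# One forwarding ruleset with its own queue: an outage of the log server
# spools messages to disk instead of blocking the inputs or losing data.
ruleset(name="linux_forward"
        queue.type="LinkedList"
        queue.filename="nlsFwdRule0"            # spool prefix under workDirectory
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on") {
    action(type="omfwd"
           target="logserver.example"           # placeholder for the collector
           port="5544"
           protocol="tcp"                       # tcp: send failures are detectable, so the queue can retry
           action.resumeRetryCount="-1")        # retry forever rather than dropping the action
    stop
}

# Inputs bind to the ruleset directly. Paths are absolute: a relative
# pattern such as "*.*" is resolved against the config directory, as the
# quoted -N2 output shows ('/etc/rsyslog.d/*.*').
input(type="imfile" file="/var/log/ansible.log"     tag="ansible" escapeLF="on" ruleset="linux_forward")
input(type="imfile" file="/var/log/audit/audit.log" tag="audit"   escapeLF="on" ruleset="linux_forward")

# Messages arriving through other inputs (and so processed by the default
# ruleset) can reach the same forwarder with call, as in Flo's snippet.
if $programname == "sshd" then {
    call linux_forward
    stop
}
```

Validate with `rsyslogd -N2` before restarting; an unknown parameter name such as a mis-scoped `resumeRetryCount` is reported at that stage, and the imfile lines in the debug output show which path each input actually monitors. The example uses TCP where the thread uses UDP on purpose: with UDP, omfwd never learns that a send failed, so `action.resumeRetryCount` and the disk queue have nothing to react to, and messages sent during a collector outage are simply lost.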