On Wed, 5 Jun 2013, Xuri Nagarin wrote:

I am receiving logs from a sender in CEF format delimited by the pipe
character.

I need to output logs to folder structure by splitting each line by the
pipe delimiter and creating a folder structure such as
"/var/log/field2/field3/logfile". Field 2 is vendor and field 3 is product
(Example, Vendor: Cisco, Product: ASA).

So I wrote this template:
$template cefdynfile,"/var/log/cef/%msg:F,124:2:%/%msg:F,124:3%/logfile"

However, what I am seeing is that the directories created by this template
include other fields that are part of the log message and aren't unique.

I am sure the messages are coming in fine and not mangled because if I
write a similar parser in syslog-ng (that I am trying to replace with
rsyslog), the directory structure comes out clean.

I suspect there is an issue with how rsyslog handles control characters and
ASCII codes.

What would be the best way to split a log message by the pipe char and
ensure sanity of the resulting token?

I am running the stock rsyslog distributed with CentOS6 - 5.8.10-6.

5.8 is rather old right now (7.4 is nearing release).

without seeing the logs it's going to be pretty hard for us to figure out what's going on. Rsyslog does escape control characters by default, but it escapes them into #xxx sequences.

Please log some of these messages with the format RSYSLOG_DebugFormat and then send a sample log that's misbehaving.

The template you are using matches what I would set up.

David Lang
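As an added illustration of the "split by the pipe and make sure the token is sane" step asked about in this thread (this is not code from the thread or from rsyslog, and it stands in for the template rather than reproducing it), the Python below splits a CEF header on unescaped pipes, strips rsyslog's '#ooo' control-character escapes that David mentions, and reduces the vendor and product fields to plain directory names before building the path. The sample lines in the test are constructed; the '#ooo' octal form, the CEF '\|' escape and the seven-separator header layout are assumptions about the formats involved.

```python
import re
from pathlib import PurePosixPath

# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
CEF_HEADER_PIPES = 7
RSYSLOG_CTRL_ESCAPE = re.compile(r"#[0-7]{3}")   # rsyslog's '#ooo' escape for a control byte
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")    # anything not wanted in a directory name


def split_cef_header(msg):
    """Split a CEF line on unescaped pipes ('\\|' is a literal pipe, '\\\\' a
    backslash); the extension may contain bare pipes, so stop after seven."""
    fields, cur, i = [], [], 0
    while i < len(msg):
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg) and msg[i + 1] in "|\\":
            cur.append(msg[i + 1])
            i += 2
        elif ch == "|" and len(fields) < CEF_HEADER_PIPES:
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields


def safe_dir_component(token):
    """Drop control-character escapes, replace any other unexpected character
    with '_', and refuse empty or dot-only names (no '/' or '..' can survive)."""
    token = RSYSLOG_CTRL_ESCAPE.sub("", token).strip()
    token = UNSAFE_CHARS.sub("_", token)
    if not token or set(token) <= {"."}:
        return None
    return token


def cef_log_path(msg, base="/var/log/cef"):
    """Return '<base>/<vendor>/<product>/logfile', or None if unusable."""
    fields = split_cef_header(msg)
    if len(fields) <= 2:
        return None
    names = [safe_dir_component(f) for f in fields[1:3]]   # vendor, product
    if None in names:
        return None
    path = PurePosixPath(base) / names[0] / names[1] / "logfile"
    # Belt and braces: the result must still live under the base directory.
    return str(path) if PurePosixPath(base) in path.parents else None
```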
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog