Thanks David. I figured it out:

$Ruleset loggercef
:syslogtag, isequal, "CEF:" ?cefdynfile

Now I have a clean folder structure.

On Wed, Jun 5, 2013 at 1:36 PM, David Lang <[email protected]> wrote:

> On Wed, 5 Jun 2013, Xuri Nagarin wrote:
>
>> I am receiving logs from a sender in CEF format delimited by the pipe
>> character.
>>
>> I need to output logs to a folder structure by splitting each line by the
>> pipe delimiter and creating a folder structure such as
>> "/var/log/field2/field3/logfile". Field 2 is vendor and field 3 is product
>> (Example, Vendor: Cisco, Product: ASA).
>>
>> So I wrote this template:
>> $template cefdynfile,"/var/log/cef/%msg:F,124:2:%/%msg:F,124:3%/logfile"
>>
>> However, what I am seeing is that the directories created by this template
>> include other fields that are part of the log message and aren't unique.
>>
>> I am sure the messages are coming in fine and not mangled because if I
>> write a similar parser in syslog-ng (that I am trying to replace with
>> rsyslog), the directory structure comes out clean.
>>
>> I suspect there is an issue with how rsyslog handles control characters
>> and ascii codes.
>>
>> What would be the best way to split a log message by the pipe char and
>> ensure sanity of the resulting token?
>>
>> I am running the stock rsyslog distributed with CentOS6 - 5.8.10-6.
>>
>
> 5.8 is rather old right now (7.4 is nearing release)
>
> Without seeing the logs it's going to be pretty hard for us to figure out
> what's going on. Rsyslog does escape control characters by default, but it
> escapes them into #xxx sequences.
>
> Please log some of these messages with the format RSYSLOG_DebugFormat and
> then send a sample log that's misbehaving.
>
> The template you are using matches what I would set up.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
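As an added illustration (example code written for this edit, not code from the thread, from rsyslog, or from either poster), the following Python script emulates the two rsyslog behaviours discussed in the thread: the `%msg:F,124:N%` field-split property replacer and the default control-character escaping David mentions, where each control character becomes `#` followed by its three-digit octal code. It then applies the thread's vendor/product directory layout to constructed CEF lines and refuses any token that is not a plain directory name. The sample lines, the `SAFE_TOKEN` rule and the choice to return `None` for a rejected token are assumptions of the example, not rsyslog behaviour.

```python
"""Added example, not from the thread: emulate rsyslog's %msg:F,124:N%
field split and its default control-character escaping on constructed
CEF lines, and check vendor/product tokens before they become directories.
"""
import re
from typing import List, Optional

# Constructed sample lines (not from the original post): a clean CEF
# header, one with an embedded control character in the vendor field, and
# one whose vendor field looks like a relative path.
SAMPLE_LINES = [
    "CEF:0|Cisco|ASA|9.1|106023|Deny tcp|3|src=10.0.0.1 dst=10.0.0.2",
    "CEF:0|Cisco\x01|ASA|9.1|106023|Deny tcp|3|src=10.0.0.1",
    "CEF:0|../etc|ASA|9.1|106023|Deny tcp|3|src=10.0.0.1",
]


def escape_control_chars(msg: str, escape_char: str = "#") -> str:
    """Mimic rsyslog's default $EscapeControlCharactersOnReceive: every
    control character (0x00-0x1F, 0x7F) is replaced by '#' followed by its
    three-digit octal code, e.g. TAB becomes '#011'.  These are the '#xxx'
    sequences David refers to."""
    out = []
    for ch in msg:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append(f"{escape_char}{code:03o}")
        else:
            out.append(ch)
    return "".join(out)


def rsyslog_field(msg: str, delim_code: int, index: int) -> str:
    """Emulate %msg:F,<delim_code>:<index>%: split on the character with
    the given decimal code (124 is '|') and return the 1-based field.
    Assumption of this example: an out-of-range index yields ''."""
    fields = msg.split(chr(delim_code))
    if 1 <= index <= len(fields):
        return fields[index - 1]
    return ""


# Assumed rule for an acceptable directory component: starts with an
# alphanumeric and continues with alphanumerics, '_', '.' or '-'.  A token
# that rsyslog has escaped ('Cisco#001') or that is path-like ('../etc')
# therefore fails the check instead of becoming a directory name.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def safe_dir_token(token: str) -> bool:
    """True when the token is a plain name usable as one path component."""
    return bool(SAFE_TOKEN.match(token))


def cef_log_path(msg: str, base: str = "/var/log/cef") -> Optional[str]:
    """Build <base>/<vendor>/<product>/logfile the way the cefdynfile
    template in the thread does (field 2 = vendor, field 3 = product),
    after applying rsyslog-style escaping.  Returns None when either token
    fails the check, so the caller can route the line to a fallback file."""
    escaped = escape_control_chars(msg)
    vendor = rsyslog_field(escaped, 124, 2)
    product = rsyslog_field(escaped, 124, 3)
    if not (safe_dir_token(vendor) and safe_dir_token(product)):
        return None
    return f"{base}/{vendor}/{product}/logfile"


def route_lines(lines: List[str]) -> List[Optional[str]]:
    """Map each line to its target path, or None for the fallback file."""
    return [cef_log_path(line) for line in lines]


if __name__ == "__main__":
    for line, path in zip(SAMPLE_LINES, route_lines(SAMPLE_LINES)):
        print(f"{path or '<fallback>'}  <-  {escape_control_chars(line)!r}")
```

Run directly, the script prints the target path for each sample line: the clean line lands in `/var/log/cef/Cisco/ASA/logfile`, while the line whose vendor field carries a control character (escaped to `Cisco#001`) and the path-like one (`../etc`) are both sent to the fallback instead of creating new directories, which is the "sanity of the resulting token" the original question asks about.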

