On Tue, 7 Mar 2023, amaury--- via rsyslog wrote:

Hello
I have modified my template to have a "real" JSON log format
ruleset( name="udp-netlogs-tool"){
        reset $.mstoredir = "/data/logs";
        set $!log2json = replace( $msg, "=", ":");
        set $!msg = replace( $!log2json, " LogRecord ", "");

what does a DebugFormat output look like at this point?

#action( name="normalize" useRawMsg="off" type="mmnormalize" rulebase="/etc/rsyslog.d/rulebase.rb" path="$!logrecord" variable="$!msg")
#action( name="normalize" useRawMsg="off" type="mmnormalize" rulebase="/etc/rsyslog.d/rulebase.rb" path="$!logrecord" )
action( name="normalize" useRawMsg="off" type="mmnormalize" rulebase="/etc/rsyslog.d/rulebase.rb")
#action(type="mmnormalize" useRawMsg="off" rulebase="/etc/rsyslog.d/rulebasetool.rb" path="$!normalized_msg" variable="$!logrecord")
action(type="mmnormalize" useRawMsg="off" rule=["rule=:%clienIp:ipv4%"] )

what are the various rb files, and what is the DebugFormat output after attempting the parse?

Now $msg is: "msg": "{id:'null', date:1678183203520, applicationInstanceId....inboundBytes:null, outboundBytes:null}",

this sounds like what $!msg should look like after the manipulations above

and $! is: "log2json": " LogRecord {id:'null', date:1678186740986...inboundBytes:null, outboundBytes:null}",

This matches what I would expect from the section above

I try to use rulebasejsape.rb:
rule=:%id:char-to%:, %date:date-rfc3164%, %applicationInstanceId:char-to:,%, %domainName:word%, %serverIp:ipv4%, %serverPort:number%, %clientIp:ipv4%, %clientPort:number%, %sessionId:char-to:,%, %username:word%, %clientRequest:char-to:,%, %clientMessage:char-to:,%, %serverStatus:char-to:,%, %serverMessage:char-to:,%, %inboundBytes:number%, %outboundBytes:number%
but when I use this one, rsyslog generates a coredump...

what is the config where you tried to use this? does it coredump when it loads, or when you get the first message that matches?

Hello
I try debugging with

with: action( name="normalize" type="mmnormalize" useRawMsg="off" rulebase="/etc/rsyslog.d/rulebase.rb" path="$.logrecord" )
 Debug line with all properties:

what exactly was rulebase.rb when you tried this?

msg: ' LogRecord {id='null', date=1677831520226, applicationInstanceId='5fc42f05-36ab-45ff-908d-e7b978a88269', domainName='public', serverIp='yyy.yyy.yyy.yyy', serverPort=2222, clientIp='hhh.hhh.hhh.hhh', clientPort=50748, sessionId='6233bbbf-dda9-4627-b4b0-8b65012a5564', username='user02', clientRequest='null', clientMessage='null', serverStatus='session closed', serverMessage='SFTP/SCP', inboundBytes=null, outboundBytes=null}'

when you have userawmsg off, this is what you are parsing

rawmsg: '<14>Mar 3 09:18:40 xxx.xxx.xxx.xxx TOOL: LogRecord {id='null', date=1677831520226, applicationInstanceId='5fc42f05-36ab-45ff-908d-e7b978a88269', domainName='public', serverIp='yyy.yyy.yyy.yyy', serverPort=2222, clientIp='hhh.hhh.hhh.hhh', clientPort=50748, sessionId='6233bbbf-dda9-4627-b4b0-8b65012a5564', username='user02', clientRequest='null', clientMessage='null', serverStatus='session closed', serverMessage='SFTP/SCP', inboundBytes=null, outboundBytes=null}'

if you were to parse the rawmsg, this is what you are seeing

neither of these match your rulebasejsape.rb you list above


"=logrecord": { "originalmsg": " LogRecord {id='null', date=1677831520226, applicationInstanceId='5fc42f05-36ab-45ff-908d-e7b978a88269', domainName='public', serverIp='yyy.yyy.yyy.yyy', serverPort=2222, clientIp='hhh.hhh.hhh.hhh', clientPort=50748, sessionId='6233bbbf-dda9-4627-b4b0-8b65012a5564', username='user02', clientRequest='null', clientMessage='null', serverStatus='session closed', serverMessage='SFTP\/SCP', inboundBytes=null, outboundBytes=null}",


"unparsed-data": "{id='null', date=1677831520226, applicationInstanceId='5fc42f05-36ab-45ff-908d-e7b978a88269', domainName='public', serverIp='yyy.yyy.yyy.yyy', serverPort=2222, clientIp='hhh.hhh.hhh.hhh', clientPort=50748, sessionId='6233bbbf-dda9-4627-b4b0-8b65012a5564', username='user02', clientRequest='null', clientMessage='null', serverStatus='session closed', serverMessage='SFTP\/SCP', inboundBytes=null, outboundBytes=null}" } }

This section says that your rulebase is using the name '=logrecord' which seems unintended.

the unparsed-data field is showing where it broke in parsing the message


David Lang
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
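As an added example that is not part of this thread and not rsyslog or liblognorm code, here is a small Python parser that does what the rulebase above is trying to do: take the `msg` property shown in the debug output (useRawMsg="off") and turn the `key=value, key='value'` record into typed JSON. The sample input is constructed from the masked record quoted in the debug lines; the `SAMPLE_RAWMSG` variant prepends the syslog header exactly as the `rawmsg` line shows it, to illustrate why a rule written for `msg` fails against the raw message. Two caveats it handles that the quoted `char-to:,` rules cannot: a comma inside a quoted value is not a field separator, and the quoted string `'null'` (`id='null'`) is kept distinct from the bare `null` (`inboundBytes=null`).

```python
import json
import re

# Constructed sample input: the `msg` property quoted in the debug output
# (useRawMsg="off"), i.e. the syslog payload after the "TOOL:" tag, with the
# addresses already masked the way the thread shows them.
SAMPLE_MSG = (
    " LogRecord {id='null', date=1677831520226, "
    "applicationInstanceId='5fc42f05-36ab-45ff-908d-e7b978a88269', "
    "domainName='public', serverIp='yyy.yyy.yyy.yyy', serverPort=2222, "
    "clientIp='hhh.hhh.hhh.hhh', clientPort=50748, "
    "sessionId='6233bbbf-dda9-4627-b4b0-8b65012a5564', username='user02', "
    "clientRequest='null', clientMessage='null', "
    "serverStatus='session closed', serverMessage='SFTP/SCP', "
    "inboundBytes=null, outboundBytes=null}"
)

# The same record as it appears in `rawmsg` (useRawMsg="on"): the syslog
# header is still in front, so a parser expecting "LogRecord {" must reject it.
SAMPLE_RAWMSG = "<14>Mar 3 09:18:40 xxx.xxx.xxx.xxx TOOL:" + SAMPLE_MSG

_KEY_RE = re.compile(r"\s*([A-Za-z_]\w*)=")
_SEP_RE = re.compile(r"\s*,?\s*")


def _coerce(raw: str):
    """Type a bare (unquoted) value: null -> None, ints -> int, else str."""
    if raw == "null":
        return None
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_logrecord(msg: str) -> dict:
    """Parse " LogRecord {k=v, k='v', ...}" into a dict of typed values.

    Quoted values keep everything up to the closing quote, so a comma inside
    a quoted field is not mistaken for a field separator.  The quoted string
    'null' (id='null') stays the string "null", while the bare null
    (inboundBytes=null) becomes None, because that is what the producer
    emitted.  Raises ValueError where the text stops matching, which is the
    spot mmnormalize would report as unparsed-data.
    """
    text = msg.strip()
    prefix = "LogRecord {"
    if not text.startswith(prefix) or not text.endswith("}"):
        raise ValueError(f"no LogRecord envelope at: {text[:40]!r}")
    body = text[len(prefix):-1]
    fields = {}
    i, n = 0, len(body)
    while i < n:
        m = _KEY_RE.match(body, i)
        if not m:
            raise ValueError(f"unparsed data at offset {i}: {body[i:i + 30]!r}")
        key = m.group(1)
        i = m.end()
        if i < n and body[i] == "'":
            # single-quoted string; a backslash escapes the next character
            j = i + 1
            chars = []
            while j < n and body[j] != "'":
                if body[j] == "\\" and j + 1 < n:
                    j += 1
                chars.append(body[j])
                j += 1
            if j >= n:
                raise ValueError(f"unterminated quote in field {key!r}")
            fields[key] = "".join(chars)
            i = j + 1
        else:
            # bare token runs to the next comma (or the end of the body)
            j = body.find(",", i)
            end = n if j == -1 else j
            fields[key] = _coerce(body[i:end].strip())
            i = end
        i = _SEP_RE.match(body, i).end()
    return fields


def to_json(msg: str) -> str:
    """The "real" JSON the thread is after, as one line suitable for $!msg."""
    return json.dumps(parse_logrecord(msg), separators=(",", ":"))


if __name__ == "__main__":
    print(to_json(SAMPLE_MSG))
    try:
        parse_logrecord(SAMPLE_RAWMSG)
    except ValueError as err:
        print("rawmsg rejected:", err)
```

Running it prints the record as compact JSON with `clientPort`, `serverPort` and `date` as numbers and the two byte counters as JSON `null`, then shows the raw message being rejected at the `<14>` header, which is the same mismatch David points to between the rulebase and what mmnormalize is actually fed.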
