
rule help
I am trying to parse a log file

I have tried several iterations to get my rule to work

The time is hr:min:sec


how should the rule be on this?



"unparsed-data": " time=15:54:37 devname=\"CSPCFW01-M\" devid=\"FG3H0E5818903304\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1562104477 srcip=10.18.66.10 srcport=47292 srcintf=\"VLAN66\" srcintfrole=\"lan\" dstip=10.18.70.228 dstport=53 dstintf=\"VLAN714\" dstintfrole=\"lan\" poluuid=\"c90ba4ee-fd82-51e8-1c37-dcd8078e44b8\" sessionid=40256898 proto=17 action=\"accept\" policyid=5 policytype=\"policy\" service=\"DNS\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=180 sentbyte=68 rcvdbyte=227 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" devtype=\"Unknown\" unauthuser=\"admin\" unauthusersource=\"kerberos\" mastersrcmac=\"00:0c:29:eb:3d:87\" srcmac=\"00:0c:29:eb:3d:87\" srcserver=1 dstdevtype=\"Linux PC\" dstosname=\"Linux\" dstosversion=\"3.10.0-957. (x64)\" dstunauthuser=\"admin\" dstunauthusersource=\"kerberos\" masterdstmac=\"00:0c:29:30:e8:bd\" dstmac=\"00:0c:29:30:e8:bd\" dstserver=1" }



_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: rule help
Rule
rule=:time=%time:time-24hr% devname=%devname:word% devid=%devid:word% logid=%logid:number% type=%type:word% subtype=%subtype:word% level=%level:word% vd=%vd:word% eventtime=%eventtime:number% srcip=%srcip:ipv4% srcport=%srcport:number% srcintf=%srcintf:word% srcintfrole=%srcintfrole:word% dstip=%dstip:ipv4% dstport=%dstport:number% dstintf=%dstintf:word% dstintfrole=%dstintfrole:word% sessionid=%sessionid:number% proto=%proto:number% action=%action:word% policyid=%policyid:number% policytype=%policytype:word% service=%service:word% dstcountry=%dstcountry:word% srccountry=%srccountry:word% trandisp=%trandisp:word% app=%app:word% duration=%duration:number% sentbyte=%sentbyte:number% rcvdbyte=%rcvdbyte:number% sentpkt=%sentpkt:number% appcat=%appcat:word% crscore=%crscore:number% craction=%craction:number% crlevel=%crlevel:word% devtype=%devtype;word% mastersrcmac=%mastersrcmac:word% srcmac=%srcmac:word% srcserver=%srcserver:number%



output
$!:{ "originalmsg": " time=09:05:01 devname=\"CSPCFW01-M\" devid=\"FG3H0E5818903304\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1562166301 srcip=10.18.66.10 srcport=35343 srcintf=\"VLAN66\" srcintfrole=\"lan\" dstip=10.18.70.228 dstport=53 dstintf=\"VLAN714\" dstintfrole=\"lan\" poluuid=\"c90ba4ee-fd82-51e8-1c37-dcd8078e44b8\" sessionid=42605383 proto=17 action=\"accept\" policyid=5 policytype=\"policy\" service=\"DNS\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=180 sentbyte=74 rcvdbyte=182 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" devtype=\"Unknown\" unauthuser=\"admin\" unauthusersource=\"kerberos\" mastersrcmac=\"00:0c:29:eb:3d:87\" srcmac=\"00:0c:29:eb:3d:87\" srcserver=1 dstdevtype=\"Linux PC\" dstosname=\"Linux\" dstosversion=\"3.10.0-957. (x64)\" dstunauthuser=\"admin\" dstunauthusersource=\"kerberos\" masterdstmac=\"00:0c:29:30:e8:bd\" dstmac=\"00:0c:29:30:e8:bd\" dstserver=1", "unparsed-data": " time=09:05:01 devname=\"CSPCFW01-M\" devid=\"FG3H0E5818903304\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" eventtime=1562166301 srcip=10.18.66.10 srcport=35343 srcintf=\"VLAN66\" srcintfrole=\"lan\" dstip=10.18.70.228 dstport=53 dstintf=\"VLAN714\" dstintfrole=\"lan\" poluuid=\"c90ba4ee-fd82-51e8-1c37-dcd8078e44b8\" sessionid=42605383 proto=17 action=\"accept\" policyid=5 policytype=\"policy\" service=\"DNS\" dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=\"noop\" duration=180 sentbyte=74 rcvdbyte=182 sentpkt=1 rcvdpkt=1 appcat=\"unscanned\" devtype=\"Unknown\" unauthuser=\"admin\" unauthusersource=\"kerberos\" mastersrcmac=\"00:0c:29:eb:3d:87\" srcmac=\"00:0c:29:eb:3d:87\" srcserver=1 dstdevtype=\"Linux PC\" dstosname=\"Linux\" dstosversion=\"3.10.0-957. (x64)\" dstunauthuser=\"admin\" dstunauthusersource=\"kerberos\" masterdstmac=\"00:0c:29:30:e8:bd\" dstmac=\"00:0c:29:30:e8:bd\" dstserver=1" }




________________________________
From: rsyslog <rsyslog-bounces@lists.adiscon.com> on behalf of Jason Prouty via rsyslog <rsyslog@lists.adiscon.com>
Sent: Tuesday, July 2, 2019 6:05 PM
To: rsyslog@lists.adiscon.com
Cc: Jason Prouty
Subject: [rsyslog] rule help
Re: rule help
This is an easy one: your message starts with a space and your rule does not, so
the rule does not match the message.

When this happens, look at unparsed-data; that is the part of the message that
didn't match any rule.

David Lang

On Wed, 3 Jul 2019, Jason Prouty via rsyslog wrote:

> Date: Wed, 3 Jul 2019 15:09:59 +0000
> From: Jason Prouty via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Jason Prouty <jprouty@cctus.com>
> Subject: Re: [rsyslog] rule help
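As an added illustration (not code from this thread, nor from rsyslog or liblognorm), the Python below emulates just enough of the legacy %name:type% rule syntax to reproduce what David Lang's reply describes: a rule with no leading space stops at offset 0, so unparsed-data is the whole message. It also covers the rule posted in the reply above, which has further problems the thread does not go into: a `;` instead of `:` in %devtype;word%, fields the message does not carry (app, crscore, craction, crlevel), message fields the rule does not cover (poluuid, rcvdpkt and everything after srcserver, which matters because liblognorm only reports a match when the whole message is consumed), and word parsers for quoted values such as "Linux PC" that contain a space. The regexes standing in for each parser type, the quote-stripping done for quoted-string, and the way unparsed-data is computed as the tail from the point where matching stopped are this example's assumptions; FIXED_FIELDS and the two rules generated from it are constructed here, and MSG is a copy of the message from the first post.

```python
import re

# Emulation of liblognorm's legacy "%name:type%" rules (NOT liblognorm itself).
# The regexes are this example's approximations of the named parser types.
PARSERS = {
    "word": r"\S+",                                     # up to next whitespace
    "number": r"\d+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "time-24hr": r"(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d",  # hr:min:sec
    "quoted-string": r'"[^"]*"',                        # quotes stripped below (assumed)
    "rest": r".*",
}
FIELD = re.compile(r"%([A-Za-z0-9_]+):([a-z0-9-]+)%")


def compile_rule(rule):
    """Split a 'rule=[tags]:pattern' line into literal and field tokens."""
    if rule.startswith("rule="):
        rule = rule.split(":", 1)[1]          # drop the 'rule=<tags>:' prefix
    tokens, pos = [], 0
    for m in FIELD.finditer(rule):
        if m.start() > pos:
            tokens.append(("lit", rule[pos:m.start()]))
        tokens.append(("field", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(rule):
        tokens.append(("lit", rule[pos:]))
    return tokens


def normalize(tokens, msg):
    """Match left to right. On failure return originalmsg plus the unparsed
    tail from the offset where matching stopped (modelled on mmnormalize's
    unparsed-data for a message no rule matched)."""
    fields, pos = {}, 0
    for tok in tokens:
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return {"originalmsg": msg, "unparsed-data": msg[pos:]}
            pos += len(tok[1])
        else:
            _, name, ptype = tok
            m = re.compile(PARSERS[ptype]).match(msg, pos)
            if m is None:
                return {"originalmsg": msg, "unparsed-data": msg[pos:]}
            value = m.group(0)
            fields[name] = value[1:-1] if ptype == "quoted-string" else value
            pos = m.end()
    if pos != len(msg):                       # the whole message must be consumed
        return {"originalmsg": msg, "unparsed-data": msg[pos:]}
    return fields


# Copy of the message from the thread (note the leading space).
MSG = (
    ' time=15:54:37 devname="CSPCFW01-M" devid="FG3H0E5818903304" logid="0000000013"'
    ' type="traffic" subtype="forward" level="notice" vd="root" eventtime=1562104477'
    ' srcip=10.18.66.10 srcport=47292 srcintf="VLAN66" srcintfrole="lan"'
    ' dstip=10.18.70.228 dstport=53 dstintf="VLAN714" dstintfrole="lan"'
    ' poluuid="c90ba4ee-fd82-51e8-1c37-dcd8078e44b8" sessionid=40256898 proto=17'
    ' action="accept" policyid=5 policytype="policy" service="DNS"'
    ' dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180'
    ' sentbyte=68 rcvdbyte=227 sentpkt=1 rcvdpkt=1 appcat="unscanned"'
    ' devtype="Unknown" unauthuser="admin" unauthusersource="kerberos"'
    ' mastersrcmac="00:0c:29:eb:3d:87" srcmac="00:0c:29:eb:3d:87" srcserver=1'
    ' dstdevtype="Linux PC" dstosname="Linux" dstosversion="3.10.0-957. (x64)"'
    ' dstunauthuser="admin" dstunauthusersource="kerberos"'
    ' masterdstmac="00:0c:29:30:e8:bd" dstmac="00:0c:29:30:e8:bd" dstserver=1'
)

# Start of the rule posted in the thread: no leading space, so it fails at offset 0.
USER_RULE = "rule=:time=%time:time-24hr% devname=%devname:word% devid=%devid:word%"

# Constructed field list: one entry per key in the message, in message order.
Q, N = "quoted-string", "number"
FIXED_FIELDS = [
    ("time", "time-24hr"), ("devname", Q), ("devid", Q), ("logid", Q), ("type", Q),
    ("subtype", Q), ("level", Q), ("vd", Q), ("eventtime", N), ("srcip", "ipv4"),
    ("srcport", N), ("srcintf", Q), ("srcintfrole", Q), ("dstip", "ipv4"),
    ("dstport", N), ("dstintf", Q), ("dstintfrole", Q), ("poluuid", Q),
    ("sessionid", N), ("proto", N), ("action", Q), ("policyid", N),
    ("policytype", Q), ("service", Q), ("dstcountry", Q), ("srccountry", Q),
    ("trandisp", Q), ("duration", N), ("sentbyte", N), ("rcvdbyte", N),
    ("sentpkt", N), ("rcvdpkt", N), ("appcat", Q), ("devtype", Q),
    ("unauthuser", Q), ("unauthusersource", Q), ("mastersrcmac", Q), ("srcmac", Q),
    ("srcserver", N), ("dstdevtype", Q), ("dstosname", Q), ("dstosversion", Q),
    ("dstunauthuser", Q), ("dstunauthusersource", Q), ("masterdstmac", Q),
    ("dstmac", Q), ("dstserver", N),
]
# Leading space kept; quoted-string so values with spaces ("Linux PC") match.
FIXED_RULE = "rule=: " + " ".join("%s=%%%s:%s%%" % (n, n, t) for n, t in FIXED_FIELDS)
# Same rule with word instead of quoted-string: stops inside "Linux PC".
WORD_RULE = "rule=: " + " ".join(
    "%s=%%%s:%s%%" % (n, n, "word" if t == Q else t) for n, t in FIXED_FIELDS)

if __name__ == "__main__":
    for label, rule in (("thread rule", USER_RULE), ("word rule", WORD_RULE),
                        ("fixed rule", FIXED_RULE)):
        out = normalize(compile_rule(rule), MSG)
        tail = out.get("unparsed-data")
        print(label, "->", "parsed %d fields" % len(out) if tail is None
              else "unparsed-data starts: %r" % tail[:40])
```

Running it shows the three outcomes side by side: the thread's rule leaves the whole message in unparsed-data, the word-based rule parses up to dstdevtype and then reports the tail beginning at ` PC"`, and the fixed rule returns all 47 fields. The generated FIXED_RULE string can be written to a rulebase file and checked against real messages with lognormalizer -r rulebase.rb -e json before mmnormalize loads it; if the same rule must also accept messages that add or drop fields, the usual approach is a trailing %rest:rest% field or one rule per log variant.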