Mailing List Archive

liblognorm - strange behavior with user-defined types
Hi there,

I ran into a strange issue with liblognorm when using user-defined types. Consider the following rulebase:


*testcase.rb*
-----------------------------------
version=2

prefix=<%-:number%>%-:number% %ts:word%

type=@no_val:%id:string{"matching.permitted":[ {"chars":"-"}]}%

rule=alt1:%host:word% %log_type:char-sep:\x3a%:%remote_host:char-sep:\x3a%:%app_name:alpha%:%user:char-sep:\x3a%:%msg_id:number%:%event:char-to:\x3a%:%entity:char-sep:\x3a%:%message:rest%
rule=alt2:%host:word% %app_name:word% %process:@no_val% %msg:word% %structured_data:char-to: %%-:whitespace%%msgid:number%%message:rest%
-----------------------------------

Now when testing the sample as shown below, the entry is marked unparsable:

*test1*
-----------------------------------
echo "<189>1 2019-01-01T00:00:00.00 192.168.0.2 APP - - - 1234 2019-01-01 00:00:00.00 LOGOUT: USER=FOO, ACCESS=LOCAL, PROTOCOL=SNMP" | /usr/lib/lognorm/lognormalizer -r testcase.rb -U

{ "originalmsg": "<189>1 2019-01-01T00:00:00.00 192.168.0.2 APP - - - 1234 2019-01-01 00:00:00.00 LOGOUT: USER=FOO, ACCESS=LOCAL, PROTOCOL=SNMP", "unparsed-data": "00.00 LOGOUT: USER=FOO, ACCESS=LOCAL, PROTOCOL=SNMP" }
1 unparsable entries
-----------------------------------

The strange thing here is that the sample is well parsable by the second rule. When the first rule is removed, it works as expected:

*test2*
-----------------------------------
echo "<189>1 2019-01-01T00:00:00.00 192.168.0.2 APP - - - 1234 2019-01-01 00:00:00.00 LOGOUT: USER=FOO, ACCESS=LOCAL, PROTOCOL=SNMP" | /usr/lib/lognorm/lognormalizer -r testcase.rb -U

{ "message": " 2019-01-01 00:00:00.00 LOGOUT: USER=FOO, ACCESS=LOCAL, PROTOCOL=SNMP", "msgid": "1234", "structured_data": "-", "msg": "-", "process": { "id": "-" }, "app_name": "APP", "host": "192.168.0.2", "ts": "2019-01-01T00:00:00.00" }
-----------------------------------

It also works when replacing %process:@no_val% with a type which is not user-defined, i.e. %process:word%. I would expect that the second rule is evaluated in any case if the first one does not match. Is this a possible bug?

I'm using the latest liblognorm release v2.0.6 on Ubuntu 16.04.


Thank you in advance

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
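A way to see where matching gave up in output like the above, as an added example that is not part of the original post: it reads lognormalizer JSON lines and, for each unparsable entry, reports the offset and the prefix that was consumed. The function name `triage` and the result keys are hypothetical; the sample lines are the two outputs quoted in the post.

```python
import json

# The two output runs quoted in the post (test1: both rules, test2: alt1 removed).
SAMPLE_OUTPUT = '''
{ "originalmsg": "<189>1 2019-01-01T00:00:00.00 192.168.0.2 APP - - - 1234 2019-01-01 00:00:00.00 LOGOUT: USER=FOO, ACCESS=LOCAL, PROTOCOL=SNMP", "unparsed-data": "00.00 LOGOUT: USER=FOO, ACCESS=LOCAL, PROTOCOL=SNMP" }
1 unparsable entries
{ "message": " 2019-01-01 00:00:00.00 LOGOUT: USER=FOO, ACCESS=LOCAL, PROTOCOL=SNMP", "msgid": "1234", "structured_data": "-", "msg": "-", "process": { "id": "-" }, "app_name": "APP", "host": "192.168.0.2", "ts": "2019-01-01T00:00:00.00" }
'''


def triage(output):
    """Split lognormalizer JSON output into parsed records and parse failures."""
    parsed, failed = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip blank lines and summaries such as "1 unparsable entries"
        rec = json.loads(line)
        if "unparsed-data" not in rec:
            parsed.append(rec)
            continue
        orig, rest = rec["originalmsg"], rec["unparsed-data"]
        # In the post's output, unparsed-data is the tail of originalmsg,
        # so the point where it starts is where matching stopped.
        if orig.endswith(rest):
            offset = len(orig) - len(rest)
            consumed = orig[:offset]
        else:
            offset, consumed = None, None  # tail does not line up; report as-is
        failed.append({"offset": offset, "consumed": consumed, "remaining": rest})
    return parsed, failed


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_OUTPUT)
    print(f"{len(ok)} parsed, {len(bad)} unparsable")
    for f in bad:
        print(f"stopped at offset {f['offset']}: ...{f['consumed'][-25:]!r} | {f['remaining'][:20]!r}...")
```

For the test1 line, the consumed prefix ends right after the second ":" of the trailing time value, which is consistent with matching having followed alt1 up to %app_name:alpha%.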