help with Repeat/Tokenized

Forum for everything related to liblognorm.

Moderator: rgerhards


Post by danduartes » Wed Sep 06, 2017 8:49 am


I've been playing with rsyslog and liblognorm for a few weeks and struggled with a scenario where, for the sake of searching over my audit logs, I needed to tokenize a URI.
What I intend to do:
Simplified Input:
Code:
WafYlzUwmlezD0zXPuObVwAAAAA /path/to/my/resouce 405

Code:
rule=:%entryid:word% /%
        {"name":"uri", "type":"repeat",
            "parser":[{"type":"word", "name":"." }],
            "while":[{"type":"literal", "text":"/"}]
         }% %responsestatus:number%

However, this outputs as:
Code:
{ "responsestatus": "405", "uri": [ "path\/to\/my\/resouce" ], "entryid": "WafYlzUwmlezD0zXPuObVwAAAAA" }

Expected output:
Code:
{ "responsestatus": "405", "uri": [ "path", "to", "my", "resource" ], "entryid": "WafYlzUwmlezD0zXPuObVwAAAAA" }

At first I thought it was the separator I'm using and tried a lot of different characters. They all failed the same way.

The thing is, I followed the repeat example from liblognorm to build this rule, and it works perfectly with "type":"number".
Same rule as before, just changing the parser to:
Code:
"parser":[{"type":"number", "name":"." }]

Code:
WafYlzUwmlezD0zXPuObVwAAAAA /123/456/789/1354/6857/6879/546 405

Code:
{ "responsestatus": "405", "uri": [ "123", "456", "789", "1354", "6857", "6879", "546" ], "entryid": "WafYlzUwmlezD0zXPuObVwAAAAA" }

I tried other types as well, but without success as well... I hope someone can help me out on this one...
Posts: 1
Joined: Wed Sep 06, 2017 8:23 am
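
Added example, not part of the original post and not liblognorm code: a simplified Python model of the repeat loop, showing why the same rule yields one element with `word` and a full list with `number` on the inputs above. It assumes `word` matches up to the next space and `number` matches decimal digits; `until_slash_or_space` is a hypothetical parser used only for illustration.

```python
import re

# Simplified stand-ins for liblognorm field parsers (assumed models, not library code).
# Each takes (text, pos) and returns the end offset of the match, or None.
WORD = re.compile(r"[^ ]+")        # "word": characters up to the next space or end of line
NUMBER = re.compile(r"[0-9]+")     # "number": one or more decimal digits
SEGMENT = re.compile(r"[^/ ]+")    # hypothetical: stops at "/" as well as at a space

def _match(regex, text, pos):
    m = regex.match(text, pos)
    return m.end() if m else None

def word(text, pos):
    return _match(WORD, text, pos)

def number(text, pos):
    return _match(NUMBER, text, pos)

def until_slash_or_space(text, pos):
    return _match(SEGMENT, text, pos)

def repeat(text, pos, parser, while_literal):
    """Model of "type":"repeat": run parser, continue only while the literal follows."""
    values = []
    while True:
        end = parser(text, pos)
        if end is None:
            return None, pos            # the repeat fails if the parser does not match
        values.append(text[pos:end])
        pos = end
        if not text.startswith(while_literal, pos):
            return values, pos          # no separator left: the loop ends here
        pos += len(while_literal)

def normalize(line, parser):
    """Model of the rule: %entryid:word% /<repeat> %responsestatus:number%"""
    entry_end = word(line, 0)
    if entry_end is None or not line.startswith(" /", entry_end):
        return None
    uri, pos = repeat(line, entry_end + 2, parser, "/")
    if uri is None or not line.startswith(" ", pos):
        return None
    if number(line, pos + 1) != len(line):
        return None
    return {"entryid": line[:entry_end], "uri": uri, "responsestatus": line[pos + 1:]}

# Input lines copied from the post above
PATH_LINE = "WafYlzUwmlezD0zXPuObVwAAAAA /path/to/my/resouce 405"
NUM_LINE = "WafYlzUwmlezD0zXPuObVwAAAAA /123/456/789/1354/6857/6879/546 405"
```

In this model `word` consumes the slashes itself, so the `while` literal is never seen and the loop runs once; `number` stops at each `/`, which is why the numeric input splits.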
