help with Repeat/Tokenized

Forum for everything related to liblognorm.

Moderator: rgerhards


Post by danduartes » Wed Sep 06, 2017 8:49 am

Hi,

I've been playing with rsyslog and liblognorm for a few weeks and have been struggling with a scenario where, for the sake of searching over my audit logs, I needed to tokenize a URI.
What I intend to do:
Simplified Input:
Code:
WafYlzUwmlezD0zXPuObVwAAAAA /path/to/my/resouce 405


rule:
Code:
version=2
rule=:%entryid:word% /%
        {"name":"uri", "type":"repeat",
            "parser":[
                       {"type":"word", "name":"." }
                     ],
            "while":[
                       {"type":"literal", "text":"/"}
                    ]
         }% %responsestatus:number%


However, this outputs as:
Code:
{ "responsestatus": "405", "uri": [ "path\/to\/my\/resouce" ], "entryid": "WafYlzUwmlezD0zXPuObVwAAAAA" }


Expected output:
Code:
{ "responsestatus": "405", "uri": [ "path", "to", "my", "resource" ], "entryid": "WafYlzUwmlezD0zXPuObVwAAAAA" }


At first I thought it was the separator I'm using and tried a lot of different characters. They all failed the same way.

The thing is, I followed the repeat example from liblognorm to build this rule, and it works perfectly with "type":"number".
Same rule as before, just changing the parser to:
Code:
"parser":[{"type":"number", "name":"." }]

In:
Code:
WafYlzUwmlezD0zXPuObVwAAAAA /123/456/789/1354/6857/6879/546 405

out:
Code:
{ "responsestatus": "405", "uri": [ "123", "456", "789", "1354", "6857", "6879", "546" ], "entryid": "WafYlzUwmlezD0zXPuObVwAAAAA" }


I tried other types as well, but without success... I hope someone can help me out on this one...
danduartes
New
 
Posts: 1
Joined: Wed Sep 06, 2017 8:23 am
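
Added example (not part of the original post and not liblognorm code): a small Python model of the repeat loop, showing why the rule in the post yields a single array element while the number variant splits correctly. It assumes, per the liblognorm documentation, that `word` consumes everything up to the next space, so the `while` literal "/" is only tested after the whole path has been consumed, whereas `number` stops at the first non-digit. The `char_sep` helper is a hypothetical stand-in for a parser that stops at "/" or space, such as liblognorm's char-sep with extradata "/ " (an assumption, not tested against liblognorm here).

```python
# Simplified model of liblognorm's "repeat" semantics; names are illustrative.

def word(s, i):
    """Model of 'word': consume characters up to the next space or end of line."""
    j = i
    while j < len(s) and s[j] != " ":
        j += 1
    return (s[i:j], j) if j > i else None

def char_sep(terminators):
    """Hypothetical parser that stops at any character in `terminators`."""
    def parse(s, i):
        j = i
        while j < len(s) and s[j] not in terminators:
            j += 1
        return s[i:j], j
    return parse

def literal(text):
    """Match the fixed string `text` at position i."""
    def parse(s, i):
        return (text, i + len(text)) if s.startswith(text, i) else None
    return parse

def repeat(s, i, parser, while_cond):
    """Run `parser`, then `while_cond`; keep looping while `while_cond` matches."""
    items = []
    while True:
        m = parser(s, i)
        if m is None:
            return None
        value, i = m
        items.append(value)
        w = while_cond(s, i)
        if w is None:          # separator not found: the array is complete
            return items, i
        i = w[1]

def normalize(line, segment_parser):
    """Mirror of the rule: %entryid:word% /%uri:repeat% %responsestatus%."""
    entryid, i = word(line, 0)
    i = literal(" /")(line, i)[1]
    uri, i = repeat(line, i, segment_parser, literal("/"))
    i = literal(" ")(line, i)[1]
    status, _ = word(line, i)
    return {"entryid": entryid, "uri": uri, "responsestatus": status}

SAMPLE = "WafYlzUwmlezD0zXPuObVwAAAAA /path/to/my/resouce 405"  # input from the post
```
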
