Jonathan Greig

Results 7 comments of Jonathan Greig

https://www.rsyslog.com/doc/v8-stable/configuration/templates.html lists thirteen different default templates. Two are already supported by Plaso and six didn't seem to work in my testing VM (Debian 10, rsyslog v8.1901.0): | Format Name |...

RSYSLOG_SysklogdFileFormat appears similar enough that the existing parser for RSYSLOG_TraditionalFileFormat can parse it; compare:

```
template(name="RSYSLOG_TraditionalFileFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")
```

with:

```
template(name="RSYSLOG_SysklogdFileFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%\n")
```

Changing back to draft - have a few changes to make.

Hi Alexander, thanks for this PR but Juan is correct that the Cloudtrail log parser is designed for logs saved in JSON-L format and your changes seem to change the...

Please see comments on related PR #4187 - This parser is designed for logs saved in JSON-L format.

I didn't add the debug format or any formats which weren't actually supported by rsyslog (despite the documentation saying they were).

| Format name | Status |
|-|-|
| RSYSLOG_DebugFormat...

Closing - the additional formats in the spec don't actually seem to be supported by rsyslog. - See https://github.com/log2timeline/plaso/issues/3012#issuecomment-1350228934