liblognorm
liblognorm copied to clipboard
rsyslog
Unable to use 'alternative'
Hi
Having many issues trying to make alternative work. Depending on the config it complain with different messages. Examples below.
/usr/lib/lognorm/lognormalizer -V
lognormalizer version: 2.0.2
liblognorm version: 2.0.2
advanced stats: not available
example 1
version=2
rule=:%[
{"type":"alternative","parser":[
{"type":"literal", "text":"a"},
{"type":"literal", "text":"b"}
]},
{"type":"literal", "text":"c"}]%
echo "a" | /usr/lib/lognorm/lognormalizer -r /etc/rsyslog.d/apps/rb/_a.rb liblognorm error: rulebase file /etc/rsyslog.d/apps/rb/_a.rb[8]: invalid field type 'alternative' { "originalmsg": "a", "unparsed-data": "a" }
example 2
version=2
rule=:%[
{"type":"alternative","parser":[
{"type":"literal", "text":"a"},
{"type":"literal", "text":"b"}
]},
{"type":"literal", "text":"c"}
]%
echo "a" | /usr/lib/lognorm/lognormalizer -r /etc/rsyslog.d/apps/rb/_a.rb liblognorm error: rulebase file /etc/rsyslog.d/apps/rb/_a.rb[10]: invalid record type detected: ']%' { "originalmsg": "a", "unparsed-data": "a" }
example 3
version=2
rule=:%[
{"type":"alternative","parser":[
{"type":"literal", "text":"a"}
]},
{"type":"literal", "text":"c"}
]%
echo "a" | /usr/lib/lognorm/lognormalizer -r /etc/rsyslog.d/apps/rb/_a.rb liblognorm error: rulebase file /etc/rsyslog.d/apps/rb/_a.rb[9]: invalid record type detected: ']%' { "originalmsg": "a", "unparsed-data": "a" }
Hmm...I'm wondering why
version=2
rule=:%[
{"type":"literal", "text":"a"},
{"type":"alternative",
"parser":[
{"type":"literal", "text":"b"},
{"type":"literal", "text":"c"}
]
},
{"type":"literal", "text":"d"}
]%
results in:
echo "a" | /usr/lib/lognorm/lognormalizer -r /etc/rsyslog.d/apps/rb/_a.rb
liblognorm error: rulebase file /etc/rsyslog.d/apps/rb/_a.rb[13]: invalid record type detected: ']%'
{ "originalmsg": "a", "unparsed-data": "a" }
while
version=2
rule=:%[
{"type":"literal", "text":"a"},
{"type":"alternative",
"parser":[
{"type":"literal", "text":"b"},
{"type":"literal", "text":"c"}
]
},
{"type":"literal", "text":"d"}
]%
# foo
results in:
echo "a" | /usr/lib/lognorm/lognormalizer -r /etc/rsyslog.d/apps/rb/_a.rb
liblognorm error: rulebase file /etc/rsyslog.d/apps/rb/_a.rb[12]: invalid field type 'alternative'
{ "originalmsg": "a", "unparsed-data": "" }
(both configuration files have a blank line at the end)
This is actually a bug during rulebase processing. The "alternative" parser is checked at a location, where it's use as given here is not properly detected. It takes "a little bit of thinking" to correct this. An easy workaround is to not use it in an array. For example like this:
version=2
rule=:%
{"type":"alternative","parser":[
{"type":"literal", "text":"a"},
{"type":"literal", "text":"b"}
]}%%
{"type":"literal", "text":"c"}%
Any hints how to work around the issue for this example
rule=torque:%[
{"type": "char-to", "extradata":";" },
{"type": "literal", "text": ";E;" },
{"type": "char-to", "name": "jobid", "extradata": ";" },
{"type": "literal", "text": ";" },
{"type": "repeat", "name": "info",
"parser": [{
"type": "alternative",
"parser": [
[ {"type": "literal", "text": "group=" }, {"type": "word", "name":"group" } ],
[ {"type": "literal", "text": "user=" }, {"type": "word", "name":"user" } ]
]
}],
"while": [ { "type": "literal", "text": " "} ]
}
]%
Attempting to use alternative inside repeat like @itkovian's example led to the below error:
liblognorm error: rulebase file: invalid field type 'alternative' liblognorm error: rulebase file: repeat parser needs 'parser','while' parameters Segmentation fault
