doc: improved normalization sample conf

2025-12-21 02:00:42 +01:00 · 2013-02-10 17:00:44 +01:00 · 2013-02-10 17:00:44 +01:00 · edf0765bde
commit edf0765bde
parent 2da01aa019
1 changed files with 59 additions and 24 deletions
--- a/doc/confsamples/normalization.conf
+++ b/doc/confsamples/normalization.conf
@ -1,6 +1,11 @@
 # this is a config sample for log normalization, but can
 # be used as a more complex general sample.
 # It is based on a plain standard rsyslog.conf for Red Hat systems.
+# 
+# NOTE: Absolute path names for modules are used in this config
+# so that we can run a different rsyslog version alongside the
+# regular system-installed rsyslogd. Remove these path names
+# for production environment.

 #### MODULES ####

@ -12,21 +17,19 @@ module(load="/home/rger/proj/rsyslog/plugins/imtcp/.libs/imtcp")
 module(load="/home/rger/proj/rsyslog/plugins/mmjsonparse/.libs/mmjsonparse")
 module(load="/home/rger/proj/rsyslog/plugins/mmnormalize/.libs/mmnormalize")

-# We assume to have all UDP logging (for simplicity)
-#input(type="imudp" port="13514" Ruleset="struclog")
+/* We assume to have all TCP logging (for simplicity)
+ * Note that we use different ports to point different sources
+ * to the right rule sets for normalization. While there are
+ * other methods (e.g. based on tag or source), using multiple
+ * ports is both the easiest as well as the fastest.
+ */
 input(type="imtcp" port="13514" Ruleset="WindowsRsyslog")
 input(type="imtcp" port="13515" Ruleset="LinuxPlainText")
-#input(type="imtcp" port="13516" Ruleset="struclog3")
+input(type="imtcp" port="13516" Ruleset="WindowsSnare")

 #debug:
 action(type="omfile" file="/home/rger/proj/rsyslog/logfile")

-# Provides TCP syslog reception
-# for parameters see http://www.rsyslog.com/doc/imtcp.html
-#module(load="imtcp") # needs to be done just once
-#input(type="imtcp" port="514")
-
-
 /* This ruleset handles structured logging.
 * It is the only one ever called for remote machines
 * but executed in addition to the standard action for
@ -49,7 +52,32 @@ ruleset(name="WindowsRsyslog") {
 			set $!usr!type = "logon";
 		set $!usr!rcvdfrom = $!source;
 		set $!usr!rcvdat = $timereported;
-		set $!usr!user = $!TargetUserName;
+		set $!usr!user = $!TargetDomainName & "\\" & $!TargetUserName;
+		call outwriter
+	}
+}
+
+/* This handles clumsy snare format. Note that "#011" are
+ * the escape sequences for tab chars used by snare.
+ */
+ruleset(name="WindowsSnare") {
+	set $!usr!type = field($rawmsg, "#011", 6);
+	if $!usr!type == 4634 then {
+		set $!usr!type = "logoff";
+		set $!doProces = 1;
+	} else if $!usr!type == 4624 then {
+		set $!usr!type = "logon";
+		set $!doProces = 1;
+	} else
+		set $!doProces = 0;
+	if $!doProces == 1 then {
+		set $!usr!rcvdfrom = field($rawmsg, 32, 4);
+		set $!usr!rcvdat = field($rawmsg, "#011", 5);
+		/* we need to fix up the snare date */
+		set $!usr!rcvdat = field($!usr!rcvdat, 32, 2) & " " &
+				   field($!usr!rcvdat, 32, 3) & " " &
+				   field($!usr!rcvdat, 32, 4);
+		set $!usr!user = field($rawmsg, "#011", 8);
 		call outwriter
 	}
 }
@ -73,8 +101,6 @@ ruleset(name="LinuxPlainText") {
 	}
 }

-# uleset(name="struclog3")  { }
-
 /* with CSV, we the reader must receive information on the
 * field names via some other method (e.g. tool configuration,
 * prepending of a header to the written CSV-file). All of
@ -91,23 +117,33 @@ template(name="csv" type="list") {
 	property(name="$!usr!type" format="csv")
 	constant(value="\n")
 }
-#template(name="cee" type="subtree" subtree="$!usr")
+
+/* template for Lumberjack-style logging. Note that the extra
+ * LF at the end is just for wrinting it to file - it MUST NOT
+ * be included for messages intended to be sent to a remote system.
+ * For the latter use case, the syslog header must also be prepended,
+ * something we have also not done for simplicity (as we write to files).
+ * Note that we use a JSON-shortcut: If a tree name is specified, JSON
+ * for its whole subtree is generated. Thus, we only need to specify the
+ * $!usr top node to get everytihing we need.
+ */
 template(name="cee" type="string" string="@cee: %$!usr%\n")


 /* this ruleset simulates forwarding to the final destination */
 ruleset(name="outwriter"){
-	action(type="omfile" file="/home/rger/proj/rsyslog/logfile.csv" template="csv")
-	action(type="omfile" file="/home/rger/proj/rsyslog/logfile.cee" template="cee")
+	action(type="omfile"
+               file="/home/rger/proj/rsyslog/logfile.csv" template="csv")
+	action(type="omfile"
+               file="/home/rger/proj/rsyslog/logfile.cee" template="cee")
 }


-############################ end test/remove ############################
-#call struclog
-#stop
-############################ end test/remove ############################
-
-/* below is just the usual "uninteresting" stuff... */
+/* below is just the usual "uninteresting" stuff...
+ * Note that this goes into the default rule set. So 
+ * local logging is handled "as usual" without the need
+ * for any extra effort.
+ */


 #### GLOBAL DIRECTIVES ####
@ -116,6 +152,8 @@ ruleset(name="outwriter"){
 $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

 # Include all config files in /etc/rsyslog.d/
+# commented out not to interfere with the system rsyslogd
+# (just for this test configuration!)
 #$IncludeConfig /etc/rsyslog.d/*.conf


@ -147,6 +185,3 @@ uucp,news.crit                                          /var/log/spooler

 # Save boot messages also to boot.log
 local7.*                                                /var/log/boot.log
-
-# now do the structured log processing
-#call struclog