I am trying to normalize logs with Rsyslog and Liblognorm 1.1.2. Here is a sample log.
device="DFW" date=2018-10-22 time=09:47:54 timezone="+0500" device_name="XG135w" device_id=C1B2A74WA2X6C6F log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allow" status="Allow" priority=Information duration=30 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port1" out_interface="Port3" src_mac=00:0:00:0:00:0 0 src_ip=172.16.0.1 src_country_code=R1 dst_ip=8.8.4.4 dst_country_code=USA protocol="UDP" src_port=12824 dst_port=53 sent_pkts=1 recv_pkts=1 sent_bytes=79 recv_bytes=107 tran_src_ip=20.55.69.72 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="7456740608" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0
As far as I understand, a rule written for liblognorm has to match the input log word for word. I know I can use "%-:rest%" to jump from a certain point to the end of the log. But I would like to be able to skip a middle section of the log and then continue writing the rule for the rest of it. Is this possible? Any help would be appreciated. Thanks.
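As an added example (not from the original post), here is a liblognorm v1 rulebase for the sample line above that extracts a few fields from the head, consumes the middle with discarded fields, and then extracts fields from further down. It uses only parsers present in the 1.x rulebase syntax (word, number, ipv4, quoted-string, char-to, rest); the rule tag and the field names are my own choice.

```text
# Added example, not from the original post or the liblognorm project.
# In a v1 rulebase a field named "-" is matched and thrown away, so the middle
# of the line is not jumped over but consumed, key by key, until the next field
# we actually want. Matching the keys literally also keeps the rule from
# silently applying to a different event type that happens to share a prefix.
#
# quoted-string matches "" as well as "Firewall Rule", so values containing
# spaces are safe. The sample's src_mac ends in an extra token ("00:0:00:0:00:0 0"),
# so char-to:s consumes everything up to the 's' that starts "src_ip=".
# %-:word% does NOT match an empty value such as tran_dst_ip=, which is why the
# rule hands the tail to rest just before that key; a second rule would be
# needed if srczone/dstzone/connevent are wanted too.

rule=fw_allow: device=%device:quoted-string% date=%date:word% time=%time:word% timezone=%-:quoted-string% device_name=%device_name:quoted-string% device_id=%-:word% log_id=%-:word% log_type=%log_type:quoted-string% log_component=%-:quoted-string% log_subtype=%log_subtype:quoted-string% status=%-:quoted-string% priority=%-:word% duration=%-:number% fw_rule_id=%fw_rule_id:number% policy_type=%-:number% user_name=%-:quoted-string% user_gp=%-:quoted-string% iap=%-:number% ips_policy_id=%-:number% appfilter_policy_id=%-:number% application=%application:quoted-string% application_risk=%-:number% application_technology=%-:quoted-string% application_category=%-:quoted-string% in_interface=%in_interface:quoted-string% out_interface=%out_interface:quoted-string% src_mac=%-:char-to:s%src_ip=%src_ip:ipv4% src_country_code=%-:word% dst_ip=%dst_ip:ipv4% dst_country_code=%-:word% protocol=%protocol:quoted-string% src_port=%src_port:number% dst_port=%dst_port:number% sent_pkts=%-:number% recv_pkts=%-:number% sent_bytes=%sent_bytes:number% recv_bytes=%recv_bytes:number% tran_src_ip=%-:rest%
```

Feed the sample line through the lognormalizer tool with this file as the rulebase (-r) to confirm that the fields after the discarded middle (src_ip, dst_port, sent_bytes, ...) are populated; if the output shows an unparsed-data marker instead, the first key whose value the rule did not consume is where the literal text stopped matching.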