Use this documentation with care! It describes
the outdated version 7, which was actively
developed around 2014 and is considered dead by the
This documentation reflects the latest update of the v7-stable branch. It describes the 7.6.8 version, which was never released. As such, it contains some content that does not apply to any released version.
To obtain the doc that properly matches your installed v7 version, obtain the doc set from your distro. Each version of rsyslog contained the version that exactly matches it.
As general advise, it is strongly suggested to upgrade to the current version supported by the rsyslog project. The current version can always be found on the right-hand side info box on the rsyslog web site.
Note that there is only limited rsyslog community support available for the outdated v7 version (officially we do not support it at all, but we usually are able to answer simple questions). If you need to stick with v7, it probably is best to ask your distribution for support.
Log Message Normalization Module¶
Module Name: mmnormalize
Available since: 6.1.2+
Author: Rainer Gerhards <email@example.com>
This module provides the capability to normalize log messages via liblognorm. Thanks to liblognorm, unstructured text, like usually found in log messages, can very quickly be parsed and put into a normal form. This is done so quickly, that it should be possible to normalize events in realtime.
This module is implemented via the output module interface. This means that mmnormalize should be called just like an action. After it has been called, the normalized message properties are available and can be accessed. These properties are called the “CEE/lumberjack” properties, because liblognorm creates a format that is inspired by the CEE/lumberjack approach.
Please note: CEE/lumberjack properties are different from regular properties. They have always “$!” prepended to the property name given in the rulebase. Such a property needs to be called with %$!propertyname%.
Note that mmnormalize should only be called once on each message. Behaviour is undefined if multiple calls to mmnormalize happen for the same message.
- ruleBase [word] Specifies which rulebase file is to use. If there are multiple mmnormalize instances, each one can use a different file. However, a single instance can use only a single file. This parameter MUST be given, because normalization can only happen based on a rulebase. It is recommended that an absolute path name is given. Information on how to create the rulebase can be found in the liblognorm manual.
- useRawMsg [boolean] Specifies if the raw message should be used for normalization (on) or just the MSG part of the message (off). Default is “off”.
Legacy Configuration Directives:
- $mmnormalizeRuleBase <rulebase-file> - equivalent to the “ruleBase” parameter.
- $mmnormalizeUseRawMsg <on/off> - equivalent to the “useRawMsg” parameter.
- First steps for mmnormalize
- Log normalization and special characters
- Log normalization and the leading space
- Using mmnormalize effectively with Adiscon LogAnalyzer
None known at this time.
This activates the module and applies normalization to all messages:
module(load="mmnormalize") action(type="mmnormalize" ruleBase="/path/to/rulebase.rb")
The same in legacy format:
$ModLoad mmnormalize $mmnormalizeRuleBase /path/to/rulebase.rb *.* :mmnormalize: