<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="generator" content="Osso Notes">
<title></title></head>
<body>
<p>Hi,
<br>
<br>It seems you are receiving those messages via the no-parse flag, or something like the udp() source driver.
<br>
<br>You need to use the syslog() source driver to tell syslog-ng to expect the RFC 5424 format and parse it properly.
<br>
<br>----- Original message -----
<br>> I have successfully written parsers for unstructured logs, but would
<br>> like to be able to leverage SDATA. Based on what I have researched so
<br>> far, I have built the following skeleton conf file for writing to mongodb
<br>>
<br>> #####Filter#####
<br>> filter f_session_close {message("RT_FLOW_SESSION_CLOSE");};
<br>>
<br>> #####Destinations#####
<br>>
<br>> destination d_mongodb_close {
<br>> mongodb(
<br>> collection("close")
<br>> value-pairs(
<br>> scope(rfc5424 sdata)
<br>> )
<br>> );
<br>> };
<br>>
<br>> #####Log#####
<br>> log {
<br>> source(s_network);
<br>> filter(f_session_close);
<br>> destination(d_mongodb_close);
<br>> };
<br>>
<br>> With this in mind, I get the following logs with only the rfc5424 scope:
<br>>
<br>> "DATE" : "Oct  5 20:40:21",
<br>> "FACILITY" : "user",
<br>> "HOST" : "192.168.199.2",
<br>> "MESSAGE" : "2012-10-05T20:40:20.444 SRX100 RT_FLOW -
<br>> RT_FLOW_SESSION_CREATE [<a href="mailto:junos@2636.1.1.1.2.36">junos@2636.1.1.1.2.36</a>
<br>> source-address=\"192.168.199.207\" source-port=\"55625\"
<br>> destination-address=\"130.57.4.24\" destination-port=\"80\"
<br>> service-name=\"junos-http\" nat-source-address=\"50.193.12.149\"
<br>> nat-source-port=\"28178\" nat-destination-address=\"130.57.4.24\"
<br>> nat-destination-port=\"80\" src-nat-rule-name=\"source-nat-rule\"
<br>> dst-nat-rule-name=\"None\" protocol-id=\"6\"
<br>> policy-name=\"trust-to-untrust\" source-zone-name=\"trust\"
<br>> destination-zone-name=\"untrust\" session-id-32=\"61189\"
<br>> username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"vlan.0\"]",
<br>> "PRIORITY" : "info", "PROGRAM" : "1", "_id" :
<br>> ObjectId("506fa825817f52de65000001")
<br>>
<br>> When using the SDATA scope, I only get an object id. None of the
<br>> structured data is ever parsed.
<br>>
<br>> Is there something special I need to do to parse the structured portion
<br>> of the message?
<br>>
<br>> Chris
<br><br></p>
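<p>As an added example (not from this thread or the syslog-ng project), the Python below walks the RFC 5424 header and structured-data element of the quoted SRX line the way the syslog() driver does, yielding the .SDATA.&lt;sd-id&gt;.&lt;param&gt; name-value pairs that the sdata scope would have exported; note that the "1" sitting in PROGRAM in the dump above is the RFC 5424 VERSION field, the tell-tale of a message that was parsed with RFC 3164 rules. The sample line is constructed from the quoted message with an assumed PRI of &lt;14&gt; (user.info) and a subset of its parameters; value escaping follows RFC 5424 section 6.3.3.</p>

```python
import re

# Constructed sample modelled on the SRX message in the thread; PRI <14> (user.info) is assumed.
SAMPLE = ('<14>1 2012-10-05T20:40:20.444 SRX100 RT_FLOW - RT_FLOW_SESSION_CREATE '
          '[junos@2636.1.1.1.2.36 source-address="192.168.199.207" source-port="55625" '
          'destination-address="130.57.4.24" destination-port="80" protocol-id="6" '
          'policy-name="trust-to-untrust" packet-incoming-interface="vlan.0"]')

HEADER = re.compile(r'^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) ')
SD_ID = re.compile(r'[^ \]]+')

def parse_sd(text, pos):
    """Parse STRUCTURED-DATA at text[pos]; return ({'.SDATA.<id>.<param>': value}, end)."""
    sdata = {}
    if text.startswith('-', pos):              # NILVALUE: no structured data
        return sdata, pos + 1
    while text.startswith('[', pos):           # one SD-ELEMENT per bracket pair
        m = SD_ID.match(text, pos + 1)
        if not m:
            raise ValueError('missing SD-ID')
        sd_id, pos = m.group(0), m.end()
        while text.startswith(' ', pos):       # SP PARAM-NAME "=" '"' PARAM-VALUE '"'
            eq = text.index('=', pos + 1)
            name, pos, value = text[pos + 1:eq], eq + 2, []
            if text[eq + 1] != '"':
                raise ValueError('PARAM-VALUE must be quoted')
            while text[pos] != '"':
                if text[pos] == '\\' and text[pos + 1] in '"\\]':
                    pos += 1                   # RFC 5424 6.3.3 escapes: \" \\ \]
                value.append(text[pos])
                pos += 1
            sdata[f'.SDATA.{sd_id}.{name}'] = ''.join(value)
            pos += 1                           # skip closing quote
        if not text.startswith(']', pos):
            raise ValueError('unterminated SD-ELEMENT')
        pos += 1
    return sdata, pos

def parse_rfc5424(line):
    """Header is PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG."""
    m = HEADER.match(line)
    if not m or m.group(2) != '1':
        raise ValueError('not an RFC 5424 version 1 message')
    pri = int(m.group(1))
    fields = {'FACILITY': pri >> 3, 'PRIORITY': pri & 7, 'DATE': m.group(3), 'HOST': m.group(4),
              'PROGRAM': m.group(5), 'PID': m.group(6), 'MSGID': m.group(7)}
    sdata, pos = parse_sd(line, m.end())
    fields.update(sdata)
    fields['MESSAGE'] = line[pos + 1:] if line.startswith(' ', pos) else ''
    return fields
```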
</body>
</html>