Awesome, thanks!<div>I'll dig into the patterndb as this would have to be in production at some point :-)</div><div><br></div><div><br></div><div class="gmail_extra"><br clear="all">______________________________________________________________ <br>
<br>Clayton Dukes<br>______________________________________________________________<br>
<br><br><div class="gmail_quote">On Wed, Nov 14, 2012 at 8:50 AM, Gergely Nagy <span dir="ltr"><<a href="mailto:algernon@balabit.hu" target="_blank">algernon@balabit.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">Clayton Dukes <<a href="mailto:cdukes@gmail.com">cdukes@gmail.com</a>> writes:<br>
<br>
> Thanks Gergely,<br>
> I was trying to replace myhostname with the IP (removing the "Original<br>
> Host=$IP"<br>
> part of the message would be optional).<br>
> I thought it would have to be done using something like patterndb, but<br>
> wasn't sure.<br>
<br>
</div>A quick & dirty solution is to abuse the CSV parser, twice (do note that<br>
I haven't tested it):<br>
<br>
parser p_split_at_doublecolon {<br>
    # delimiters(":") added: csv-parser's default delimiter is whitespace, not ":".<br>
    # greedy keeps any further ":" in csv.message instead of splitting there.<br>
    csv-parser(columns("csv.orig_host", "csv.message"), delimiters(":"), flags(greedy));<br>
};<br>
<br>
parser p_split_at_equal {<br>
    # split "Original Host=1.2.3.4" at "=", reading csv.orig_host instead of $MESSAGE<br>
    csv-parser(columns("csv.dummy", "csv.ip"), delimiters("="), template("${csv.orig_host}"));<br>
};<br>
<br>
rewrite r_reassemble {<br>
    set(":${csv.message}", value("MESSAGE"));<br>
    set("${csv.ip}", value("HOST"));   # was "${cvs.ip}", a typo<br>
};<br>
<br>
log {<br>
    source(s_yoursource);<br>
    parser(p_split_at_doublecolon);<br>
    parser(p_split_at_equal);<br>
    rewrite(r_reassemble);<br>
    destination(d_yourdestination);<br>
};<br>
<br>
What this does is split the original message into two parts: one before<br>
the first ":", and the rest after (we need the greedy flag for this, so<br>
that if the message contains more ":" chars, the parser won't split<br>
there, but attach that to csv.message). The first part will be stored in<br>
"csv.orig_host", the other in "csv.message", neither will contain the<br>
":" itself.<br>
<br>
Then, we use a similar trick to break the orig_host part apart:<br>
everything in it after the equal sign is the IP.<br>
<br>
After these two, we have the following things set up:<br>
<br>
csv.orig_host = "Original Host=192.168.6.3"<br>
csv.message = "LOW_THRESHOLD_EVENT - 0 AUTHORIZED sessions"<br>
csv.dummy = "Original Host"<br>
csv.ip = "192.168.6.3"<br>
<br>