<div dir="ltr">Hi,<div><br></div><div>a more specific example that I've created (just a POC):</div><div><br></div><div><div>@version: 3.7</div><div>@include "scl.conf"</div><div><br></div><div>#PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"</div><div>python {</div><div>import socket</div><div>import json</div><div>def aws_elb_proxy_protocol2json(logmsg, arg):</div><div> out = {}</div><div> token_separator = ' '</div><div> tokens = arg.split(token_separator)</div><div> if not tokens or len(tokens) < 6:</div><div> return json.dumps({"aws_elb_proxy_protocol2json.error": "split failure", "message": arg})</div><div><br></div><div> out["proxy"] = tokens[0]</div><div> out["inet_protocol"] = tokens[1]</div><div> out["client_ip"] = tokens[2]</div><div> out["proxy_ip"] = tokens[3]</div><div> out["client_port"] = tokens[4]</div><div> out["proxy_port"] = tokens[5]</div><div><br></div><div> return json.dumps(out)</div><div>};</div><div><br></div><div>block parser aws_elb2json (</div><div> template("${MSG}")</div><div> rec-sep(' ')</div><div> field-sep(' ')</div><div>) {</div><div> json-parser(template("$(python aws_elb_proxy_protocol2json `template`)"));</div><div>};</div><div> </div><div>source s_aws_elb {</div><div> file("/tmp/aws-elb.log" flags(no-parse));</div><div>};</div><div> </div><div>destination d_client_port_odd_json {</div><div> file("/tmp/aws_elb_client_port_odd_json.log" template("$(format-json -s nv-pairs)\n"));</div><div>};</div><div><br></div><div>destination d_client_port_even {</div><div> #file("/tmp/aws_elb_client_port_even.log" template("$(format-json -s nv-pairs)\n"));</div><div> file("/tmp/aws_elb_client_port_even.log");</div><div>};</div><div> </div><div>filter f_client_port_odd { match("\d*[13579]$" value("client_port")); };</div><div>filter f_client_port_even { match("\d*[02468]$" value("client_port")); };</div><div><br></div><div>log {</div><div> source(s_aws_elb);</div><div> parser { aws_elb2json(); };</div><div><br></div><div> filter(f_client_port_odd);</div><div> destination(d_client_port_odd_json);</div><div>};</div><div><br></div><div>log {</div><div> source(s_aws_elb);</div><div> parser { aws_elb2json(); };</div><div><br></div><div> filter(f_client_port_even);</div><div> destination(d_client_port_even);</div><div>};</div></div><div><br></div><div><br></div><div>regards,</div><div>L.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 15, 2015 at 7:28 PM, Nadine Miller <span dir="ltr"><<a href="mailto:nadine.miller@defpoint.com" target="_blank">nadine.miller@defpoint.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've searched through the archives and spent some time trying to find<br>
possible answers on the web, but haven't found a definitive answer.<br>
<br>
I'm in a situation where I need to parse syslog streams being<br>
forwarded through an AWS ELB. The normal configuration of the ELB<br>
resets the source IP to be the ELB's IP address. Logs are coming from<br>
multiple AWS VPCs, and we've already discovered duplicate hostnames<br>
across different VPCs, which has mingled logs from different hosts<br>
into one receiving log file.<br>
<br>
The ELB has another mode, referred to as "Proxy Protocol" which adds a<br>
single line to the TCP stream in the form:<br>
<br>
PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP<br>
+ single space + PROXY_IP + single space + CLIENT_PORT + single space<br>
+ PROXY_PORT + "\r\n"<br>
<br>
Example:<br>
<br>
PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n<br>
<br>
Is it possible to use this proxy line in syslog-ng to properly<br>
segregate the log messages? If so, what would be the best method to<br>
use? I've done a lot of filtering/templating with normal UDP syslog<br>
and syslog-ng, but this is the first time I've had to consider<br>
something crazy like this.<br>
<br>
Currently there is no option at this time to change configurations at<br>
endpoints sending the syslog messages, nor can we remove the ELB.<br>
<br>
For reference:<br>
<a href="http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html" rel="noreferrer" target="_blank">http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html</a><br>
<br>
Thanks in advance--<br>
=N=<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br></div>