<div dir="ltr"><div><div>Hi,<br><br></div>Sorry I was distracted, here's a block definition for this format that you can simply use as a parser:<br><br><span style="font-family:monospace,monospace">block parser aws-proxy-protocol-header() {<br> csv-parser(delimiters(" ")<br> columns(".aws.proxy", ".aws.inet_protocol", ".aws.client_ip", ".aws.proxy_ip", ".aws.client_port", ".aws.proxy_port"));<br>};<br></span><br></div><div>Just put it somewhere in your configuration file, or into a separate file and include it.<br></div><div><br></div>This is how I tested it.<br><br><br><span style="font-family:monospace,monospace">@version: 3.7<br><br>block parser aws-proxy-protocol-header() {<br> csv-parser(delimiters(" ")<br> columns(".aws.proxy", ".aws.inet_protocol", ".aws.client_ip", ".aws.proxy_ip", ".aws.client_port", ".aws.proxy_port"));<br>};<br><br>log {<br> source { file("aws-sample.log" flags(no-parse)); };<br> parser { aws-proxy-protocol-header(); };<br> destination { file("/dev/stdout" template("$(format-json .aws.*)\n")); };<br>};</span><br><br><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Thu, Oct 15, 2015 at 7:28 PM, Nadine Miller <span dir="ltr"><<a href="mailto:nadine.miller@defpoint.com" target="_blank">nadine.miller@defpoint.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've searched through the archives and spent some time trying to find<br>
possible answers on the web, but haven't found a definitive answer.<br>
<br>
I'm in a situation where I need to parse syslog streams being<br>
forwarded through an AWS ELB. The normal configuration of the ELB<br>
resets the source IP to be the ELB's IP address. Logs are coming from<br>
multiple AWS VPCs, and we've already discovered duplicate hostnames<br>
across different VPCs, which has mingled logs from different hosts<br>
into one receiving log file.<br>
<br>
The ELB has another mode, referred to as "Proxy Protocol" which adds a<br>
single line to the TCP stream in the form:<br>
<br>
PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP<br>
+ single space + PROXY_IP + single space + CLIENT_PORT + single space<br>
+ PROXY_PORT + "\r\n"<br>
<br>
Example:<br>
<br>
PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n<br>
<br>
Is it possible to use this proxy line in syslog-ng to properly<br>
segregate the log messages? If so, what would be the best method to<br>
use? I've done a lot of filtering/templating with normal UDP syslog<br>
and syslog-ng, but this is the first time I've had to consider<br>
something crazy like this.<br>
<br>
Currently there is no option at this time to change configurations at<br>
endpoints sending the syslog messages, nor can we remove the ELB.<br>
<br>
For reference:<br>
<a href="http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html" rel="noreferrer" target="_blank">http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-proxy-protocol.html</a><br>
<br>
Thanks in advance--<br>
=N=<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br></div>
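<div>As an added example, not from the thread or from syslog-ng itself, here is a stand-alone Python parser for the same six fields the block parser above extracts. It validates the header (CRLF terminator, TCP4/TCP6 family matching both addresses, port range) before trusting it, and tags every following syslog line of a connection with the header's client_ip, since the ELB sends the header once per TCP connection rather than once per message. The field names, the sample lines and the 'unknown' fallback are my own choices.</div>

```python
import ipaddress
from typing import Dict, List, Optional

# Field names mirror the .aws.* columns of the block parser in the reply above.
FIELDS = ("proxy", "inet_protocol", "client_ip", "proxy_ip", "client_port", "proxy_port")
MAX_HEADER_LEN = 107  # a v1 header, CRLF included, is at most 107 bytes


def parse_proxy_header(line: str) -> Optional[Dict[str, str]]:
    """Return the six fields of a valid v1 header, or None.

    Only 'PROXY TCP4|TCP6 <ip> <ip> <port> <port>\\r\\n' with both addresses in
    the stated family is accepted, so a malformed or forged first line is
    never mistaken for a header."""
    if not line.endswith("\r\n") or len(line) > MAX_HEADER_LEN:
        return None
    parts = line[:-2].split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        return None
    family = 4 if parts[1] == "TCP4" else 6
    try:
        if any(ipaddress.ip_address(a).version != family for a in parts[2:4]):
            return None
    except ValueError:  # not an IP address at all
        return None
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[4:6]):
        return None
    return dict(zip(FIELDS, parts))


def tag_connection(stream: str) -> List[Dict[str, str]]:
    """Split one connection's payload into syslog messages tagged with the
    header's client_ip. The header is sent once per TCP connection, not once
    per message, so it is parsed once and attached to every line that follows;
    a connection without a valid header is tagged 'unknown' instead."""
    head, sep, rest = stream.partition("\r\n")
    hdr = parse_proxy_header(head + sep) if sep else None
    if hdr is None:
        hdr, rest = {"client_ip": "unknown"}, stream
    return [{"client_ip": hdr["client_ip"], "message": msg}
            for msg in rest.splitlines() if msg]


# Constructed sample: two VPCs, the same hostname 'web01', one connection each.
SAMPLE_VPC_A = ("PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n"
                "<34>Oct 15 19:28:01 web01 sshd[100]: session opened for user ops\n")
SAMPLE_VPC_B = ("PROXY TCP4 192.0.2.9 203.0.113.7 44212 80\r\n"
                "<34>Oct 15 19:28:02 web01 sshd[200]: session opened for user ops\n")
```

<div>Running tag_connection over both samples yields two records with identical hostnames but distinct client_ip values, which is the key that separates the two VPCs' logs.</div>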