<p dir="ltr"><br>
The way I would do this is to put all conforming fields under the .cim namespace, and then forward it to splunk using</p>
<p dir="ltr">$(format-welf --subkeys .cim)</p>
<p dir="ltr">This would remove the .cim prefix when forwarding. Other name-value pairs are not included by default. But you can always have everything using:</p>
<p dir="ltr">$(format-welf *)</p>
<p dir="ltr">Cheers,<br>
Bazsi</p>
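<p dir="ltr">A complete syslog-ng configuration built around the approach above (an added example, not taken from the thread): the rewrite rule, the .cim.* field names, the host names and the ports are all constructed for illustration. It uses the trailing-dot form .cim. so that the whole prefix, dot included, is stripped from the forwarded keys.</p>

```conf
@version: 3.7

# Constructed example: receive syslog over UDP.
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Normalise the fields we care about into the .cim. namespace.
# These target names are constructed for this example; a patterndb
# parser could set them the same way for specific message formats.
rewrite r_cim {
    set("${HOST}"    value(".cim.src"));
    set("${PROGRAM}" value(".cim.app"));
    set("${MESSAGE}" value(".cim.signature"));
};

# Only the .cim.* pairs are emitted, with the prefix removed.
# For the constructed input
#   <38>Jun 13 18:31:00 host1 sshd[123]: Accepted publickey for alice from 10.0.0.5
# the forwarded line carries key=value pairs such as
#   app=sshd signature="Accepted publickey for alice from 10.0.0.5" src=host1
destination d_splunk {
    network("splunk-forwarder.example.org" port(5140)
        template("$(format-welf --subkeys .cim.)\n"));
};

# Variant: forward every name-value pair the message carries,
# including macros and parser output, not just the .cim.* ones.
destination d_everything {
    network("debug-collector.example.org" port(5141)
        template("$(format-welf *)\n"));
};

log {
    source(s_net);
    rewrite(r_cim);
    destination(d_splunk);
};
```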
<div class="gmail_quote">On Jun 13, 2016 6:31 PM, &quot;Evan Rempel&quot; &lt;<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>Thanks, I just wanted to see your
      reasoning behind your decision. <br>
      <br>
      Does anyone know of any patternDB parsing that was intended to
      conform to the Splunk CIM that I could take a look at? I&#39;m just
      trying to shorten the learning curve.<br>
      <br>
      Evan.<br>
      <br>
      On 06/12/2016 02:44 AM, Scheidler, Balázs wrote:<br>
    </div>
    <blockquote type="cite">
      
      <p dir="ltr">Well, CEE is pretty much dead, and I didn&#39;t see too
        much activity wrt lumberjack either.</p>
      <p dir="ltr">I would rather see consolidation instead of further
        fragmentation in this area.</p>
      <p dir="ltr">Cheers<br>
        Bazsi </p>
      <div style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
        <div bgcolor="#FFFFFF" text="#000000">
          <div>You are the last person I thought would point me toward
            the splunk CIM. Given the support that Balabit has put
            behind CEE and then lumberjack and even the experimental
            patternDB schema (<a href="https://github.com/balabit/syslog-ng-patterndb/blob/master/SCHEMAS.txt" target="_blank">https://github.com/balabit/syslog-ng-patterndb/blob/master/SCHEMAS.txt</a>)
            I was sure you would steer me toward lumberjack.<br>
            <br>
            At first glance the splunk CIM appears to be structured
            around and partially dependent on some of the data flows of
            the splunk product. I&#39;ll continue to review it but at this
            point I am still open to alternate suggestions.<br>
            <br>
            Evan.<br>
            <br>
            On 06/11/2016 11:45 AM, Scheidler, Balázs wrote:<br>
          </div>
          <blockquote type="cite">
            <p dir="ltr">There&#39;s a common information model at splunk or
              the field dictionary of CEF, of arcsight fame.</p>
            <p dir="ltr">I would probably use the splunk one, except if
              you plan to use arcsight at the end.</p>
            <div class="gmail_quote">On Jun 11, 2016 18:32, &quot;Evan
              Rempel&quot; &lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;
              wrote:<br type="attribution">
              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">There
                was a project by Mitre (<a href="https://www.mitre.org/" rel="noreferrer" target="_blank">https://www.mitre.org/</a>) called the
                Common<br>
                Event Expression (<a href="https://cee.mitre.org/" rel="noreferrer" target="_blank">https://cee.mitre.org/</a>) that was
                going to be the<br>
                official standard for metadata names for events, but
                that project has<br>
                been stopped.<br>
                <br>
                Other than the two references that the CEE project has
                for logging<br>
                standardization efforts, does anyone know of any major
                efforts by any<br>
                group to define a standard for metadata naming?<br>
                <br>
                Evan.</blockquote>
            </div>
          </blockquote>
          <br>
        </div>
        <br>
______________________________________________________________________________<br>
        Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
        Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
        FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
        <br>
        <br>
      </div>
      <br>
    </blockquote>
    <pre cols="500">-- 
Evan Rempel                                      <a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator                        250.721.7691
Data Centre Services, University Systems, University of Victoria 
</pre>
  </div>

<br></blockquote></div>