<div dir="ltr"><div><div><div><div><div><div><div><div>Hi Jorge, <br><br></div>This seems to be a bit tricky message. If I see it correctly, after the syslog header, you have: <br><br> * some additional info that ends with [captcha] (is that literally [captcha], or it changes with every message?)<br></div> * then you have some JSON<br> * &quot;while logging request,&quot; string<br></div> * and finally some key:value pairs.<br><br></div>As a first try, I would use the csv-parser() to separate the message to the four blocks I listed above. Use syslog-ng OSE 3.7, because then you can use strings as delimiters (see <a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-parsers-csv.html#csv-parser-delimiter">https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-parsers-csv.html#csv-parser-delimiter</a>). For example, you can use the ] character and the &quot;while logging request,&quot; string as delimiters. <br></div>Then you can run the json-parser on the macro containing the JSON-part of the message, and a kv-parser with the : delimiter to parse the last block if needed. (Note that for kv-parser part you need a recent development version of syslog-ng).<br><br></div><div>Make sure to use the prefix() option in the json-parser, because as I see the key:value block seems to have some of the same keys that the json block.<br></div><div><br></div>BTW, is this a publicly available application that emits such a log message? It seems ideal to showcase the wide range of available syslog-ng parsers :)<br><br></div>Regards, <br></div>Robert<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jul 3, 2016 at 3:32 PM, Jorge Pereira <span dir="ltr">&lt;<a href="mailto:jpereiran@gmail.com" target="_blank">jpereiran@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<br><br>    I am not sure about the best approach and way to fix my problem, below more information.<br><br>1) I receive the below packet sent from a nginx/openresty instance.<br><br>2016/07/02 01:17:04 [emerg] 19081#0: *13163 [lua] init.lua:115: [captcha] {&quot;fail_count&quot;:&quot;&quot;,&quot;response_code&quot;:200,&quot;client_ip&quot;:&quot;192.168.1.22&quot;,&quot;hostname&quot;:&quot;server-lab01&quot;,&quot;request_id&quot;:&quot;2016-07-02T01:17:03Z|9175f93c0c||i0Xb3BuBWV&quot;,&quot;host&quot;:&quot;<a href="http://www.mytest.com" target="_blank">www.mytest.com</a>&quot;,&quot;http_request&quot;:{&quot;verb&quot;:&quot;GET&quot;,&quot;url&quot;:&quot;\/&quot;,&quot;user-agent&quot;:&quot;Mozilla\/5.0 (pc-x86_64-linux-gnu) Siege\/3.0.8&quot;,&quot;http_version&quot;:&quot;1.1&quot;,&quot;all&quot;:&quot;{\&quot;host\&quot;:\&quot;<a href="http://www.mytest.com" target="_blank">www.mytest.com</a>\&quot;,\&quot;x-country-code\&quot;:\&quot;US\&quot;,\&quot;connection\&quot;:\&quot;close\&quot;,\&quot;accept\&quot;:\&quot;*\\\/*\&quot;,\&quot;x-client-ip\&quot;:\&quot;192.168.1.22\&quot;,\&quot;user-agent\&quot;:\&quot;Mozilla\\\/5.0 (pc-x86_64-linux-gnu) Siege\\\/3.0.8\&quot;,\&quot;accept-encoding\&quot;:\&quot;gzip\&quot;}&quot;},&quot;geoip&quot;:{&quot;location&quot;:&quot;-90.5334,38.6500&quot;,&quot;city_name&quot;:&quot;Chesterfield&quot;,&quot;country_name&quot;:&quot;United States&quot;,&quot;longitude&quot;:-90.5334,&quot;area_code&quot;:314,&quot;latitude&quot;:38.65,&quot;country_code2&quot;:&quot;US&quot;,&quot;country_code3&quot;:&quot;USA&quot;},&quot;got&quot;:&quot;&quot;,&quot;action&quot;:&quot;show&quot;,&quot;expected&quot;:&quot;h1szmM&quot;,&quot;webapp_domain&quot;:&quot;<a href="http://www.mytest.com" target="_blank">www.mytest.com</a>&quot;} while logging request, client: 192.168.1.22, server: <a href="http://www.mytest.com" target="_blank">www.mytest.com</a>, request: &quot;GET / HTTP/1.1&quot;, host: &quot;<a href="http://www.mytest.com" target="_blank">www.mytest.com</a>&quot;<br><br>2) In my server side, I need to save the logs following a value of <i>host: &quot;<a href="http://www.mytest.com" target="_blank">www.mytest.com</a>&quot;</i> like:<div><br></div><div>/var/log/syslog-ng/www.mytest.com.log</div><div><br></div><div>3) The problem is because the packet received has a part being a jSON, but I can&#39;t use the <i>json-parser().</i></div><div><i><br></i></div><div>4) What is the best approach? I have used:</div><div><br></div><div><div># Extracting only the jSON payload</div><div>rewrite p_nginx_wb_error_log_clean {</div><div>    subst(&quot;.*captcha] &quot;, &quot;&quot;, value(&quot;MESSAGE&quot;), flags(&quot;global&quot;));</div><div>    subst(&quot; while logging request.*$&quot;, &quot;&quot;, value(&quot;MESSAGE&quot;), flags(&quot;global&quot;));</div><div>};</div><div><br></div><div>parser p_nginx_wb_error_log_json {</div><div>    json-parser(</div><div>        marker(&quot;&quot;)</div><div>        prefix(&quot;j.&quot;)</div><div>    );  </div><div>};</div><div><br></div><div>destination d_nginx_wb_error_log {</div><div>    file(&quot;/var/log/syslog-ng/nginx/${j.webapp_domain:-unknow-payload}_error.log&quot;                                                                                                                                                               </div><div>         create_dirs(yes)</div><div>         owner(&quot;root&quot;)</div><div>         group(&quot;root&quot;)</div><div>         perm(0644)</div><div>         dir_perm(0755)</div><div>         template(&quot;${MSG}\n&quot;)</div><div>    );  </div><div>};</div><div><br></div>--<br>Jorge Pereira</div></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>