<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div>Have you looked at using patterndb? That should let you assign the specific parts of the message to variables you choose and then use them as you like.</div><div>It should be possible to do it with the json parser, but I have not used it personally. </div><div>Jim</div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757" dir="auto">Sent from my Verizon, Samsung Galaxy smartphone</div></div><div><br></div><div style="font-size:100%;color:#000000"><!-- originalMessage --><div>-------- Original message --------</div><div>From: "Fekete, Róbert" <robert.fekete@balabit.com> </div><div>Date: 7/3/16 1:26 PM (GMT-05:00) </div><div>To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> </div><div>Subject: Re: [syslog-ng] extracting jSON from $MESSAGE </div><div><br></div></div><div dir="ltr"><div><div><div><div><div><div><div><div>Hi Jorge, <br><br></div>This seems to be a bit of a tricky message. If I see it correctly, after the syslog header, you have: <br><br> * some additional info that ends with [captcha] (is that literally [captcha], or does it change with every message?)<br></div> * then you have some JSON<br> * the "while logging request," string<br></div> * and finally some key:value pairs.<br><br></div>As a first try, I would use the csv-parser() to separate the message into the four blocks I listed above. Use syslog-ng OSE 3.7, because then you can use strings as delimiters (see <a href="https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-parsers-csv.html#csv-parser-delimiter">https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-parsers-csv.html#csv-parser-delimiter</a>). 
For example, you can use the ] character and the "while logging request," string as delimiters. <br></div>Then you can run the json-parser on the macro containing the JSON part of the message, and a kv-parser with the : delimiter to parse the last block if needed. (Note that for the kv-parser part you need a recent development version of syslog-ng.)<br><br></div><div>Make sure to use the prefix() option in the json-parser, because as far as I can see the key:value block seems to have some of the same keys as the JSON block.<br></div><div><br></div>BTW, is this a publicly available application that emits such a log message? It seems ideal to showcase the wide range of available syslog-ng parsers :)<br><br></div>Regards, <br></div>Robert<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jul 3, 2016 at 3:32 PM, Jorge Pereira <span dir="ltr"><<a href="mailto:jpereiran@gmail.com" target="_blank">jpereiran@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<br><br> I am not sure about the best approach and way to fix my problem; more information is below.<br><br>1) I receive the packet below, sent from an nginx/openresty instance.<br><br><pre>2016/07/02 01:17:04 [emerg] 19081#0: *13163 [lua] init.lua:115: [captcha] {"fail_count":"","response_code":200,"client_ip":"192.168.1.22","hostname":"server-lab01","request_id":"2016-07-02T01:17:03Z|9175f93c0c||i0Xb3BuBWV","host":"www.mytest.com","http_request":{"verb":"GET","url":"\/","user-agent":"Mozilla\/5.0 (pc-x86_64-linux-gnu) Siege\/3.0.8","http_version":"1.1","all":"{\"host\":\"www.mytest.com\",\"x-country-code\":\"US\",\"connection\":\"close\",\"accept\":\"*\\\/*\",\"x-client-ip\":\"192.168.1.22\",\"user-agent\":\"Mozilla\\\/5.0 (pc-x86_64-linux-gnu) Siege\\\/3.0.8\",\"accept-encoding\":\"gzip\"}"},"geoip":{"location":"-90.5334,38.6500","city_name":"Chesterfield","country_name":"United States","longitude":-90.5334,"area_code":314,"latitude":38.65,"country_code2":"US","country_code3":"USA"},"got":"","action":"show","expected":"h1szmM","webapp_domain":"www.mytest.com"} while logging request, client: 192.168.1.22, server: www.mytest.com, request: "GET / HTTP/1.1", host: "www.mytest.com"</pre>2) On my server side, I need to save the logs according to the value of <i>host: "www.mytest.com"</i>, like:<div><br></div><div>/var/log/syslog-ng/www.mytest.com.log</div><div><br></div><div>3) The problem is that the received packet has a part that is JSON, but I can't use the <i>json-parser()</i>.</div><div><br></div><div>4) What is the best approach? I have used:</div><div><br></div><div><pre># Extracting only the JSON payload
rewrite p_nginx_wb_error_log_clean {
  subst(".*captcha] ", "", value("MESSAGE"), flags("global"));
  subst(" while logging request.*$", "", value("MESSAGE"), flags("global"));
};

parser p_nginx_wb_error_log_json {
  json-parser(
    marker("")
    prefix("j.")
  );
};

destination d_nginx_wb_error_log {
  file("/var/log/syslog-ng/nginx/${j.webapp_domain:-unknow-payload}_error.log"
    create_dirs(yes)
    owner("root")
    group("root")
    perm(0644)
    dir_perm(0755)
    template("${MSG}\n")
  );
};</pre><br>--<br>Jorge Pereira</div></div>
<br></blockquote></div><br></div>
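<div>Added example, not code from the thread or from syslog-ng: the split-then-parse flow Robert describes (cut at "[captcha] " and " while logging request, ", JSON block with a "j." prefix, key:value trailer with a "kv." prefix), done in Python so the result can be checked offline, plus a hostname check before the value is used in the per-host file name that Jorge's file() destination builds. The trimmed sample line, the marker strings and the hostname pattern are assumptions made here.</div>

```python
import json
import re

# Constructed sample, trimmed from the nginx/openresty line quoted above (same three blocks)
SAMPLE = ('2016/07/02 01:17:04 [emerg] 19081#0: *13163 [lua] init.lua:115: [captcha] '
          '{"response_code":200,"client_ip":"192.168.1.22","host":"www.mytest.com",'
          '"http_request":{"verb":"GET","url":"\\/"},"action":"show","webapp_domain":"www.mytest.com"}'
          ' while logging request, client: 192.168.1.22, server: www.mytest.com, '
          'request: "GET / HTTP/1.1", host: "www.mytest.com"')

JSON_MARK = "[captcha] "                 # the "]" delimiter Robert suggests, plus the space after it
KV_MARK = " while logging request, "    # Robert's second (string) delimiter
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")
KV_RE = re.compile(r'(\w+): ("(?:[^"\\]|\\.)*"|[^,]+)')   # key: value  or  key: "quoted value"

def split_blocks(msg):
    """Cut the message into header / JSON / key:value trailer (the csv-parser step)."""
    head, found, rest = msg.partition(JSON_MARK)
    if not found:
        raise ValueError("no [captcha] marker in message")
    payload, found, tail = rest.partition(KV_MARK)
    if not found:
        raise ValueError("no 'while logging request' marker in message")
    return head, payload, tail

def parse_kv(tail):
    """Parse nginx's comma-separated `key: value` trailer (the kv-parser step)."""
    pairs = {}
    for key, val in KV_RE.findall(tail):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        pairs[key] = val.strip()
    return pairs

def parse_nginx_captcha(msg):
    """One flat dict; the j./kv. prefixes keep the duplicated host/client keys apart."""
    _head, payload, tail = split_blocks(msg)
    fields = {"j." + k: v for k, v in json.loads(payload).items()}
    fields.update({"kv." + k: v for k, v in parse_kv(tail).items()})
    return fields

def log_path(host, base="/var/log/syslog-ng/nginx"):
    """Per-host file name. Anything that is not a plain hostname gets a fixed fallback name,
    so a value taken from log content can never steer the destination outside base."""
    if not HOST_RE.match(host.lower()):
        host = "unknown-payload"
    return f"{base}/{host.lower()}_error.log"

if __name__ == "__main__":
    fields = parse_nginx_captcha(SAMPLE)
    print(log_path(fields["kv.host"]), fields["j.response_code"], fields["kv.request"])
```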
</body></html>