<div dir="ltr">Another option where you can assign name-value pairs yourself:<div><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">Have you looked at patterndb ? Here are a couple snippets that are working well for me:</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">parser p_proxy {</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">  db-parser(file("/usr/local/etc/patterndb.d/proxy.xml"));</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">};</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica 
neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">destination d_redis {</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">  redis (</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">    host("localhost")</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">    command("LPUSH", "logstash", "$(format-json type=proxy proxy_time=${PROXY.TIME} proxy_time_taken=${PROXY.TIME_TAKEN} proxy_c_ip=${PROXY.C_IP} proxy_sc_status=${PROXY.SC_STATUS} proxy_s_action=${PROXY.S_ACTION} proxy_sc_bytes=int64(${PROXY.SC_BYTES}) proxy_cs_bytes=int64(${PROXY.CS_BYTES}) proxy_cs_method=${PROXY.CS_METHOD} proxy_cs_uri_scheme=${PROXY.CS_URI_SCHEME} proxy_cs_host=${PROXY.CS_HOST} proxy_cs_uri_port=${PROXY.CS_URI_PORT} proxy_cs_uri_path=${PROXY.CS_URI_PATH} proxy_cs_uri_equery=${PROXY.CS_URI_EQUERY}  proxy_cs_username=${PROXY.CS_USERNAME} proxy_cs_auth_group=${PROXY.CS_AUTH__GROUP} proxy_s_supplier_name=${PROXY.S_SUPPLIER_NAME} proxy_content_type=${PROXY.CONTENT_TYPE} proxy_referrer=${PROXY.REFERRER} proxy_user_agent=${PROXY.USER_AGENT} proxy_filter_result=${PROXY.FILTER_RESULT} proxy_cs_categories=${PROXY.CS_CATEGORIES} proxy_x_virus_id=${PROXY.X_VIRUS_ID} 
proxy_s_ip=${PROXY.S_IP} proxy_any=${PROXY.ANYREST})\n")</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">  );</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">};</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">log {</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">  source(s_network);</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">  parser(p_proxy);</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica 
neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">  destination(d_redis);</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">};</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">Hope this helps.</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)"><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)">Jim</span><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Dec 25, 2016 at 9:27 AM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">I would embed 
json formatted strings as redis list elements.<div dir="auto"><br></div><div dir="auto">You can format that using $(format-json)</div><div dir="auto"><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Dec 24, 2016 1:17 AM,  <<a href="mailto:johnsc301@gmail.com" target="_blank">johnsc301@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="#954F72"><div class="m_8306541047392649847m_8791402634874240079WordSection1"><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222">I am trying to send information from Syslog-ng to Redis. In /etc/syslog-ng/syslog-ng.conf I added this: destination d_redis { redis( host("127.0.0.1") port(6379) command("RPUSH", "sensor_name", "${sensor_name}")); };<u></u><u></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222"><u></u> <u></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222">I am trying to create a list of variables, hopefully one being timestamp. 
Here is an example of my syslog that I am trying to pull:<span class="m_8306541047392649847m_8791402634874240079apple-converted-space"> </span><a href="http://pastebin.com/Hx5vW4VA" target="_blank"><span style="color:#0079d3;text-decoration:none">http://pastebin.com/Hx5v<wbr>W4VA</span></a><u></u><u></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222">Here is syslog-ng.conf, for reference:<span class="m_8306541047392649847m_8791402634874240079apple-converted-space"> </span><a href="http://pastebin.com/2VQFBNmK" target="_blank"><span style="color:#0079d3;text-decoration:none">http://pastebin.com<wbr>/2VQFBNmK</span></a><u></u><u></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222">Those are logs being sent from Snort to Syslog-ng through Snort. 
I want to connect to Redis.<u></u><u></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222">I saw that the command parameters are: comma-separated list of strings ("<redis-command>", "<first-command-parameter>", "<second-command-parameter>", "<third-command-parameter>") from:<span class="m_8306541047392649847m_8791402634874240079apple-converted-space"> </span><a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-destination-redis.html" target="_blank"><span style="color:#0079d3;text-decoration:none">https://www.balabit.com/<wbr>documents/syslog-ng-ose-latest<wbr>-guides/en/syslog-ng-ose-<wbr>guide-admin/html/reference-<wbr>destination-redis.html</span></a><u></u><u></u></span></p><p class="MsoNormal"><span class="m_8306541047392649847m_8791402634874240079apple-converted-space"> </span>I'm assuming I'd say RPUSH <something>... 
However, I am unsure of how to find the correct parameters.<u></u><u></u></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222">Specifically, for now, I want to create a list (RPUSH) of timestamps, IP addresses (to and from), and event type (ICMP, for example).<u></u><u></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222">I did find this list of parameters:<u></u><u></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222"><a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/syslog-ng-parameter-index.html" target="_blank">https://www.balabit.com/docume<wbr>nts/syslog-ng-ose-latest-<wbr>guides/en/syslog-ng-ose-guide-<wbr>admin/html/syslog-ng-<wbr>parameter-index.html</a><u></u><u></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:0in;margin-bottom:.0001pt;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222">A good first try, I'd like to make a list of timestamps. 
How can I set the d_redis(command()) within syslog-ng.conf to do this?<u></u><u></u></span></p></div></div><br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=<wbr>syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div></div>
<br></blockquote></div><br></div>
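Added example (not from any poster in this thread): one way to answer the original question, pushing a single JSON string per Snort alert onto a Redis list so that the timestamp, addresses and protocol of each alert stay together. The names f_snort, p_snort, d_redis_snort, the key snort_alerts, the snort.xml path and the SNORT.* name-value pairs are assumptions; SNORT.* would have to be set by a patterndb rule written for the Snort message format. s_network is the source name used in Jim's snippet.

```conf
# Fragment for syslog-ng.conf. All SNORT.* names are hypothetical and must
# match the names assigned in the patterndb rule file loaded below.

# Only handle messages whose program field is "snort".
filter f_snort { program("snort"); };

# Same mechanism as p_proxy in the reply above, with a Snort rule file
# (hypothetical path).
parser p_snort {
  db-parser(file("/usr/local/etc/patterndb.d/snort.xml"));
};

destination d_redis_snort {
  redis(
    host("127.0.0.1")
    port(6379)
    # command() takes the Redis command followed by its parameters:
    #   RPUSH <key> <value>
    # The value is one JSON document per alert. ${ISODATE}, ${HOST} and
    # ${MESSAGE} are built-in syslog-ng macros; the rest come from patterndb.
    command("RPUSH", "snort_alerts",
      "$(format-json timestamp=${ISODATE} sensor=${HOST} proto=${SNORT.PROTO} src_ip=${SNORT.SRC_IP} dst_ip=${SNORT.DST_IP} message=${MESSAGE})")
  );
};

log {
  source(s_network);
  filter(f_snort);
  parser(p_snort);
  destination(d_redis_snort);
};
```

Because $(format-json) escapes quotes and control characters in each value, attacker-influenced fields such as the alert text arrive in Redis as one well-formed JSON string per list element. For a list of timestamps only, the third command() parameter can be reduced to "${ISODATE}".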