<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Would there be a string that specifically provides a timestamp or date?<br class=""><div><blockquote type="cite" class=""><div class="">On Dec 26, 2016, at 8:44 AM, Jim Hendrick <<a href="mailto:james.r.hendrick@gmail.com" class="">james.r.hendrick@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Another option where you can assign name-value pairs yourself:<div class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">Have you looked at patterndb? Here are a couple of snippets that are working well for me:</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">parser p_proxy {</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">  db-parser(file("/usr/local/etc/patterndb.d/proxy.xml"));</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span 
style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">};</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">destination d_redis {</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">  redis (</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">    host("localhost")</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">    command("LPUSH", "logstash", "$(format-json type=proxy proxy_time=${PROXY.TIME} proxy_time_taken=${PROXY.TIME_TAKEN} proxy_c_ip=${PROXY.C_IP} proxy_sc_status=${PROXY.SC_STATUS} proxy_s_action=${PROXY.S_ACTION} 
proxy_sc_bytes=int64(${PROXY.SC_BYTES}) proxy_cs_bytes=int64(${PROXY.CS_BYTES}) proxy_cs_method=${PROXY.CS_METHOD} proxy_cs_uri_scheme=${PROXY.CS_URI_SCHEME} proxy_cs_host=${PROXY.CS_HOST} proxy_cs_uri_port=${PROXY.CS_URI_PORT} proxy_cs_uri_path=${PROXY.CS_URI_PATH} proxy_cs_uri_equery=${PROXY.CS_URI_EQUERY}  proxy_cs_username=${PROXY.CS_USERNAME} proxy_cs_auth_group=${PROXY.CS_AUTH__GROUP} proxy_s_supplier_name=${PROXY.S_SUPPLIER_NAME} proxy_content_type=${PROXY.CONTENT_TYPE} proxy_referrer=${PROXY.REFERRER} proxy_user_agent=${PROXY.USER_AGENT} proxy_filter_result=${PROXY.FILTER_RESULT} proxy_cs_categories=${PROXY.CS_CATEGORIES} proxy_x_virus_id=${PROXY.X_VIRUS_ID} proxy_s_ip=${PROXY.S_IP} proxy_any=${PROXY.ANYREST})\n")</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">  );</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">};</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">log {</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span 
style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">  source(s_network);</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">  parser(p_proxy);</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">  destination(d_redis);</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">};</span><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">Hope this helps.</span><br 
style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><br style="box-sizing:border-box;color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class=""><span style="color:rgb(102,102,102);font-family:roboto,"helvetica neue",helvetica,arial,sans-serif;font-size:13px;background-color:rgb(245,248,250)" class="">Jim</span><br class=""></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Sun, Dec 25, 2016 at 9:27 AM, Scheidler, Balázs <span dir="ltr" class=""><<a href="mailto:balazs.scheidler@balabit.com" target="_blank" class="">balazs.scheidler@balabit.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto" class="">I would embed json formatted strings as redis list elements.<div dir="auto" class=""><br class=""></div><div dir="auto" class="">You can format that using $(format-json)</div><div dir="auto" class=""><br class=""></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Dec 24, 2016 1:17 AM,  <<a href="mailto:johnsc301@gmail.com" target="_blank" class="">johnsc301@gmail.com</a>> wrote:<br type="attribution" class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="#954F72" class=""><div class="m_8306541047392649847m_8791402634874240079WordSection1"><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt" class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class="">I am trying to send information from Syslog-ng to Redis. 
In /etc/syslog-ng/syslog-ng.conf I added this: destination d_redis { redis( host("127.0.0.1") port(6379) command("RPUSH", "sensor_name", "${sensor_name}")); };<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt" class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class=""><u class=""></u> <u class=""></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px" class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class="">I am trying to create a list of variables, hopefully one being a timestamp. Here is an example of my syslog that I am trying to pull:<span class="m_8306541047392649847m_8791402634874240079apple-converted-space"> </span><a href="http://pastebin.com/Hx5vW4VA" target="_blank" class=""><span style="color:#0079d3;text-decoration:none" class="">http://pastebin.com/Hx5v<wbr class="">W4VA</span></a><u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px" class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class="">Here is syslog-ng.conf, for reference:<span class="m_8306541047392649847m_8791402634874240079apple-converted-space"> </span><a href="http://pastebin.com/2VQFBNmK" target="_blank" class=""><span style="color:#0079d3;text-decoration:none" class="">http://pastebin.com<wbr class="">/2VQFBNmK</span></a><u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px" 
class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class="">Those are logs being sent from Snort to Syslog-ng through Snort. I want to connect to Redis.<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px" class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class="">I saw that the command parameters are: comma-separated list of strings ("<redis-command>", "<first-command-parameter>", "<second-command-parameter>", "<third-command-parameter>") from:<span class="m_8306541047392649847m_8791402634874240079apple-converted-space"> </span><a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-destination-redis.html" target="_blank" class=""><span style="color:#0079d3;text-decoration:none" class="">https://www.balabit.com/<wbr class="">documents/syslog-ng-ose-latest<wbr class="">-guides/en/syslog-ng-ose-<wbr class="">guide-admin/html/reference-<wbr class="">destination-redis.html</span></a><u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span class="m_8306541047392649847m_8791402634874240079apple-converted-space"> </span>I'm assuming I'd say RPUSH <something>... 
However, I am unsure of how to find the correct parameters.<u class=""></u><u class=""></u></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px" class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class="">Specifically, for now, I want to create a list (RPUSH) of timestamps, IP addresses (to and from), and event type (ICMP, for example).<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt" class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class="">I did find this list of parameters:<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:4.3pt;margin-left:0in;line-height:17.15pt" class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class=""><a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/syslog-ng-parameter-index.html" target="_blank" class="">https://www.balabit.com/docume<wbr class="">nts/syslog-ng-ose-latest-<wbr class="">guides/en/syslog-ng-ose-guide-<wbr class="">admin/html/syslog-ng-<wbr class="">parameter-index.html</a><u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:0in;margin-bottom:.0001pt;line-height:17.15pt;border-radius:0px!important;font-variant-ligatures:normal;font-variant-caps:normal;text-align:start;word-spacing:0px" class=""><span style="font-size:10.5pt;font-family:"Verdana",sans-serif;color:#222222" class="">As a good first try, I'd like to make a list of timestamps. 
How can I set the d_redis(command()) within syslog-ng.conf to do this?<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p><p class="MsoNormal">Sent from <a href="https://go.microsoft.com/fwlink/?LinkId=550986" target="_blank" class="">Mail</a> for Windows 10</p><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div></div><br class="">______________________________<wbr class="">______________________________<wbr class="">__________________<br class="">
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank" class="">https://lists.balabit.hu/mailm<wbr class="">an/listinfo/syslog-ng</a><br class="">
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank" class="">http://www.balabit.com/support<wbr class="">/documentation/?product=<wbr class="">syslog-ng</a><br class="">
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank" class="">http://www.balabit.com/wiki/sy<wbr class="">slog-ng-faq</a><br class="">
<br class="">
<br class=""></blockquote></div></div>
<br class="">
<br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></body></html>