<div dir="auto"><div>Hi,</div><div dir="auto"><br></div><div dir="auto">There's a Palo Alto parser in the SCL that I wrote a few years back:</div><div dir="auto"><br></div><div dir="auto"><a href="https://github.com/axoflow/axosyslog/blob/main/scl/paloalto/panos.conf">https://github.com/axoflow/axosyslog/blob/main/scl/paloalto/panos.conf</a></div><div dir="auto"><br></div><div dir="auto">That parser can be used to extract the Palo fields as name-value pairs.</div><div dir="auto"><br></div><div dir="auto">That parser can be used to extract the .panos.device_name field, which you can then embed in your filename template as ${.panos.device_name}.</div><div dir="auto"><br></div><div dir="auto">To use the panos-parser() you need to include scl.conf in your main config, but you probably have that already.</div><div dir="auto"><br></div><div dir="auto">Let me know if it doesn't work out.</div><div dir="auto"><br></div><div dir="auto">-- </div><div dir="auto">Bazsi</div><div dir="auto"><a href="https://discord.gg/NNUJUmC36j">https://discord.gg/NNUJUmC36j</a><br></div><div dir="auto"><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Fri, Jun 28, 2024, 19:08 John Norton <<a href="mailto:nortonjco@gmail.com">nortonjco@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><p class="MsoNormal"><span style="font-size:11pt">Hi All,</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">I have a panorama system that sends logs from several devices (dvc_name). What I want to do is have it write to files based on the dvc_name. The dvc_name is in the following message as "ip-10-37-12-142". 
These are not static as they are spun up as needed and the dvc_name may change.</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">Can you help me figure out how to create a parser or filter to take the following message, where it will read in the dvc_name "ip-10-37-12-142" and write logs that include that dvc_name to a separate file (and other dvc_names it sees in messages to their own file)?:</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><b><span style="font-size:11pt">Jun 27 19:08:15 <a href="http://terl-panorama-01.times.com/" target="_blank" rel="noreferrer">TERL-PANORAMA-01.times.com</a> 1,2024/06/27 15:08:14,005655000463255,SYSTEM,dhcp,2817,2024/06/27 15:08:09,,if-renew-trigger,,0,0,general,informational,"DHCP RENEW: interface eth0, ip 10.37.12.142 netmask 255.255.255.224 dhcp server: 10.37.12.129",7383625404611793457,0x8000000000000000,0,0,0,0,,ip-10-37-12-142,0,0,2024-06-27T15:08:09.224-04:00</span></b></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">I've tried a few different things but can't figure out how to do it dynamically. 
This rewrite worked, but it requires a static entry, which won't scale, and all potential dvc_names cannot be known:</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">rewrite r_panorama { set("ip-10-37-12-142", value("HOST") condition(message(".*ip-10-37-12-142"))); };</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">I've also tried creating a filter, but it doesn't actually store what the match finds in a macro that I can replace something like $HOST with.</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">filter f_panorama { match("ip-\d+-\d+-\d+-\d+" value("MESSAGE")); };</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">I was also thinking that I could do something with the csv parser, but it didn't work like I was expecting, but am thinking a parser might work if I could get it right (I think partially it doesn't work because it is a syslog message and the first part of the message interferes with the csv parsing, not sure):</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">parser p_panorama {</span></p><p class="MsoNormal"><span style="font-size:11pt"> csv-parser(</span></p><p class="MsoNormal"><span style="font-size:11pt"> 
columns("future_use1","receive_time","serial_number","log_type","log_subtype","version","generated_time","vsys","event_id","object","future_use3","future_use4","module","severity","description","sequence_number","action_flags","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name")</span></p><p class="MsoNormal"><span style="font-size:11pt"> delimiters(",")</span></p><p class="MsoNormal"><span style="font-size:11pt"> quote-pairs('""[]')</span></p><p class="MsoNormal"><span style="font-size:11pt"> );</span></p><p class="MsoNormal"><span style="font-size:11pt">};</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">destination d_panorama {file("`mypath`/panorama/${dvc_name}/${dvc_name}.log"); };</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">log { source(s_panother); parser(p_panorama); destination(d_panorama); };</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">Is this something someone could help me with?</span></p><p class="MsoNormal"><span style="font-size:11pt"> </span></p><p class="MsoNormal"><span style="font-size:11pt">Thank you,</span></p><p class="MsoNormal"><span style="font-size:11pt">John</span></p></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div></div></div>
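<p>A complete per-device configuration built on the panos-parser() suggestion above, as an added example that is not part of either message in this thread and not the project's own code. It assumes a syslog-ng or axosyslog 4.x install (the <code>@version</code> line is an assumption to match whatever is installed), that Panorama forwards over UDP port 514, that <code>/var/log/panorama</code> is writable by syslog-ng, and that panos-parser() populates <code>.panos.device_name</code> as described above; the name filter, the unparsed fallback and the path names are additions for illustration.</p>

```syslog-ng
@version: 4.8           # assumption: set this to your installed syslog-ng / axosyslog version
@include "scl.conf"     # required so that panos-parser() from the SCL is available

# assumption: Panorama forwards to this collector over UDP/514
source s_panorama { network(transport("udp") port(514)); };

# panos-parser() splits the PAN-OS CSV payload into .panos.* name-value pairs,
# including .panos.device_name (dvc_name in the PAN-OS field list).
parser p_panos { panos-parser(); };

# The device name comes from the log payload itself and is about to become a
# path component, so only accept a conservative character set. This also
# rejects an empty value, which would otherwise produce a malformed path.
filter f_safe_device_name {
    match('^[A-Za-z0-9._-]+$' value(".panos.device_name"));
};

# One directory and file per device, created on first use.
destination d_per_device {
    file("/var/log/panorama/${.panos.device_name}/${.panos.device_name}.log"
         create-dirs(yes));
};

# Messages that fail parsing or carry an unusable device name are kept here
# for review rather than being dropped or written under an unexpected path.
destination d_unparsed { file("/var/log/panorama/unparsed.log"); };

log {
    source(s_panorama);
    parser(p_panos);
    junction {
        channel { filter(f_safe_device_name); destination(d_per_device); flags(final); };
        channel { destination(d_unparsed); };
    };
};
```

<p>For the sample message in the question, <code>.panos.device_name</code> is <code>ip-10-37-12-142</code>, so the record lands in <code>/var/log/panorama/ip-10-37-12-142/ip-10-37-12-142.log</code>. The pattern is written in single quotes so the trailing <code>$</code> is taken literally; braces around the macro in the file() template keep the name from running into the <code>.log</code> suffix, which is the same pitfall as <code>$dvc_name.log</code> in the original attempt.</p>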