The timestamp is probably best formatted using $ISODATE.

On May 31, 2017 10:16 AM, "Francesco Rolando" <ogekuri@gmail.com> wrote:
Hi all, I'm working with the Sawmill log collector, which is able to import syslog-ng logs.
I have to export logs with a specific template() to have them correctly imported into Sawmill.
Here is the regular expression used to match syslog-ng lines inside the Sawmill parser (which seems to have been coded by "BalaBit IT Security"):
'^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])T([0-9][0-9]:[ 0-9][0-9]:[0-9][0-9])[-+][0-9][0-9]:*[0-9][0-9] ([^ ]+) ([^ ]+) ([^ ]+) (.*)$'
where the matches are imported as:
1- date
2- time
3- logging_device
4- syslog_message_type
5- syslog_priority
6- v.syslog_message
I have partially re-created the template() string, but I still have a couple of doubts:
template("${YEAR}-${MONTH}-${DAY}T${HOUR}:${MIN}:${SEC}+??:?? ${SOURCEIP} ${PROGRAM} ${PRIORITY} ${MSG}\n")
Does $PROGRAM make sense as "message type"? And do you have any ideas for the question marks?
Any help is appreciated. Thank you.
-- Saluti, Francesco.
______________________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
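As an added check that is not part of the thread: a small Python script that renders the template with $ISODATE filling the timestamp slot (as the reply suggests) from constructed macro values, then runs the result through Sawmill's regex quoted in Francesco's message to confirm all six fields land where the parser expects them. The `render` and `isodate` helpers are hypothetical stand-ins for syslog-ng's own macro expansion, and the sample values are constructed; the script also shows what happens when $PROGRAM is empty or contains a space, which the regex does not tolerate.

```python
import re
from datetime import datetime, timedelta, timezone

# Sawmill's syslog-ng parser regex, copied verbatim from the message above.
SAWMILL_RE = re.compile(
    r'^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])'
    r'T([0-9][0-9]:[ 0-9][0-9]:[0-9][0-9])'
    r'[-+][0-9][0-9]:*[0-9][0-9] ([^ ]+) ([^ ]+) ([^ ]+) (.*)$'
)
# Field names in the order Sawmill imports the capture groups.
FIELDS = ("date", "time", "logging_device", "syslog_message_type",
          "syslog_priority", "v.syslog_message")

# Candidate syslog-ng template: $ISODATE replaces the YEAR/MONTH/.../+??:?? part.
TEMPLATE = "${ISODATE} ${SOURCEIP} ${PROGRAM} ${PRIORITY} ${MSG}"


def isodate(ts):
    """Hypothetical stand-in for syslog-ng's $ISODATE: YYYY-MM-DDTHH:MM:SS+HH:MM."""
    raw = ts.strftime("%Y-%m-%dT%H:%M:%S%z")   # offset comes out as +0200
    return raw[:-2] + ":" + raw[-2:]            # Sawmill wants +02:00


def render(template, macros):
    """Hypothetical ${NAME} expansion; only a subset of what syslog-ng does."""
    return re.sub(r"\$\{(\w+)\}", lambda m: macros[m.group(1)], template)


def parse_sawmill(line):
    """Return the six fields Sawmill would import, or None if the line is rejected."""
    m = SAWMILL_RE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def check_template(macros):
    """Render one message with TEMPLATE and parse it as Sawmill would."""
    return parse_sawmill(render(TEMPLATE, macros))


# Constructed sample macro values for one message.
SAMPLE = {
    "ISODATE": isodate(datetime(2017, 5, 31, 10, 16, 0,
                                tzinfo=timezone(timedelta(hours=2)))),
    "SOURCEIP": "192.0.2.10",
    "PROGRAM": "sshd",
    "PRIORITY": "notice",
    "MSG": "Accepted publickey for alice from 192.0.2.20 port 51234",
}

if __name__ == "__main__":
    print(render(TEMPLATE, SAMPLE))
    print(check_template(SAMPLE))
```

Because the regex uses `([^ ]+)` for the three middle fields, a $PROGRAM value with a space shifts every later field by one, and an empty $PROGRAM makes the whole line fail to match; filtering or substituting such values in the template is worth doing before relying on the import.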