Hi list,

I can be more specific.

I have proxies, routers and firewalls in a DMZ. These report into a syslog server in the DMZ.

I want to have the messages in one central place, so I send them to my central syslog server with a MySQL DB.

There they arrive, but they look like the following examples.

a.a.a.a = where it comes from originally (at least that is what I think ;-))

b.b.b.b = NAME of the syslog server

A router message

| a.a.a.a | syslog5   | info     | info  | ae   | 2003-05-06 | 04:21:38 | b.b.b.b | b.b.b.b : [ID 72119 syslog5.info]  04:21:36 drop   rgw2 >eth0 reason: ACL: Ingress filter dropped packet ;  src: a.b.c.d; s_port: 933; dst: f.g.h.i; d_port: 514;  | 1015510 |

A firewall message

| c.c.c.c | syslog5   | info     | info  | ae   | 2003-05-06 | 04:21:38 | b.b.b.b | b.b.b.b: [ID 72119 syslog5.info]  04:21:37 drop   fwgw >eth1 product: SmartDefense; TCP sequence validator: dropped packet with invalid ACK number; attack: Bad TCP sequence; src:  i.j.k.l; s_port: 80; dst: m.n.o.p; service: shell; proto: tcp; | 1015511 |

So I would like to have the machine name, e.g. rgw2 or fwgw, in the host's or facility's place. Maybe the word 'drop' as level, so I can create an index for fast search.

Ideal would be if I could do a search in the $MSG and then filter the entry and put parts of the $MSG into different variables, e.g. $HOST etc.

I guess this could already be done with a regexp search in the $MSG field and then assigning the different variables. But I guess I would have to hardcode all cases, and I'd just like to take something like $MSG.$1, $MSG.$2 etc.

This would allow me to do some kind of "message normalisation". Maybe that's impossible for some reason (speed).

Regards,

Michael

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Monday, 5 May 2003 14:39
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Sorting data from msg field into correct columns?

On Mon, May 05, 2003 at 10:55:07AM +0200, Michael.Semling@swisscom.com wrote:
> Hi all!
>
> As I have now added hardware to report into a central syslog, I have
> to use a relay (another syslog-ng).
> Now I get messages containing
>
> Host: IP/Name of the relay
> Facility, Priority, Level, tag, date, time and program is just all info
> from the relay.
>
> In the msg I have all the data as the original host, time, msg, etc.
>
> Is there any way to "grep/sed/awk" the data out of the msg field and
> sort them into the right columns?
>
> Is there an example for such a filter?

Can you be more specific? Can you perhaps provide examples (what you would
expect and what happens in reality)?

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
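The extraction Michael asks for, as an added example that is not part of the thread or of syslog-ng itself: a small Python normaliser that unwraps the relay's "[ID ... facility.level]" prefix from $MSG and pulls the original device name, event time, action and the "key: value;" pairs into separate columns. The two sample messages are constructed from the rows quoted above, and the output column names (host, level, orig_time, fields) are my assumption, not a syslog-ng or MySQL schema.

```python
import re

# Constructed samples shaped like the two relayed $MSG values quoted in the thread:
# "<relay>: [ID <n> <facility>.<level>] <time> <action> <host> ><iface> key: value; ..."
ROUTER_MSG = ("b.b.b.b : [ID 72119 syslog5.info]  04:21:36 drop   rgw2 >eth0 reason: ACL: "
              "Ingress filter dropped packet ;  src: a.b.c.d; s_port: 933; dst: f.g.h.i; d_port: 514;")
FIREWALL_MSG = ("b.b.b.b: [ID 72119 syslog5.info]  04:21:37 drop   fwgw >eth1 product: SmartDefense; "
                "TCP sequence validator: dropped packet with invalid ACK number; attack: Bad TCP sequence; "
                "src:  i.j.k.l; s_port: 80; dst: m.n.o.p; service: shell; proto: tcp;")

# Outer wrapper the DMZ syslog server (the relay) put around the message when forwarding it.
WRAPPER = re.compile(
    r"^(?P<relay>\S+)\s*:\s*\[ID\s+(?P<msgid>\d+)\s+(?P<facility>\w+)\.(?P<priority>\w+)\]\s+(?P<inner>.*)$")
# Header of the original device message: time, action, device name, ">interface", then "key: value;" pairs.
HEADER = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<action>\S+)\s+(?P<host>\S+)\s+>(?P<iface>\S+)\s*(?P<rest>.*)$")


def parse_relayed(msg):
    """Return normalised columns for one relayed $MSG, or None if it does not match the shape."""
    m = WRAPPER.match(msg)
    if m is None:
        return None
    h = HEADER.match(m.group("inner"))
    if h is None:
        return None
    record = {
        "relay": m.group("relay"),      # b.b.b.b: the forwarding syslog server, not the event source
        "host": h.group("host"),        # original device, e.g. rgw2 or fwgw (assumed column name)
        "iface": h.group("iface"),
        "orig_time": h.group("time"),   # timestamp of the original event, not the relay's receive time
        "level": h.group("action"),     # "drop", usable as an indexed column (assumed column name)
        "fields": {},
    }
    # Values may themselves contain ':' ("reason: ACL: ..."), so split on ';' first and
    # only on the first ':' inside each part; empty parts (trailing ';') are skipped.
    for part in h.group("rest").split(";"):
        key, sep, value = part.strip().partition(":")
        if sep and key.strip():
            record["fields"][key.strip()] = value.strip()
    return record


if __name__ == "__main__":
    for sample in (ROUTER_MSG, FIREWALL_MSG):
        print(parse_relayed(sample))
```

A message that does not carry the relay prefix returns None, so it can be stored unchanged rather than mis-parsed into the wrong columns.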