Hi,

> is it possible to scan each syslog message for system-notification*(traffic) once this matches, to insert the values !splitted!

What's the meaning of "values splitted"? Could you give me an example, please?

> into a database with the following fields:
>
> device_id start_time duration policy_id service ip_proto src_zone dst_zone action sent rcvd src_ip dst_ip src_port dst_port src_xlated_ip dst_xlated_ip port session_id
>
> the whole message looks like this:
>
> Oct 3 15:35:32 172.10.0.10 NS50: NetScreen device_id=NS50 [No Name]system-notification-00257(traffic): start_time="2005-10-03 15:01:37" duration=21 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2454 rcvd=1601 src=172.18.12.10 dst=172.17.10.24 src_port=1458 dst_port=443 src-xlated ip=172.18.12.113 port=1458 session_id=63649
>
> I was able to filter certain messages, but never to split up the real "message field".

Well, you can filter the stuff using a match() statement. Then the only option I see is to use the program() statement and have an external tool or filter handle the input. Something along the lines of (untested and not exactly with a proper SQL statement, but you get the idea):

  | sed 's/\(.*\)device_id=\(.*\) \(.*\)start_time=\(.*\)$/device_id=\2 start_time=\4/' | tr ' ' '\n' | while IFS="=" read key val; do echo "key=$key:val=$val"; done

The "echo "key=$key:val=$val"" part has of course to be translated into proper SQL parlance.

> Any help with examples would be great, I'm using syslog-ng 1.6.8

HTH,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
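As an added example (not code from the thread or from syslog-ng itself), here is the kind of external tool a program() destination could pipe into: it filters on the system-notification-NNNNN(traffic) marker, parses the NetScreen key=value pairs into the column names listed in the question, and inserts each row with a parameterized statement. It handles the two things the sed/tr pipeline above would trip over: the quoted start_time value contains a space, and several keys ("src zone", "src-xlated ip") contain spaces themselves. The sample lines, the table name "traffic" and the use of SQLite are assumptions made for the example; the column list comes from the thread.

```python
import re
import sqlite3
import sys

# Constructed sample line, in the NetScreen format shown in the thread.
SAMPLE_LINE = (
    'Oct 3 15:35:32 172.10.0.10 NS50: NetScreen device_id=NS50 [No Name]'
    'system-notification-00257(traffic): start_time="2005-10-03 15:01:37" '
    'duration=21 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust '
    'action=Permit sent=2454 rcvd=1601 src=172.18.12.10 dst=172.17.10.24 '
    'src_port=1458 dst_port=443 src-xlated ip=172.18.12.113 port=1458 session_id=63649'
)
# Constructed non-traffic line that the filter must ignore.
OTHER_LINE = ('Oct 3 15:36:00 172.10.0.10 NS50: NetScreen device_id=NS50 [No Name]'
              'system-alert-00008: some=thing')

# Key as it appears in the NetScreen message -> column name from the thread.
KEY_TO_COLUMN = {
    "device_id": "device_id", "start_time": "start_time", "duration": "duration",
    "policy_id": "policy_id", "service": "service", "proto": "ip_proto",
    "src zone": "src_zone", "dst zone": "dst_zone", "action": "action",
    "sent": "sent", "rcvd": "rcvd", "src": "src_ip", "dst": "dst_ip",
    "src_port": "src_port", "dst_port": "dst_port",
    "src-xlated ip": "src_xlated_ip", "dst-xlated ip": "dst_xlated_ip",
    "port": "port", "session_id": "session_id",
}
COLUMNS = list(KEY_TO_COLUMN.values())

# Only traffic notifications are of interest (the match() filter in syslog-ng terms).
TRAFFIC_RE = re.compile(r"system-notification-\d+\(traffic\)")

# Alternation of the known keys, longest first so "src-xlated ip" wins over "src"
# and "dst zone" over "dst". The lookbehind stops "port" matching inside "src_port".
# A value is either a double-quoted string (may contain spaces) or a run of non-spaces.
_KEYS = sorted(KEY_TO_COLUMN, key=len, reverse=True)
KV_RE = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(k) for k in _KEYS) + r')=("[^"]*"|\S+)'
)


def parse_traffic_message(line):
    """Return {column: value} for a traffic notification, or None for any other message."""
    if not TRAFFIC_RE.search(line):
        return None
    row = dict.fromkeys(COLUMNS)  # keys absent from the message (e.g. dst-xlated ip) stay None
    for key, raw in KV_RE.findall(line):
        row[KEY_TO_COLUMN[key]] = raw.strip('"')
    return row


def insert_traffic_row(conn, row):
    """Parameterized insert: values never get spliced into the SQL text."""
    placeholders = ", ".join("?" * len(COLUMNS))
    conn.execute(
        "INSERT INTO traffic (%s) VALUES (%s)" % (", ".join(COLUMNS), placeholders),
        [row[c] for c in COLUMNS],
    )


def load_lines(lines, conn=None):
    """Parse every traffic line into the table; return (connection, rows inserted)."""
    if conn is None:
        conn = sqlite3.connect(":memory:")  # assumption: an in-memory DB for the example
        conn.execute("CREATE TABLE traffic (%s)" % ", ".join(COLUMNS))
    inserted = 0
    for line in lines:
        row = parse_traffic_message(line)
        if row is not None:
            insert_traffic_row(conn, row)
            inserted += 1
    conn.commit()
    return conn, inserted


if __name__ == "__main__":
    # Read from stdin when piped (as a program() destination would), else use the samples.
    source = sys.stdin if not sys.stdin.isatty() else [SAMPLE_LINE, OTHER_LINE]
    conn, count = load_lines(line.rstrip("\n") for line in source)
    print("inserted %d row(s)" % count)
    for r in conn.execute("SELECT device_id, start_time, src_ip, dst_ip, action FROM traffic"):
        print(r)
```

Run it with a file of syslog lines on stdin, or without input to see the sample parsed. Because the key list is fixed, an unexpected key in a future message is simply ignored rather than creating a spurious column, and the quoted start_time survives intact because the value regex consumes the whole quoted string before the line is split.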