RE: [syslog-ng]Sorting data from msg field into correct columns?
Hi list,

I can be more specific. I have proxies, routers and firewalls in a DMZ. These report into a syslog server in the DMZ. I want to have the messages in one central place, so I send them to my central syslog server with a MySQL DB. There they arrive, but they look like the following example.

a.a.a.a = where it comes from originally (at least what I think ;-))
b.b.b.b = name of the syslog server

A router message:

| a.a.a.a | syslog5 | info | info | ae | 2003-05-06 | 04:21:38 | b.b.b.b | b.b.b.b : [ID 72119 syslog5.info] 04:21:36 drop rgw2 eth0 reason: ACL: Ingress filter dropped packet ; src: a.b.c.d; s_port: 933; dst: f.g.h.i; d_port: 514; | 1015510 |

A firewall message:

| c.c.c.c | syslog5 | info | info | ae | 2003-05-06 | 04:21:38 | b.b.b.b | b.b.b.b: [ID 72119 syslog5.info] 04:21:37 drop fwgw >eth1 product: SmartDefense; TCP sequence validator: dropped packet with invalid ACK number; attack: Bad TCP sequence; src: i.j.k.l; s_port: 80; dst: m.n.o.p; service: shell; proto: tcp; | 1015511 |

So I would like to have the machine name, rgw2 or fwgw, in the host's or facility's place. Maybe the word 'drop' as level, so I can create an index for fast search. Ideal would be if I could do a search in the $MSG and then filter the entry, putting parts of the $MSG into different variables, e.g. $HOST etc. I guess this could already be done with a regexp search in the $MSG field, then assigning the different variables. But I guess I would have to hardcode all cases, and I'd just like to take something like $MSG.$1, $MSG.$2 etc. This would allow me to do some kind of "message normalisation". Maybe that's impossible for some reasons (speed).

Regards,
Michael

-----Original Message-----
From: Balazs Scheidler [mailto:bazsi@balabit.hu]
Sent: Monday, 5 May 2003 14:39
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Sorting data from msg field into correct columns?

On Mon, May 05, 2003 at 10:55:07AM +0200, Michael.Semling@swisscom.com wrote:
Hi all!

As I have now added hardware to report into a central syslog, I have to use a relay (another syslog-ng). Now I get messages containing:

Host: IP/name of the relay. Facility, priority, level, tag, date, time and program are just all info from the relay.

In the msg I have all the data of the original host: time, msg, etc.

Is there any way to "grep/sed/awk" the data out of the msg field and sort it into the right columns?
Is there an example for such a filter?
Can you be more specific? Can you perhaps provide examples (what you would expect and what happens in reality)?

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
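Added example (not code from the thread, and not a syslog-ng feature): the "regexp search in $MSG, then assign the pieces to variables" approach Michael describes, written in Python so it can be run against the two rows above. The two message strings are constructed from the router and firewall examples in the mail; the interpretation of a leading '>' on the interface as outbound, the column names, and the fallback to the relay's own HOST when the message does not match are assumptions made here.

```python
"""Pull the original host, time and key/value fields out of the $MSG column
of a relayed syslog row, so they can be stored in their own DB columns.

Sample MSG values are constructed from the thread's examples (placeholder
addresses a.b.c.d etc. are the ones used in the mail)."""
import re
from typing import Dict, Optional

# Constructed samples, exactly as the MSG column looks after the relay.
ROUTER_MSG = ("b.b.b.b : [ID 72119 syslog5.info] 04:21:36 drop rgw2 eth0 reason: ACL: "
              "Ingress filter dropped packet ; src: a.b.c.d; s_port: 933; "
              "dst: f.g.h.i; d_port: 514;")
FIREWALL_MSG = ("b.b.b.b: [ID 72119 syslog5.info] 04:21:37 drop fwgw >eth1 "
                "product: SmartDefense; TCP sequence validator: dropped packet "
                "with invalid ACK number; attack: Bad TCP sequence; src: i.j.k.l; "
                "s_port: 80; dst: m.n.o.p; service: shell; proto: tcp;")

# Layout assumed from the examples: an optional Solaris-style "[ID nnn fac.pri]"
# tag, then "HH:MM:SS <action> <orig-host> [>]<iface> key: value; key: value; ..."
HEADER_RE = re.compile(
    r"""^(?:\[ID\s+(?P<msgid>\d+)\s+(?P<facpri>[\w.]+)\]\s+)?  # optional [ID ...] tag
        (?P<time>\d{2}:\d{2}:\d{2})\s+                         # original timestamp
        (?P<action>\w+)\s+                                     # e.g. drop
        (?P<host>[\w.-]+)\s+                                   # original host: rgw2, fwgw
        (?P<dir>>?)(?P<iface>[\w-]+)\s*                        # iface; '>' taken as outbound (assumption)
        (?P<rest>.*)$""",
    re.VERBOSE,
)

# The remainder is "key: value; key: value;" where a value may itself contain
# colons ("reason: ACL: Ingress filter dropped packet"), so split on ';' only.
KV_RE = re.compile(r"\s*([^:;]+?)\s*:\s*([^;]*?)\s*(?:;|$)")

# The relay's own name ("b.b.b.b : " / "b.b.b.b: ") sometimes precedes the tag.
RELAY_PREFIX_RE = re.compile(r"^[\w.]+\s*:\s*(?=\[ID)")


def parse_msg(msg: str) -> Optional[Dict[str, str]]:
    """Return a flat dict of extracted fields, or None if MSG has another shape."""
    msg = RELAY_PREFIX_RE.sub("", msg.strip())
    m = HEADER_RE.match(msg)
    if not m:
        return None
    rec = {
        "orig_host": m.group("host"),
        "orig_time": m.group("time"),
        "action": m.group("action"),          # candidate for an indexed 'level' column
        "iface": m.group("iface"),
        "direction": "out" if m.group("dir") else "in",
    }
    for key, val in KV_RE.findall(m.group("rest")):
        # "TCP sequence validator" -> "tcp_sequence_validator", usable as a column name
        rec[key.strip().replace(" ", "_").lower()] = val.strip()
    return rec


def normalise(row_host: str, msg: str) -> Dict[str, str]:
    """Build the row the thread asks for: original host in HOST, the action as
    LEVEL.  Unparseable messages keep the relay's HOST and an empty LEVEL rather
    than being dropped, so nothing is lost when a new device type shows up."""
    parsed = parse_msg(msg)
    if parsed is None:
        return {"host": row_host, "level": "", "msg": msg}
    return {"host": parsed["orig_host"], "level": parsed["action"], "msg": msg, **parsed}


if __name__ == "__main__":
    for relay_host, sample in (("b.b.b.b", ROUTER_MSG), ("b.b.b.b", FIREWALL_MSG)):
        for column, value in normalise(relay_host, sample).items():
            print(f"{column:24} {value}")
        print()
```

Each device type still needs its own header pattern when the text after the tag differs; `HEADER_RE` covers only the two shapes in the mail, and `parse_msg` returning `None` is the signal that a row needs a new pattern rather than silently putting the relay's name in the host column.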