challenges with SDATA

I have successfully written parsers for unstructured logs, but would like to be able to leverage SDATA. Based on what I have researched so far, I have built the following skeleton conf file for writing to mongodb:

#####Filter#####
filter f_session_close { message("RT_FLOW_SESSION_CLOSE"); };

#####Destinations#####
destination d_mongodb_close {
    mongodb(
        collection("close")
        value-pairs( scope(rfc5424 sdata) )
    );
};

#####Log#####
log { source(s_network); filter(f_session_close); destination(d_mongodb_close); };

With this in mind, I get the following logs with only the rfc5424 scope:

"DATE" : "Oct 5 20:40:21",
"FACILITY" : "user",
"HOST" : "192.168.199.2",
"MESSAGE" : "2012-10-05T20:40:20.444 SRX100 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address=\"192.168.199.207\" source-port=\"55625\" destination-address=\"130.57.4.24\" destination-port=\"80\" service-name=\"junos-http\" nat-source-address=\"50.193.12.149\" nat-source-port=\"28178\" nat-destination-address=\"130.57.4.24\" nat-destination-port=\"80\" src-nat-rule-name=\"source-nat-rule\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"trust-to-untrust\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"61189\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"vlan.0\"]",
"PRIORITY" : "info",
"PROGRAM" : "1",
"_id" : ObjectId("506fa825817f52de65000001")

When using the SDATA scope, I only get an object id. None of the structured data is ever parsed. Is there something special I need to do to parse the structured portion of the message?

Chris
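The bracketed part of the MESSAGE above is an RFC 5424 SD-ELEMENT: an SD-ID (junos@2636.1.1.1.2.36) followed by PARAM-NAME="PARAM-VALUE" pairs, and syslog-ng exposes each pair as ${.SDATA.<SD-ID>.<PARAM-NAME>} once the message has been parsed as RFC 5424. The sdata scope only has something to emit when that parse has happened; the "PROGRAM" : "1" in the output (the RFC 5424 version number landing in the program field) is consistent with the line having been parsed as a plain BSD-syslog message instead, with the whole header and SD block left inside MESSAGE. The following parser is an added example, not from this thread and not syslog-ng's own code: it takes a full RFC 5424 line, splits header, structured data and MSG, unescapes the three RFC 5424 value escapes (\", \\ and \]), and returns the pairs under the .SDATA.<SD-ID>.<PARAM-NAME> names. The sample line is constructed by re-wrapping the MESSAGE from the post; the PRI value <14> (user.info) is assumed.

```python
import re

# Constructed sample: the MESSAGE from the post re-wrapped as a complete
# RFC 5424 line. PRI <14> (facility user=1, severity info=6) is an assumption;
# everything after it is the text the post shows.
SAMPLE = (
    '<14>1 2012-10-05T20:40:20.444 SRX100 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="192.168.199.207" source-port="55625" '
    'destination-address="130.57.4.24" destination-port="80" service-name="junos-http" '
    'nat-source-address="50.193.12.149" nat-source-port="28178" '
    'nat-destination-address="130.57.4.24" nat-destination-port="80" '
    'src-nat-rule-name="source-nat-rule" dst-nat-rule-name="None" protocol-id="6" '
    'policy-name="trust-to-untrust" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="61189" username="N/A" '
    'roles="N/A" packet-incoming-interface="vlan.0"]'
)

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) '
    r'(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) '
)


def _read_until(text, pos, stop_chars):
    """Return the run of characters from pos up to the first stop char."""
    start = pos
    while pos < len(text) and text[pos] not in stop_chars:
        pos += 1
    return text[start:pos], pos


def _read_param_value(text, pos):
    """Parse a PARAM-VALUE starting just after its opening quote.

    RFC 5424 escapes exactly three characters inside a value: \\" \\\\ and \\].
    Any other backslash is literal and is kept as-is.
    """
    out = []
    while pos < len(text):
        ch = text[pos]
        if ch == '\\' and pos + 1 < len(text) and text[pos + 1] in '"\\]':
            out.append(text[pos + 1])
            pos += 2
            continue
        if ch == '"':
            return ''.join(out), pos + 1
        out.append(ch)
        pos += 1
    raise ValueError('unterminated PARAM-VALUE')


def _parse_sd_element(text, pos):
    """Parse one [SD-ID PARAM="VALUE" ...] element; return (sd_id, params, pos)."""
    if text[pos] != '[':
        raise ValueError('expected "[" at offset %d' % pos)
    sd_id, pos = _read_until(text, pos + 1, ' ]')
    if not sd_id:
        raise ValueError('empty SD-ID')
    params = {}
    while pos < len(text) and text[pos] == ' ':
        name, pos = _read_until(text, pos + 1, '=')
        if pos >= len(text) or text[pos + 1:pos + 2] != '"':
            raise ValueError('malformed SD-PARAM %r' % name)
        value, pos = _read_param_value(text, pos + 2)
        params[name] = value
    if pos >= len(text) or text[pos] != ']':
        raise ValueError('unterminated SD-ELEMENT %r' % sd_id)
    return sd_id, params, pos + 1


def parse_rfc5424(line):
    """Split an RFC 5424 line into header fields, .SDATA.* pairs and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header')
    header = m.groupdict()
    pri = int(header.pop('pri'))
    header['facility'], header['severity'] = divmod(pri, 8)
    pos = m.end()
    sdata = {}
    if line[pos:pos + 1] == '-':          # NILVALUE: no structured data
        pos += 1
    else:
        while pos < len(line) and line[pos] == '[':
            sd_id, params, pos = _parse_sd_element(line, pos)
            for name, value in params.items():
                # Key naming follows syslog-ng's ${.SDATA.<SD-ID>.<PARAM-NAME>}
                sdata['.SDATA.%s.%s' % (sd_id, name)] = value
    msg = line[pos + 1:] if line[pos:pos + 1] == ' ' else line[pos:]
    return {'header': header, 'sdata': sdata, 'msg': msg}


if __name__ == '__main__':
    parsed = parse_rfc5424(SAMPLE)
    print(parsed['header'])
    for key in sorted(parsed['sdata']):
        print('%s = %s' % (key, parsed['sdata'][key]))
```

Running it on the sample prints nineteen .SDATA.junos@2636.1.1.1.2.36.* pairs with an empty MSG, which is the set of values a value-pairs(scope(sdata)) destination has to work with. The same line fed to a BSD-syslog parser has no such pairs, because for that parser the text after the priority is just free-form message; the fix is at the source, not the destination.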
Hi,

It seems you are receiving those messages via the no-parse flag, or something like the udp() source driver. You need to use the syslog() source driver to tell syslog-ng to expect the rfc5424 format and parse it properly.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
participants (2)
- Balazs Scheidler
- Chris Johnson