[syslog-ng] message parsing help
Roberto Nibali
ratz at drugphish.ch
Wed Oct 5 23:18:01 CEST 2005
Hi,
> is it possible to scan each syslog message for system-notification*(traffic)
> once this matches, to insert the values !splitted!
What's the meaning of "values splitted"? Could you give me an example,
please?
> into a database with the following fields:
>
> device_id
> start_time
> duration
> policy_id
> service
> ip_proto
> src_zone
> dst_zone
> action
> sent
> rcvd
> src_ip
> dst_ip
> src_port
> dst_port
> src_xlated_ip
> dst_xlated_ip
> port
> session_id
>
> the whole message looks like this:
>
> Oct 3 15:35:32 172.10.0.10 NS50: NetScreen device_id=NS50 [No
> Name]system-notification-00257(traffic): start_time="2005-10-03 15:01:37"
> duration=21 policy_id=1 service=https proto=6 src zone=Trust dst
> zone=Untrust action=Permit sent=2454 rcvd=1601 src=172.18.12.10
> dst=172.17.10.24 src_port=1458 dst_port=443 src-xlated ip=172.18.12.113
> port=1458 session_id=63649
>
> I was able to filter certain messages, but never to split up the real
> "message field".
Well, you can filter the stuff using a match() statement. Then the only
option I see is to use the program() statement and have an external tool
or filter handle the input. Something along the lines of (untested and
not exactly with a proper SQL statement, but you get the idea):
| sed 's/\(.*\)device_id=\(.*\) \(.*\)start_time=\(.*\)$/device_id=\2 start_time=\4/' \
  | tr ' ' '\n' \
  | while IFS="=" read key val; do echo "key=$key:val=$val"; done
The `` echo "key=$key:val=$val" '' part has of course to be translated
into proper SQL parlance.
> Any help with examples would be great. I'm using syslog-ng 1.6.8
HTH,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
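As an added example (not from the thread or from syslog-ng itself), here is the parsing step done in Python instead of sed/tr, which copes with the two things the shell pipeline trips over: the quoted start_time value and keys containing spaces or hyphens ("src zone", "src-xlated ip"). It assumes a table named traffic with the column names the poster listed, and uses bound parameters so log content never becomes SQL text; the sample line is constructed from the format quoted above.

```python
import re
import sqlite3

# Constructed sample line in the NetScreen format quoted in the thread.
SAMPLE = ('Oct 3 15:35:32 172.10.0.10 NS50: NetScreen device_id=NS50 [No Name]'
          'system-notification-00257(traffic): start_time="2005-10-03 15:01:37" '
          'duration=21 policy_id=1 service=https proto=6 src zone=Trust dst '
          'zone=Untrust action=Permit sent=2454 rcvd=1601 src=172.18.12.10 '
          'dst=172.17.10.24 src_port=1458 dst_port=443 src-xlated ip=172.18.12.113 '
          'port=1458 session_id=63649')

# A key starts after whitespace and is one to three lowercase words joined by
# space/hyphen ("src zone", "src-xlated ip"); a value is quoted or a non-blank run.
KV_RE = re.compile(r'(?<!\S)([a-z_]+(?:[ -][a-z_]+){0,2})=("[^"]*"|\S+)')
# Message key -> DB column, using the column names the poster listed (assumed schema).
COLUMN_FOR = {
    'device_id': 'device_id', 'start_time': 'start_time', 'duration': 'duration',
    'policy_id': 'policy_id', 'service': 'service', 'proto': 'ip_proto',
    'src zone': 'src_zone', 'dst zone': 'dst_zone', 'action': 'action',
    'sent': 'sent', 'rcvd': 'rcvd', 'src': 'src_ip', 'dst': 'dst_ip',
    'src_port': 'src_port', 'dst_port': 'dst_port', 'src-xlated ip': 'src_xlated_ip',
    'dst-xlated ip': 'dst_xlated_ip', 'port': 'port', 'session_id': 'session_id',
}
COLUMNS = list(COLUMN_FOR.values())

def parse_traffic_log(line):
    """Return {column: value} for a system-notification traffic record, else None."""
    if 'system-notification' not in line or '(traffic)' not in line:
        return None
    row = {}
    for key, val in KV_RE.findall(line):
        col = COLUMN_FOR.get(key)          # unknown keys are ignored, not guessed
        if col is not None:
            row[col] = val.strip('"')
    return row

def insert_row(conn, row):
    """Bound parameters: the column list is fixed and values are never interpolated."""
    sql = 'INSERT INTO traffic (%s) VALUES (%s)' % (
        ', '.join(COLUMNS), ', '.join('?' * len(COLUMNS)))
    conn.execute(sql, [row.get(c) for c in COLUMNS])   # absent fields become NULL

def load(lines):
    conn = sqlite3.connect(':memory:')   # stand-in for the real database
    conn.execute('CREATE TABLE traffic (%s)' % ', '.join(COLUMNS))
    rows = [r for r in map(parse_traffic_log, lines) if r]
    for row in rows:
        insert_row(conn, row)
    return conn, len(rows)
```

Wired into syslog-ng the script would read lines from stdin via program(), with the match() filter still doing the coarse selection in front of it.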