[syslog-ng] change msg text before db inserting

Martin Holste mcholste at gmail.com
Tue Jun 30 01:00:38 CEST 2009


Here are a couple of db-parser patterns I've been using for FWSMs:

<program name='FWSM'>
        <pattern>%FWSM</pattern>
        <!-- each <pattern> is one line; @QSTRING:name: @ takes the word between two
             spaces, @QSTRING:name: :@ the word between a space and a colon -->
        <rule id='2' class='2'>
                <pattern>Deny@QSTRING:FIREWALL.proto: @src@QSTRING:FIREWALL.o_int: :@@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport:@ dst@QSTRING:FIREWALL.i_int: :@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport:@ by access-group @QSTRING:FIREWALL.access_group:"@</pattern>
        </rule>
        <rule id='3' class='3'>
                <pattern>Teardown@QSTRING:FIREWALL.proto: @connection @NUMBER::@ for@QSTRING:FIREWALL.o_int: :@@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport@ to@QSTRING:FIREWALL.i_int: :@@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport@ duration@QSTRING:FIREWALL.conn_duration: @bytes @NUMBER:FIREWALL.conn_bytes:@</pattern>
        </rule>
</program>

These use the 3.0.1 syntax; I haven't updated them to the 3.1
syntax.  Rule 2 is for FWSM denies, rule 3 is for FWSM connection
teardowns.

Hope that helps.

--Martin
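
The two rules above only make sense once you see how each @PARSER:name:param@ token walks along a message, so here is a small stand-alone matcher for the token types they use (QSTRING, IPv4, NUMBER, plus literal text), run over constructed FWSM-style deny and teardown lines, together with the slash-to-space substitution from Bazsi's reply. This is an added example, not code from the thread or from syslog-ng; the sample messages, the `RULES` table (the posted patterns joined back onto single lines) and every function name are this example's own, and it imitates the 3.0 pattern syntax rather than replacing the real radix parser.

```python
"""Mini re-implementation of the patterndb parser tokens used in the FWSM
patterns (QSTRING, IPv4, NUMBER and literal text) and of the subst() rewrite
from the reply, so both can be exercised offline.  Added example, not code
from the thread or from syslog-ng itself."""
import re

# Constructed FWSM-style MESSAGE bodies (syslog-ng keeps the leading
# "%FWSM-n-nnnnnn" tag in PROGRAM, which <pattern>%FWSM</pattern> keys on).
SAMPLE_DENY = ('Deny tcp src outside:192.0.2.10/51234 dst inside:198.51.100.20/22 '
               'by access-group "acl_out" [0x0, 0x0]')
SAMPLE_TEARDOWN = ('Teardown TCP connection 1485203 for outside:192.0.2.10/51234 '
                   'to inside:198.51.100.20/22 duration 0:00:31 bytes 4120 TCP FINs')

# The two posted patterns, each on one line.
RULES = {
    2: ('Deny@QSTRING:FIREWALL.proto: @src@QSTRING:FIREWALL.o_int: :@'
        '@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport:@ dst@QSTRING:FIREWALL.i_int: :@'
        '@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport:@ by access-group '
        '@QSTRING:FIREWALL.access_group:"@'),
    3: ('Teardown@QSTRING:FIREWALL.proto: @connection @NUMBER::@ for@QSTRING:FIREWALL.o_int: :@'
        '@IPv4:FIREWALL.srcip:@/@NUMBER:FIREWALL.srcport@ to@QSTRING:FIREWALL.i_int: :@'
        '@IPv4:FIREWALL.dstip:@/@NUMBER:FIREWALL.dstport@ duration@QSTRING:FIREWALL.conn_duration: @'
        'bytes @NUMBER:FIREWALL.conn_bytes:@'),
}


def tokenize(pattern):
    """Split a pattern into ('lit', text) and ('parser', type, name, param) tokens.
    A '@@' that *starts* a token is a literal '@'; the ':@@IPv4' in the rules is
    the end of one parser directly followed by the start of the next."""
    tokens, lit, i = [], '', 0
    while i < len(pattern):
        if pattern[i] != '@':
            lit += pattern[i]
            i += 1
            continue
        if pattern.startswith('@@', i):
            lit += '@'
            i += 2
            continue
        end = pattern.index('@', i + 1)
        if lit:
            tokens.append(('lit', lit))
            lit = ''
        parts = (pattern[i + 1:end].split(':', 2) + [None, None])[:3]
        tokens.append(('parser', parts[0], parts[1] or None, parts[2] or None))
        i = end + 1
    if lit:
        tokens.append(('lit', lit))
    return tokens


def parse_qstring(s, param):
    """@QSTRING:name:Q@ - Q is one char (same quote on both sides) or two chars
    (opening quote, closing quote).  Quotes are consumed, the value excludes them."""
    quotes = param or '"'
    opening, closing = quotes[0], quotes[-1]
    if not s.startswith(opening):
        return None
    end = s.find(closing, 1)
    if end < 0:
        return None
    return s[1:end], end + 1


def parse_ipv4(s, _param):
    m = re.match(r'(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})', s)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        return None
    return m.group(0), m.end()


def parse_number(s, _param):
    m = re.match(r'0[xX][0-9a-fA-F]+|\d+', s)
    return (m.group(0), m.end()) if m else None


PARSERS = {'QSTRING': parse_qstring, 'IPv4': parse_ipv4, 'NUMBER': parse_number}


def match(pattern, message):
    """Anchored prefix match: returns the named fields, or None on the first failing
    token.  Text after the last token is ignored, which is why the '[0x0, 0x0]' and
    'TCP FINs' tails of the samples need not appear in the patterns."""
    pos, fields = 0, {}
    for token in tokenize(pattern):
        if token[0] == 'lit':
            if not message.startswith(token[1], pos):
                return None
            pos += len(token[1])
            continue
        _, ptype, name, param = token
        result = PARSERS[ptype](message[pos:], param)
        if result is None:
            return None
        value, consumed = result
        if name:  # @NUMBER::@ has no name: it must match but is not stored
            fields[name] = value
        pos += consumed
    return fields


def classify(message):
    """Try the rules in id order; return (rule_id, fields) for the first hit."""
    for rule_id, pattern in sorted(RULES.items()):
        fields = match(pattern, message)
        if fields is not None:
            return rule_id, fields
    return None


def replace_slashes(message):
    """What the reply's rewrite does to MESSAGE: subst('/', ' ' flags(global))."""
    return re.sub('/', ' ', message)


if __name__ == '__main__':
    for sample in (SAMPLE_DENY, SAMPLE_TEARDOWN,
                   'Built outbound TCP connection 1485203 for outside:192.0.2.10/51234 '
                   'to inside:198.51.100.20/22'):
        print(classify(sample))
    print(replace_slashes('world/123.456.192.46(0) -> some-fwsm/123.456.221.121(0)'))
```

Run it and the deny line yields rule 2 with FIREWALL.srcip, FIREWALL.dstport and FIREWALL.access_group filled in, the teardown line yields rule 3 with the connection id matched but discarded (the unnamed @NUMBER::@), and a "Built" line matches neither. The last print shows what the subst() rewrite would hand to PostgreSQL: the interface names and addresses become separate whitespace-delimited tokens.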

On Fri, Jun 26, 2009 at 3:24 AM, Balazs Scheidler<bazsi at balabit.hu> wrote:
> On Fri, 2009-06-26 at 10:14 +0200, Henk van Lingen wrote:
>> Hi,
>>
>> Is it possible to change the message text before it is inserted
>> into a database?
>>
>> I have syslog-ng-3.0.2 running and it does insert the messages directly
>> into a PostgreSQL database, using the new sql(type(pgsql)) destination
>> feature.
>>
>> The problem is I have lots of Cisco firewall logs, and in the database
>> I have a GIN index for doing full-text searching. For this index,
>> the database decomposes the message into tokens. I want to be able to
>> search on IP numbers. However, in lines like
>>
>> world/123.456.192.46(0) -> some-fwsm/123.456.221.121(0)
>>
>> this won't work because the tokens are world/123.456.192.46 and
>> /123.456.192.46, not 123.456.192.46.
>>
>> To solve the problem it would be nice if there is a way to replace the slashes
>> with spaces before the message goes to the database.
>
> You could perhaps be interested in the new db-parser() feature, see the
> related blog posts about that.
>
> To simply replace '/' with ' ' is quite easy:
>
> rewrite r_replace_slashes { subst('/', ' ' flags(global)); };
>
> --
> Bazsi
>