[syslog-ng] decoding messages from sockd (SOCKS proxy)
Matthew Hall
mhall at mhcomputing.net
Thu Oct 7 23:40:12 CEST 2010
Hello all,
I am running into some headaches with the poor formatting of sockd
messages. How should I decode messages like this?
Note I have not applied XML escapes to these yet as that's hard to read
but I will do so when inserting them into a patterndb to prevent parse
errors. Every message in this group begins with this string on one line:
sockd[@NUMBER:pid:@]: @ESTRING:action::@ @ESTRING:phase::@
@IPv4:src:@.@NUMBER:srcport:@ ->
Then there are a few different endings which happen in some messages
that are giving me problems to decode. Here are three examples from my
collected logs:
smarthost.company.com.25
host.team.division.company.com.18050: invalid address: 0.0.0.0.18050
company.com.443: Connection reset by peer
I am having a hard time figuring out how to break these up into domain
name (src / dst as appropriate) and port (srcport / dstport).
My best thought so far was to detect this and rewrite them using PCRE
before applying patterndb matching. I could find the .[0-9]+ and replace
with :\1, then I have the port delimited with ':' and I can pull it
apart using:
@ESTRING:src::@@NUMBER:srcport:@
Is it possible to do PCRE replacement using backreferences? Or is there
another way to get this to work?
Thanks,
Matthew.
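Added example, not from the post or from syslog-ng itself: a small Python parser that applies the ".PORT" to ":PORT" backreference rewrite described above and then splits the three quoted endings into src/srcport/dst/dstport. The lookahead in the port regex keeps the inner octets of an IPv4 address intact, which a bare .[0-9]+ replacement would not. The message head (pid, action, phase values) is a constructed assumption.

```python
import re

# Constructed sample lines: the three message endings quoted in the post,
# prefixed with an assumed "sockd[pid]: action phase src.port ->" head.
SAMPLE_LINES = [
    "sockd[1234]: pass(1) tcp/connect 10.0.0.5.41231 -> smarthost.company.com.25",
    "sockd[1234]: block(1) tcp/connect 10.0.0.5.41232 -> "
    "host.team.division.company.com.18050: invalid address: 0.0.0.0.18050",
    "sockd[1234]: pass(1) tcp/connect 10.0.0.5.41233 -> "
    "company.com.443: Connection reset by peer",
]

# Only a ".digits" run that ends a token (followed by ':', whitespace or end
# of line) is a port; the lookahead leaves the inner octets of an IPv4 alone.
PORT_RE = re.compile(r"\.(\d+)(?=[:\s]|$)")

# Field layout after normalization: host:port pairs are now ':'-delimited,
# and anything after the destination port is an optional free-text detail.
LINE_RE = re.compile(
    r"^sockd\[(?P<pid>\d+)\]: (?P<action>\S+) (?P<phase>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<srcport>\d+) -> "
    r"(?P<dst>[^:\s]+):(?P<dstport>\d+)"
    r"(?::\s(?P<detail>.*))?$"
)


def normalize_ports(line: str) -> str:
    """Rewrite 'host.PORT' and 'a.b.c.d.PORT' into 'host:PORT' via backreference."""
    return PORT_RE.sub(r":\1", line)


def parse_sockd(line: str):
    """Split a sockd line into named fields, or return None if it does not fit."""
    m = LINE_RE.match(normalize_ports(line))
    return m.groupdict() if m else None


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_sockd(raw))
```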