[syslog-ng] MongoDB destination driver
Gergely Nagy
algernon at balabit.hu
Mon Jan 3 22:02:48 CET 2011
> The patch looks good on first read, but I'll have a closer look tonight,
> and run a quick benchmark as well, if all goes well.
The patch looked fine on the second read too, and I integrated it, with
a few changes:
Instead of using a flag, I introduced a patterndb_key("foo") setting,
which, if turned on, will put the patterndb results under the specified
key, as a sub-document. If not specified, it will do nothing extra.
In my opinion, this solution is clearer, and results in a better
structured log entry.
Usage is like this:
  destination d_mongo {
    mongodb(
      patterndb_key("patterndb")
    );
  };
The resulting log entry in mongodb looks something like this:
  > db.logs.find()
  { "_id" : ObjectId("4d2235525edd07af78f648f9"), "date" : "2011-01-03 21:45:06", "facility" : "auth",
    "level" : "info", "host" : "localhost", "program" : "sshd", "pid" : "12674",
    "message" : "Accepted publickey for algernon from ::1 port 59690 ssh2",
    "patterndb" : {
      ".classifier.class" : "system",
      ".classifier.rule_id" : "4dd5a329-da83-4876-a431-ddcb59c2858c",
      "usracct.authmethod" : "publickey for algernon from ::1 port 59690 ssh2",
      "usracct.username" : "algernon from ::1 port 59690 ssh2",
      "usracct.device" : "::1 port 59690 ssh2",
      "usracct.service" : "ssh2",
      "usracct.type" : "login",
      "usracct.sessionid" : "12674",
      "usracct.application" : "sshd",
      "secevt.verdict" : "ACCEPT"
    }
  }
  { "_id" : ObjectId("4d2235525edd07af78f648fa"), "date" : "2011-01-03 21:45:06", "facility" : "authpriv",
    "level" : "info", "host" : "localhost", "program" : "sshd", "pid" : "12674",
    "message" : "pam_unix(sshd:session): session opened for user algernon by (uid=0)",
    "patterndb" : { ".classifier.class" : "unknown" }
  }
As you can see, the second log entry is not recognised by patterndb,
thus only an unknown classifier.class is logged, and nothing else.
It also highlights a few problems in the patterndb I used for sshd,
namely that it doesn't like ipv6 all that much.
The changes are now pushed to my repository. I'll do a couple of
benchmarks later tonight.
--
|8]
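Added illustration, not part of the post and not syslog-ng code: a small Python model of what the patterndb_key() setting does to the stored document (nest the patterndb name-value pairs under the configured key, or store nothing extra when the key is unset), plus a consumer-side sanity check for the IPv6 mis-parse visible in the first entry, where "usracct.username" swallowed the rest of the line. The field names and sample values are taken from the post; the shape rules in EXPECTED_SHAPES and the function names are assumptions made for the example.

```python
import json
import re

# Constructed sample: the syslog fields and the patterndb results for the
# first sshd message from the post (values copied from the post's output).
SYSLOG_FIELDS = {
    "date": "2011-01-03 21:45:06",
    "facility": "auth",
    "level": "info",
    "host": "localhost",
    "program": "sshd",
    "pid": "12674",
    "message": "Accepted publickey for algernon from ::1 port 59690 ssh2",
}

PATTERNDB_PAIRS = {
    ".classifier.class": "system",
    ".classifier.rule_id": "4dd5a329-da83-4876-a431-ddcb59c2858c",
    "usracct.authmethod": "publickey for algernon from ::1 port 59690 ssh2",
    "usracct.username": "algernon from ::1 port 59690 ssh2",
    "usracct.device": "::1 port 59690 ssh2",
    "usracct.service": "ssh2",
    "usracct.type": "login",
    "usracct.sessionid": "12674",
    "usracct.application": "sshd",
    "secevt.verdict": "ACCEPT",
}

# What patterndb emits when no rule matched (second entry in the post).
UNMATCHED_PAIRS = {".classifier.class": "unknown"}


def build_document(fields, patterndb_pairs, patterndb_key=None):
    """Assemble the MongoDB document the way the post describes:
    plain syslog fields at the top level, and, only if patterndb_key is
    configured, the patterndb pairs as a sub-document under that key."""
    doc = dict(fields)
    if patterndb_key is not None:
        doc[patterndb_key] = dict(patterndb_pairs)
    return doc


def is_classified(doc, patterndb_key="patterndb"):
    """True when patterndb matched a rule, i.e. the class is not 'unknown'."""
    cls = doc.get(patterndb_key, {}).get(".classifier.class")
    return cls is not None and cls != "unknown"


# Assumed shape rules (not from the post) for fields that should be a
# single token; a value with spaces in it means the pattern over-matched.
EXPECTED_SHAPES = {
    "usracct.username": re.compile(r"^[a-z_][a-z0-9_-]*$"),
    "usracct.authmethod": re.compile(r"^[a-z]+$"),
    "usracct.device": re.compile(r"^\S+$"),
}


def field_anomalies(doc, patterndb_key="patterndb"):
    """Return the sorted list of patterndb fields whose value does not fit
    its expected shape; on the post's first entry this catches the fields
    polluted by the unanchored IPv6 match ('::1 port 59690 ssh2')."""
    sub = doc.get(patterndb_key, {})
    return sorted(
        name for name, shape in EXPECTED_SHAPES.items()
        if name in sub and not shape.match(sub[name])
    )


if __name__ == "__main__":
    with_key = build_document(SYSLOG_FIELDS, PATTERNDB_PAIRS, "patterndb")
    without_key = build_document(SYSLOG_FIELDS, PATTERNDB_PAIRS)
    print(json.dumps(with_key, indent=2))
    print("patterndb sub-document stored:", "patterndb" in without_key)
    print("classified:", is_classified(with_key))
    print("suspicious fields:", field_anomalies(with_key))
    unmatched = build_document(SYSLOG_FIELDS, UNMATCHED_PAIRS, "patterndb")
    print("classified (unmatched):", is_classified(unmatched))
```

The anomaly check is the part worth keeping around: a field such as usracct.username that is later used for correlation or alerting is only as trustworthy as the pattern that filled it, so a cheap shape check on ingest (or a query for values containing whitespace) surfaces broken patterns before they feed reports.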