[syslog-ng] MongoDB destination driver
Gergely Nagy
algernon at balabit.hu
Mon Jan 3 22:28:59 CET 2011
On Mon, 2011-01-03 at 15:14 -0600, Martin Holste wrote:
> Great idea to have a dedicated, user-configurable sub-key. One
> suggestion: I think that key names cannot contain dots in Mongo.
They can. Database names can't contain dots, but collection and key
names can contain pretty much anything.
The example I posted earlier was taken from my mongodb directly, I only
changed the formatting - so yeah, it does allow dots, however surprising
that may be :)
> They don't really make sense because this:
>
> "patterndb" : {
>     ".classifier.class" : "system",
>     ".classifier.rule_id" : "4dd5a329-da83-4876-a431-ddcb59c2858c",
>     "usracct.authmethod" : "publickey for algernon from ::1 port 59690 ssh2",
>     "usracct.username" : "algernon from ::1 port 59690 ssh2",
>     "usracct.device" : "::1 port 59690 ssh2",
>     "usracct.service" : "ssh2",
>     "usracct.type" : "login",
>     "usracct.sessionid" : "12674",
>     "usracct.application" : "sshd",
>     "secevt.verdict" : "ACCEPT"
> }
>
> should really look like this:
>
> "patterndb" : {
>     "classifier" : {
>         "class" : "system",
>         "rule_id" : "4dd5a329-da83-4876-a431-ddcb59c2858c"
>     },
>     "usracct" : {
>         "authmethod" : "publickey for algernon from ::1 port 59690 ssh2",
>         "username" : "algernon from ::1 port 59690 ssh2",
>         "device" : "::1 port 59690 ssh2",
>         "service" : "ssh2",
>         "type" : "login",
>         "sessionid" : "12674",
>         "application" : "sshd"
>     },
>     "secevt" : {
>         "verdict" : "ACCEPT"
>     }
> }
>
I agree, that would be awesome to have, and I might just go ahead and
implement it, but only as a togglable option (since it requires
additional processing).
> I recognize, however, that this is not a trivial conversion. As a
> start, just doing a simple substitution of "." for "_" on keys would
> probably work just fine.
No need to, dots are fine with mongo.
--
|8]
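
The flat-to-nested conversion discussed in this thread, as an added example that is not part of the original message and is not syslog-ng code. The names `nest_dotted` and `KeyConflict` are hypothetical, and values are assumed to be plain strings, as in the quoted documents. It shows the two cases that make the conversion non-trivial: the leading dot in `.classifier.class`, and a name that is both a value and a prefix of other names.

```python
class KeyConflict(ValueError):
    """A name is used both as a leaf value and as a prefix of other names."""


def nest_dotted(flat, sep="."):
    """Fold flat {"a.b.c": value} pairs into nested dicts.

    Empty path components are dropped, so the leading dot in
    ".classifier.class" does not produce an empty-string key.
    Assumes values are scalars (strings), not dicts.
    """
    root = {}
    for name, value in flat.items():
        parts = [p for p in name.split(sep) if p]
        if not parts:
            raise KeyConflict(f"name {name!r} has no usable components")
        node = root
        for part in parts[:-1]:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                # e.g. "usracct" = "x" was stored before "usracct.type"
                raise KeyConflict(f"{part!r} in {name!r} is already a leaf value")
            node = child
        leaf = parts[-1]
        if leaf in node:
            # e.g. "usracct.type" was stored before "usracct", or
            # ".a.b" and "a.b" normalise to the same path
            raise KeyConflict(f"{name!r} collides with an existing entry")
        node[leaf] = value
    return root


# Constructed sample, a subset of the flat layout quoted in the message.
SAMPLE = {
    ".classifier.class": "system",
    ".classifier.rule_id": "4dd5a329-da83-4876-a431-ddcb59c2858c",
    "usracct.service": "ssh2",
    "usracct.type": "login",
    "secevt.verdict": "ACCEPT",
}

if __name__ == "__main__":
    import json
    print(json.dumps({"patterndb": nest_dotted(SAMPLE)}, indent=2))
```

Rejecting conflicting names instead of silently overwriting keeps one parsed field from replacing another in the stored log record.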