[syslog-ng] Parsing Question
Brandon Phelps
bphelps at gls.com
Fri Jul 29 16:44:26 CEST 2011
Hello All,
Could anyone explain how I would parse a message that looks like this:
Jul 29 08:58:38 192.168.1.1 id=firewall sn=0017C5158708 time="2011-07-29
08:58:38" fw=100.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=0
src=192.168.2.100:123:X0 dst=74.1.2.3:X1 proto=udp/ntp
I am logging to mysql and would like to extract the 'src' and 'dst'
fields from the above message so that I can insert them into indexed
fields in my database. Currently my destination looks like this:
destination d_mysql {
    sql(
        type(mysql)
        host("localhost")
        username("myusername")
        password("mypassword")
        database("syslog")
        table("logs")
        columns("host", "facility", "priority", "level", "tag",
                "datetime", "program", "msg")
        values("$HOST_FROM", "$FACILITY", "$PRIORITY",
               "$LEVEL", "$TAG", "$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC", "$PROGRAM", "$MSG")
        indexes("host", "facility", "priority", "datetime",
                "program")
    );
};
This table (logs) also has source_ip and destination_ip fields which are
currently unused since I don't know how to extract that from the
message. For the above example, I would want those fields to contain
'192.168.2.100' and '74.1.2.3' respectively.
Is my only option in this case to write a perl script or something that
watches a named pipe and have syslog-ng log to the named pipe instead,
while my perl script does the actual parsing? Or can I do what I want
with syslog-ng alone?
Any help would be greatly appreciated.
Thanks,
Brandon
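One way to do this with syslog-ng alone, as an added example that is not part of the original post: split the key=value pairs with kv-parser, strip the ":port:interface" suffix with a rewrite, and add the two columns to the existing sql() destination. It assumes syslog-ng 3.7 or later (kv-parser did not exist in 2011), that the "id=... src=... dst=..." text lands in $MSG, and the names s_net, .kv.*, source_ip and destination_ip are mine.

```conf
@version: 3.7

# Assumed network source; substitute the one actually receiving the firewall logs.
source s_net { udp(port(514)); };

# One name-value pair per key, e.g. ${.kv.src} = "192.168.2.100:123:X0".
# Quoted values such as time="2011-07-29 08:58:38" are kept whole.
parser p_kv { kv-parser(prefix(".kv.")); };

# Keep only the address: "192.168.2.100:123:X0" -> "192.168.2.100",
# "74.1.2.3:X1" -> "74.1.2.3". Works whether or not a port is present.
rewrite r_ips {
    set("${.kv.src}", value("source_ip"));
    subst(":.*$", "", value("source_ip"));
    set("${.kv.dst}", value("destination_ip"));
    subst(":.*$", "", value("destination_ip"));
};

destination d_mysql {
    sql(
        type(mysql)
        host("localhost")
        username("myusername")
        password("mypassword")
        database("syslog")
        table("logs")
        columns("host", "facility", "priority", "level", "tag",
                "datetime", "program", "msg",
                "source_ip", "destination_ip")
        values("$HOST_FROM", "$FACILITY", "$PRIORITY",
               "$LEVEL", "$TAG", "$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC", "$PROGRAM", "$MSG",
               "${source_ip}", "${destination_ip}")
        indexes("host", "facility", "priority", "datetime",
                "program", "source_ip", "destination_ip")
    );
};

# Parser and rewrite must run before the destination in the same log path.
log { source(s_net); parser(p_kv); rewrite(r_ips); destination(d_mysql); };
```

Messages without a src= or dst= pair simply get empty strings in those columns, so they are still inserted rather than dropped.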