[syslog-ng] Parsing Question

Brandon Phelps bphelps at gls.com
Fri Jul 29 16:44:26 CEST 2011


Hello All,

Could anyone explain how I would parse a message that looks like this:
Jul 29 08:58:38 192.168.1.1 id=firewall sn=0017C5158708 time="2011-07-29 
08:58:38" fw=100.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=0 
src=192.168.2.100:123:X0 dst=74.1.2.3:X1 proto=udp/ntp

I am logging to mysql and would like to extract the 'src' and 'dst' 
fields from the above message so that I can insert them into indexed 
fields in my database.  Currently my destination looks like this:

destination d_mysql {
    sql(
        type(mysql)
        host("localhost")
        username("myusername")
        password("mypassword")
        database("syslog")
        table("logs")
        columns("host", "facility", "priority", "level", "tag", "datetime", "program", "msg")
        values("$HOST_FROM", "$FACILITY", "$PRIORITY", "$LEVEL", "$TAG", "$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC", "$PROGRAM", "$MSG")
        indexes("host", "facility", "priority", "datetime", "program")
    );
};

This table (logs) also has source_ip and destination_ip fields which are 
currently unused since I don't know how to extract that from the 
message.  For the above example, I would want those fields to contain 
'192.168.2.100' and '74.1.2.3' respectively.

Is my only option in this case to write a perl script or something that 
watches a named pipe and have syslog-ng log to the named pipe instead, 
while my perl script does the actual parsing?  Or can I do what I want 
with syslog-ng alone?

Any help would be greatly appreciated.

Thanks,
Brandon
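The extraction step such a named-pipe script would need for this message, as an added example that is not part of the post (newer syslog-ng releases also ship a kv-parser for key=value logs). It assumes IPv4 endpoints in the SonicWall form shown here: src as ip:port:iface, dst as ip:iface.

```python
import re
from ipaddress import ip_address

# Constructed sample: the firewall line from the post, as syslog-ng would
# hand it to a named-pipe reader, one record per line.
SAMPLE = ('Jul 29 08:58:38 192.168.1.1 id=firewall sn=0017C5158708 '
          'time="2011-07-29 08:58:38" fw=100.1.1.1 pri=6 c=262144 m=98 '
          'msg="Connection Opened" n=0 src=192.168.2.100:123:X0 '
          'dst=74.1.2.3:X1 proto=udp/ntp')

# key=value pairs: the value is either double-quoted (may contain spaces,
# e.g. time="2011-07-29 08:58:38") or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Return the key=value pairs of a firewall line as a dict."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def split_endpoint(value):
    """Split 'ip[:port][:iface]' into (ip, port, iface).

    src carries ip:port:iface while dst carries ip:iface, so the field
    after the address is taken as a port only when it is numeric.
    IPv4 only: an IPv6 literal would itself contain colons.
    """
    parts = value.split(':')
    ip = parts[0]
    ip_address(ip)                      # raises ValueError on a bad address
    rest = parts[1:]
    port = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    iface = rest[0] if rest else None
    return ip, port, iface


def extract_endpoints(line):
    """Return (source_ip, destination_ip) for the source_ip/destination_ip
    columns, or None when the line is not a firewall connection record."""
    kv = parse_kv(line)
    if 'src' not in kv or 'dst' not in kv:
        return None
    src_ip, _, _ = split_endpoint(kv['src'])
    dst_ip, _, _ = split_endpoint(kv['dst'])
    return src_ip, dst_ip
```

Lines without src/dst (any other program logging through the same pipe) yield None, so the script can still insert them with the two columns left NULL.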

