[syslog-ng] help with SDATA
Gergely Nagy
algernon at balabit.hu
Fri Feb 10 14:11:48 CET 2012
Chris Johnson <masterof0 at gmail.com> writes:
> Based on the following structured syslog, I am trying to extract the reason from the SDATA portion of the log.
>
> 2012-02-05T16:24:45.368 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="unset" ]
>
> The problem I think I am running into is that the value-pair I am trying to extract includes dots, so the parser thinks it's nested information.
>
> destination d_mongodb {
>     mongodb(
>         value-pairs(
>             scope("everything")
>             key(".SDATA.junos@2636.1.1.1.2.36.reason")
>         )
>     );
> };
>
>
> Thoughts? Any help is greatly appreciated.
I just tried this with syslog-ng 3.4, without the key() (because
scope("everything") already includes the key), and the reason ended up
like this:
    > db.messages.find({}, {_SDATA: 1, _id: 0})
    { "_SDATA" : { "junos@2636" : { "1" : { "1" : { "1" : { "2" : { "36" : { "reason" : "unset" } } } } } } } }
This does look awkward, indeed. If you just want the reason, with a
better key name, then the best you can do at the moment is to use
something like the following:
    value-pairs (
        pair("SDATA.junos@2636-1-1-1-2-36.reason",
             "${.SDATA.junos@2636.1.1.1.2.36.reason}")
        scope("base")
    );
The same should work in 3.3, too. If it doesn't, then I screwed
something up terribly.
Nevertheless, an easy way to replace recurring patterns in a value-pair
key name would be neat, and would fit into the key rewrite feature
already in 3.4... I'll think about this a little more.
--
|8]
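To make the nesting problem discussed above concrete, here is an added example (my own illustration, not syslog-ng's code and not from either poster) that parses the RFC 5424 structured-data element from a constructed copy of the sample line, names each parameter the way the `${.SDATA.<sd-id>.<param>}` macro does, and then models what a destination that splits keys on `.` produces: first with the unmodified key, which reproduces the awkward `_SDATA` document, and then with the dots inside the SD-ID rewritten to `-`, which is what the `pair()` workaround achieves. The regexes are a simplified RFC 5424 parser, and the mapping of a leading `.` to `_` is an assumption read off the `db.messages.find()` output in the reply.

```python
import re

# Constructed sample line, modelled on the message quoted in the thread
# (not a real capture from a Juniper device).
SAMPLE = ('2012-02-05T16:24:45.368 RT_FLOW - RT_FLOW_SESSION_CLOSE '
          '[junos@2636.1.1.1.2.36 reason="unset" ]')

# RFC 5424 SD-ELEMENT: "[" SD-ID *(SP SD-PARAM) "]", SD-PARAM is NAME="VALUE";
# inside VALUE the characters '"', '\' and ']' are escaped with a backslash.
SD_ELEMENT = re.compile(r'\[(?P<sdid>[^\s\]"=]+)(?P<params>(?:[^\]\\]|\\.)*)\]')
SD_PARAM = re.compile(r'(?P<name>[^\s="\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def unescape(value):
    """Undo the three RFC 5424 PARAM-VALUE escapes."""
    return value.replace('\\"', '"').replace('\\]', ']').replace('\\\\', '\\')


def parse_sdata(message):
    """Return a list of (sd_id, param_name, param_value) for every SD-ELEMENT.

    Hypothetical re-implementation for illustration, not syslog-ng's parser.
    """
    found = []
    for elem in SD_ELEMENT.finditer(message):
        for param in SD_PARAM.finditer(elem.group('params')):
            found.append((elem.group('sdid'), param.group('name'),
                          unescape(param.group('value'))))
    return found


def macro_pairs(triples):
    """Name each value the way the ${.SDATA.<sd-id>.<param>} macro does."""
    return {'.SDATA.%s.%s' % (sdid, name): value for sdid, name, value in triples}


def rewritten_pairs(triples, replacement='-'):
    """Equivalent of the pair() workaround in the reply: dots inside the SD-ID
    are replaced, so only the SD-ID/param boundary remains as a nesting point."""
    return {'SDATA.%s.%s' % (sdid.replace('.', replacement), name): value
            for sdid, name, value in triples}


def nest_by_dots(pairs):
    """Model the destination's key handling: every '.' in a key opens a
    sub-document. Mapping a leading '.' to '_' is an assumption taken from the
    db.messages.find() output in the reply ('.SDATA' shows up as '_SDATA')."""
    doc = {}
    for key, value in pairs.items():
        if key.startswith('.'):
            key = '_' + key[1:]
        node = doc
        parts = key.split('.')
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return doc


def awkward_document(message):
    """What scope("everything") with the unmodified key turns into."""
    return nest_by_dots(macro_pairs(parse_sdata(message)))


def clean_document(message):
    """What the pair() rewrite turns into."""
    return nest_by_dots(rewritten_pairs(parse_sdata(message)))


if __name__ == '__main__':
    import json
    print(json.dumps(awkward_document(SAMPLE), indent=1))
    print(json.dumps(clean_document(SAMPLE), indent=1))
```

Note that a PARAM-NAME may itself contain dots under RFC 5424, so a key rewrite that only knows the flat macro name cannot tell the SD-ID/param boundary apart; the example keeps the SD-ID and parameter name separate from the parser onward so the rewrite only touches the SD-ID.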