[syslog-ng] challenges with SDATA
Chris Johnson
masterof0 at gmail.com
Sat Oct 6 05:54:56 CEST 2012
I have successfully written parsers for unstructured logs, but would like to be able to leverage SDATA. Based on what I have researched so far, I have built the following skeleton conf file for writing to mongodb:
#####Filter#####
filter f_session_close {
    message("RT_FLOW_SESSION_CLOSE");
};

#####Destinations#####
destination d_mongodb_close {
    mongodb(
        collection("close")
        value-pairs(
            scope(rfc5424 sdata)
        )
    );
};

#####Log#####
log {
    source(s_network);
    filter(f_session_close);
    destination(d_mongodb_close);
};
With this in mind, I get the following logs with only the rfc5424 scope:
"DATE" : "Oct 5 20:40:21",
"FACILITY" : "user",
"HOST" : "192.168.199.2",
"MESSAGE" : "2012-10-05T20:40:20.444 SRX100 RT_FLOW - RT_FLOW_SESSION_CREATE [junos at 2636.1.1.1.2.36 source-address=\"192.168.199.207\" source-port=\"55625\" destination-address=\"130.57.4.24\" destination-port=\"80\" service-name=\"junos-http\" nat-source-address=\"50.193.12.149\" nat-source-port=\"28178\" nat-destination-address=\"130.57.4.24\" nat-destination-port=\"80\" src-nat-rule-name=\"source-nat-rule\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"trust-to-untrust\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"61189\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"vlan.0\"]",
"PRIORITY" : "info",
"PROGRAM" : "1",
"_id" : ObjectId("506fa825817f52de65000001")
When using the SDATA scope, I only get an object id. None of the structured data is ever parsed.
Is there something special I need to do to parse the structured portion of the message?
Chris
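An added example, not part of Chris's post or of syslog-ng itself: a small RFC 5424 parser that turns the structured-data part of the Juniper message above into the .SDATA.<sd-id>.<param> names syslog-ng's sdata scope produces, and that returns None for a line which no longer carries the <PRI>VERSION header. It assumes the SD-ID is junos@2636.1.1.1.2.36 (the list archive shows the "@" as " at "), and that a stored MESSAGE starting at the timestamp, together with PROGRAM being "1", means the source parsed the line as legacy BSD syslog rather than as RFC 5424.

```python
import re

# Constructed sample: the post's message reassembled with the "<PRI>1" prefix
# (PRI 14 made up); the SD-ID is assumed to be junos@2636.1.1.1.2.36.
SAMPLE = (
    '<14>1 2012-10-05T20:40:20.444 SRX100 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="192.168.199.207" source-port="55625" '
    'destination-address="130.57.4.24" destination-port="80" protocol-id="6" '
    'policy-name="trust-to-untrust" packet-incoming-interface="vlan.0"]'
)
# RFC 5424 HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER = re.compile(
    r'^<(?P<PRI>\d{1,3})>(?P<VERSION>\d+) (?P<TIMESTAMP>\S+) (?P<HOST>\S+) '
    r'(?P<PROGRAM>\S+) (?P<PID>\S+) (?P<MSGID>\S+) '
)
# SD-PARAM name="value"; the value may carry the escapes \" \\ \] (RFC 5424 6.3.3)
PARAM = re.compile(r'(?P<name>[^=\s"\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def split_sd_elements(text):
    """Yield the body of each [...] SD-ELEMENT; a '-' NILVALUE yields nothing."""
    i = 0
    while i < len(text) and text[i] == '[':
        j, in_quote = i + 1, False
        while j < len(text):
            c = text[j]
            if in_quote and c == '\\':      # step over an escaped character
                j += 1
            elif c == '"':
                in_quote = not in_quote
            elif c == ']' and not in_quote:
                break
            j += 1
        yield text[i + 1:j]
        i = j + 1


def parse_rfc5424(line):
    """Header fields plus .SDATA.<sd-id>.<param> keys (syslog-ng's sdata names);
    None when the <PRI>VERSION header is absent, e.g. after a BSD-style parse."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for element in split_sd_elements(line[m.end():]):
        sd_id, _, params = element.partition(' ')
        for p in PARAM.finditer(params):
            value = re.sub(r'\\(["\\\]])', r'\1', p.group('value'))
            fields['.SDATA.%s.%s' % (sd_id, p.group('name'))] = value
    return fields
```

Running parse_rfc5424 on the MESSAGE value exactly as it appears in the mongodb document (no "<PRI>1" in front) returns None, which is consistent with the structured data never being split out.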