[syslog-ng] challenges with SDATA

Balazs Scheidler bazsi77 at gmail.com
Tue Oct 9 08:41:14 CEST 2012


hi,

It seems you are receiving those messages with the no-parse flag, or via something like the udp() source driver.

You need to use the syslog() source driver to tell syslog-ng to expect the RFC 5424 format and parse it properly.

----- Original message -----
> I have successfully written parsers for unstructured logs, but would
> like to be able to leverage SDATA. Based on what I have researched so
> far, I have built the following skeleton conf file for writing to mongodb.
> 
> #####Filter#####
> filter f_session_close {message("RT_FLOW_SESSION_CLOSE");};
> 
> #####Destinations#####
> 
> destination d_mongodb_close {
>     mongodb(
>         collection("close")
>         value-pairs(
>             scope(rfc5424 sdata)
>         )
>     );
> };
> 
> #####Log#####
> log {
>     source(s_network);
>     filter(f_session_close);
>     destination(d_mongodb_close);
> };
> 
> With this in mind, I get the following logs with only the rfc5424 scope:
> 
>     "DATE" : "Oct   5 20:40:21",
>     "FACILITY" : "user",
>     "HOST" : "192.168.199.2",
>     "MESSAGE" : "2012-10-05T20:40:20.444 SRX100 RT_FLOW -
> RT_FLOW_SESSION_CREATE [junos at 2636.1.1.1.2.36
> source-address=\"192.168.199.207\" source-port=\"55625\"
> destination-address=\"130.57.4.24\" destination-port=\"80\"
> service-name=\"junos-http\" nat-source-address=\"50.193.12.149\"
> nat-source-port=\"28178\" nat-destination-address=\"130.57.4.24\"
> nat-destination-port=\"80\" src-nat-rule-name=\"source-nat-rule\"
> dst-nat-rule-name=\"None\" protocol-id=\"6\"
> policy-name=\"trust-to-untrust\" source-zone-name=\"trust\"
> destination-zone-name=\"untrust\" session-id-32=\"61189\"
> username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"vlan.0\"]",
>     "PRIORITY" : "info",    "PROGRAM" : "1",    "_id" :
> ObjectId("506fa825817f52de65000001")
> 
> When using the SDATA scope, I only get an object id. None of the
> structured data is ever parsed.
> 
> Is there something special I need to do to parse the structured portion
> of the message?
> 
> Chris
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng FAQ:
> http://www.balabit.com/wiki/syslog-ng-faq
> 
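To make the difference between the two parsing paths concrete, here is an added example (written for this page, not code from Balazs, Chris or the syslog-ng project). It is a small RFC 5424 parser that splits a message into the fields syslog-ng's syslog() driver exposes, flattens the SD-ELEMENT into the `${.SDATA.<sd-id>.<param>}` names that `scope(sdata)` adds to `value-pairs()`, and, for contrast, shows what a BSD/RFC 3164-style parser makes of the same line. The sample message is constructed from the MESSAGE text quoted above (shortened), prefixed with a `<14>1` PRI/VERSION header that the SRX would have sent; the header is an assumption, not taken from the mail, but `<14>` is user.info, matching the FACILITY and PRIORITY in the quoted output. Note that the quoted output shows PROGRAM as "1", which is what you get when the RFC 5424 VERSION digit is read as a BSD program name; the `legacy_view()` function below reproduces that symptom in simplified form.

```python
"""RFC 5424 parsing vs. legacy BSD parsing of one Juniper SRX RT_FLOW message."""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: "local%d" % i for i in range(8)}}

# Constructed sample: the MESSAGE text from the quoted mail (shortened), with an
# assumed "<14>1" PRI/VERSION header in front of it (not taken from the page).
SAMPLE = (
    '<14>1 2012-10-05T20:40:20.444 SRX100 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="192.168.199.207" source-port="55625" '
    'destination-address="130.57.4.24" destination-port="80" '
    'service-name="junos-http" protocol-id="6" policy-name="trust-to-untrust"]'
)

_HEADER = re.compile(r"^<(\d{1,3})>(\d) ")


def _strip_one_space(text):
    # RFC 5424 separates STRUCTURED-DATA and MSG with exactly one SP.
    return text[1:] if text.startswith(" ") else text


def parse_sdata(text):
    """Parse STRUCTURED-DATA at the start of text.

    Returns ({sd_id: {param: value}}, remaining MSG) and honours the three
    RFC 5424 escapes allowed inside PARAM-VALUE: \\" \\] and \\\\ .
    """
    if text.startswith("-"):                      # NILVALUE: no structured data
        return {}, _strip_one_space(text[1:])
    elements, pos = {}, 0
    while pos < len(text) and text[pos] == "[":
        end = pos + 1
        while end < len(text) and text[end] not in " ]":
            end += 1
        sd_id, params, pos = text[pos + 1:end], {}, end
        while pos < len(text) and text[pos] == " ":   # one SD-PARAM per iteration
            eq = text.index("=", pos)
            name = text[pos + 1:eq]
            if eq + 1 >= len(text) or text[eq + 1] != '"':
                raise ValueError("PARAM-VALUE must be quoted: %r" % name)
            pos, buf = eq + 2, []
            while True:
                if pos >= len(text):
                    raise ValueError("unterminated PARAM-VALUE for %r" % name)
                ch = text[pos]
                if ch == "\\" and pos + 1 < len(text) and text[pos + 1] in '"\\]':
                    buf.append(text[pos + 1])
                    pos += 2
                elif ch == '"':
                    pos += 1
                    break
                else:
                    buf.append(ch)
                    pos += 1
            params[name] = "".join(buf)
        if pos >= len(text) or text[pos] != "]":
            raise ValueError("SD-ELEMENT not closed for %r" % sd_id)
        pos += 1
        elements[sd_id] = params
    return elements, _strip_one_space(text[pos:])


def parse_rfc5424(line):
    """Split an RFC 5424 message into the fields the syslog() driver exposes."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("no <PRI>VERSION header; not an RFC 5424 message")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    fields = line[m.end():].split(" ", 5)        # TIMESTAMP HOSTNAME APP PROCID MSGID SD...
    if len(fields) < 6:
        raise ValueError("truncated HEADER")
    ts, host, app, procid, msgid, rest = fields
    sdata, msg = parse_sdata(rest)
    return {"FACILITY": FACILITIES.get(pri >> 3, str(pri >> 3)),
            "PRIORITY": SEVERITIES[pri & 7],
            "ISODATE": ts, "HOST": host, "PROGRAM": app,
            "PID": "" if procid == "-" else procid,
            "MSGID": "" if msgid == "-" else msgid,
            "MESSAGE": msg, "SDATA": sdata}


def sdata_macros(parsed):
    """Flatten SDATA into syslog-ng's ${.SDATA.<sd-id>.<param>} names."""
    return {".SDATA.%s.%s" % (sd_id, k): v
            for sd_id, params in parsed["SDATA"].items() for k, v in params.items()}


def legacy_view(line):
    """Simplified model of a BSD-style parser: after <PRI> the first token becomes
    PROGRAM, so the RFC 5424 VERSION digit appears as PROGRAM "1" and the
    SD-ELEMENT stays inside MESSAGE, which is the symptom in the quoted output."""
    m = re.match(r"^<(\d{1,3})>", line)
    body = line[m.end():] if m else line
    program, _, message = body.partition(" ")
    return {"PROGRAM": program, "MESSAGE": message}


if __name__ == "__main__":
    parsed = parse_rfc5424(SAMPLE)
    for key, value in sorted(sdata_macros(parsed).items()):
        print("%s = %s" % (key, value))
    print("legacy PROGRAM:", legacy_view(SAMPLE)["PROGRAM"])
```

Running it prints the seven `.SDATA.junos@2636.1.1.1.2.36.*` names that a `scope(sdata)` value-pairs() would emit once the source is switched to syslog(), and `legacy PROGRAM: 1` for the BSD-style view, the same PROGRAM value seen in the mongodb document above.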
