[syslog-ng] RFC: syslog-parser
Balazs Scheidler
bazsi at balabit.hu
Wed Oct 24 21:05:50 CEST 2012
Hi,
I've figured it is not nice from me that I keep pushing stuff to
"master" without getting proper review from the list. So here's a
attempt to change that.
I've just pushed an experimental patch to the "syslog-parser" branch on
github that allows the syslog parsing functionality to be used as a
syslog-ng parser:
https://github.com/balabit/syslog-ng-3.4/tree/syslog-parser
Here's a short description on why this is useful (quoting the commit
message):
This patch creates a new parser, to explicitly parse messages as syslog
messages. This can be used to selectively parse these messages based on
some filters.
Imagine this use-case:
log {
source {
udp(port(2000) flags(no-parse));
};
parser {
log {
junction {
log {
filter { netmask("127.0.0.1/32"); };
parser { syslog-parser(); };
flags(final);
};
log {
filter { netmask("127.0.0.2/32"); };
parser { csv-parser(columns("C1", "C2", "C3")); };
flags(final);
};
};
};
};
destination {
file("/home/bazsi/logs/qqq" template("$(format-json --key *)\n"));
};
};
Messages from 127.0.0.1 will get parsed as syslog messages, while 127.0.0.2
as a csv-parser() style messages.
I'd welcome any kind of feedback, code or functionality wise. I still
have some stuff to fix in this, but after initial feedback I'm going to
merge it to master.
Thanks in advance.
--
Bazsi
More information about the syslog-ng
mailing list