[syslog-ng] Filtering binary data fields and catch all

Xuri Nagarin secsubs at gmail.com
Sat May 18 02:35:43 CEST 2013


Hi,

My log source sends data over syslog in CEF (Arcsight format).

I have a simple parser written in Syslog-NG that takes advantage of the CEF
format (that is, all messages consist of eight fields separated by a pipe character).
-----------xxxxxxxxxxxxxxxxx-------------------

# Split the CEF header into its eight pipe-separated fields; messages that
# do not yield exactly eight columns are dropped from this log path.
parser p_cef {
    csv-parser(columns("cef.ff","cef.vendor","cef.product","cef.c4","cef.c5","cef.c6","cef.c7","cef.c8")
               delimiters("|")
               flags(drop-invalid));
};

# Vendor and product names from the message are used directly as path components.
destination d_file {
    file("/var/log/net/${cef.vendor}/${cef.product}/logfile");
};

log { source(s_tcp); parser(p_cef); destination(d_file); };
-----------xxxxxxxxxxxxxxxxx-------------------

Some events coming in contain binary data that get translated into control
characters and create thousands of directories with garbage in the names.

How do I handle binary data in the message? Should I use the sanitize
function in the destination/file definition or is there a better way to do
it?

Also, how do I create a catch-all destination for all the messages that do
not match my parser?

Thanks!
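As an added example (not the poster's configuration or an answer from the list), one way to keep untrusted field values from naming directories and to route everything else to a single catch-all file. It assumes a syslog-ng 3.x release that provides the $(sanitize) template function and flags(fallback); s_tcp and p_cef are the poster's names, while f_clean_names, d_cef_file and d_catchall are chosen here.

```conf
# Same parser as in the post: eight pipe-separated CEF header fields,
# drop-invalid discards messages that do not split into exactly eight columns.
parser p_cef {
    csv-parser(columns("cef.ff","cef.vendor","cef.product","cef.c4",
                       "cef.c5","cef.c6","cef.c7","cef.c8")
               delimiters("|")
               flags(drop-invalid));
};

# Only vendor/product values made of printable ASCII may name a directory;
# control characters and high-bit bytes are rejected here (hypothetical filter name).
filter f_clean_names {
    match("^[[:print:]]+$" value("cef.vendor") type(pcre))
    and match("^[[:print:]]+$" value("cef.product") type(pcre));
};

# $(sanitize) is the second layer: it strips control characters and replaces
# "/" with "_", so a field can never add path components of its own.
destination d_cef_file {
    file("/var/log/net/$(sanitize --replace-char _ ${cef.vendor})/$(sanitize --replace-char _ ${cef.product})/logfile"
         create-dirs(yes));
};

# Everything that is not well-formed CEF with clean names lands in one fixed
# file, so unparsed input can never create directories.
destination d_catchall {
    file("/var/log/net/unparsed.log");
};

log {
    source(s_tcp);
    parser(p_cef);
    filter(f_clean_names);
    destination(d_cef_file);
    flags(final);
};

# fallback: only messages that matched no earlier log path reach this one,
# i.e. those dropped by p_cef or rejected by f_clean_names.
log {
    source(s_tcp);
    destination(d_catchall);
    flags(fallback);
};
```

The filter is what makes binary-laden events visible: a growing unparsed.log is the signal that a source is emitting non-printable header fields, which the original setup silently turned into garbage directories.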