[syslog-ng] Sawmill and Syslog-NG template() string

Francesco Rolando ogekuri at gmail.com
Wed May 31 08:16:31 UTC 2017


Hi all,
I'm working with the Sawmill log collector, which is able to import
Syslog-NG logs.

I have to export logs with a specific template() to have them correctly
imported into Sawmill.

Here is the regular expression used to match syslog-ng lines inside the
Sawmill parser (which seems to be coded by "BalaBit IT Security"):
'^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])T([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[-+][0-9][0-9]:*[0-9][0-9] ([^ ]+) ([^ ]+) ([^ ]+) (.*)$'
where matches are imported as:
1- date
2- time
3- logging_device
4- syslog_message_type
5- syslog_priority
6- v.syslog_message

I have partially re-created the template() string but I still have a couple
of doubts:
template("${YEAR}-${MONTH}-${DAY}T${HOUR}:${MIN}:${SEC}+??:?? ${SOURCEIP} ${PROGRAM} ${PRIORITY} ${MSG}\n")

Does $PROGRAM make sense as "message type"?
And do you have any ideas for the question marks?

Any help is appreciated. Thank you.

-- 
Saluti,
Francesco.
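As an added illustration (not code from the post, from Sawmill or from syslog-ng): a Python check that renders a line the way the proposed template() would, with the unknown "??:??" filled by a numeric UTC offset, and verifies that Sawmill's regex accepts the line and assigns the six fields in the order listed above. Assumption: syslog-ng's $TZOFFSET macro produces the "+HH:MM" offset form that the regex expects; the macro values are constructed sample data.

```python
import re

# Sawmill's syslog-ng line pattern as quoted in the post (the wrapped line
# joined back into one expression; the offset is matched but not captured).
SAWMILL_RE = re.compile(
    r'^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])'
    r'T([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[-+][0-9][0-9]:*[0-9][0-9] '
    r'([^ ]+) ([^ ]+) ([^ ]+) (.*)$'
)
# Capture groups in the order Sawmill imports them.
FIELDS = ("date", "time", "logging_device", "syslog_message_type",
          "syslog_priority", "v.syslog_message")


def render_line(macros, tzoffset="+00:00"):
    """Build one output line the way the proposed template() would.

    `macros` maps syslog-ng macro names to values; `tzoffset` stands in for
    the '??:??' placeholder (assumption: the $TZOFFSET macro yields '+HH:MM').
    """
    return ("{YEAR}-{MONTH}-{DAY}T{HOUR}:{MIN}:{SEC}{tz} "
            "{SOURCEIP} {PROGRAM} {PRIORITY} {MSG}").format(tz=tzoffset, **macros)


def parse_sawmill(line):
    """Return the fields Sawmill would import, or None if the line is rejected."""
    m = SAWMILL_RE.match(line)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


# Constructed sample macro values (not real log data).
SAMPLE = {"YEAR": "2017", "MONTH": "05", "DAY": "31", "HOUR": "08",
          "MIN": "16", "SEC": "31", "SOURCEIP": "192.0.2.10",
          "PROGRAM": "sshd", "PRIORITY": "info",
          "MSG": "Accepted publickey for alice from 192.0.2.20"}

if __name__ == "__main__":
    print(parse_sawmill(render_line(SAMPLE, "+02:00")))
    # A literal '+??:??' in the template makes Sawmill reject the whole line.
    print(parse_sawmill(render_line(SAMPLE, "+??:??")))
```

Because the third, fourth and fifth groups are `[^ ]+`, any macro value containing a space (for example a $PROGRAM with a space in it) shifts every following field by one; the check above exposes that before the template goes into production.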