[syslog-ng] Sawmill and Syslog-NG template() string

Scheidler, Balázs balazs.scheidler at balabit.com
Wed May 31 11:57:06 UTC 2017


The timestamp is probably best formatted using $ISODATE.

On May 31, 2017 10:16 AM, "Francesco Rolando" <ogekuri at gmail.com> wrote:

> Hi all,
> I'm working with Sawmill log collector that it's able to import the
> Syslog-NG logs.
>
> I have to export logs with a specific template() to have them correctly
> imported into Sawmill.
>
> Here is the regular expression used to match syslog-ng lines inside the
> Sawmill parser (which seems to be coded by "BalaBit IT Security"):
> '^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])T([0-9][0-9]:[0-9][0-9]:[0-9][0-9])[-+][0-9][0-9]:*[0-9][0-9] ([^ ]+) ([^ ]+) ([^ ]+) (.*)$'
> where matches are imported as:
> 1- date
> 2- time
> 3- logging_device
> 4- syslog_message_type
> 5- syslog_priority
> 6- v.syslog_message
>
> I have partially re-created the template() string but I still have a couple
> of doubts:
> template("${YEAR}-${MONTH}-${DAY}T${HOUR}:${MIN}:${SEC}+??:?? ${SOURCEIP} ${PROGRAM} ${PRIORITY} ${MSG}\n")
>
> Does $PROGRAM make sense as "message type"?
> And do you have any ideas for the question marks?
>
> Any help is appreciated. Thank you.
>
> --
> Saluti,
> Francesco.
>
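To check a template before pointing Sawmill at the output, here is an added Python example (not from the thread or from either product) that runs the quoted Sawmill regex over constructed lines in the shape "$ISODATE $SOURCEIP $PROGRAM $PRIORITY $MSG", and also shows the one case the regex rejects: fractional seconds, which syslog-ng only emits when frac-digits() is set above its default of 0.

```python
import re

# The Sawmill regex quoted in the thread, with the line wrap removed.
SAWMILL_RE = re.compile(
    r'^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])'
    r'T([0-9][0-9]:[0-9][0-9]:[0-9][0-9])'
    r'[-+][0-9][0-9]:*[0-9][0-9] ([^ ]+) ([^ ]+) ([^ ]+) (.*)$'
)

# Field names in the order Sawmill assigns the six capture groups.
FIELDS = ("date", "time", "logging_device", "syslog_message_type",
          "syslog_priority", "v.syslog_message")


def parse_sawmill_line(line):
    """Return the six Sawmill fields as a dict, or None if Sawmill would skip the line."""
    m = SAWMILL_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


def classify(lines):
    """Split lines into parsed records and the raw lines the regex rejects."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse_sawmill_line(line)
        if rec is None:
            rejected.append(line)
        else:
            parsed.append(rec)
    return parsed, rejected


# Constructed sample lines; assumed template "$ISODATE $SOURCEIP $PROGRAM $PRIORITY $MSG\n".
SAMPLES = [
    "2017-05-31T10:16:00+02:00 10.0.0.5 sshd notice Accepted publickey for alice from 10.0.0.9 port 5022",
    "2017-05-31T10:16:01-00:00 10.0.0.5 cron info (root) CMD (run-parts /etc/cron.hourly)",
    # frac-digits(3) would produce this form; the regex has no place for ".123", so it is dropped.
    "2017-05-31T10:16:02.123+02:00 10.0.0.5 sshd notice this line is rejected",
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLES)
    for rec in ok:
        print(rec)
    for line in bad:
        print("REJECTED:", line)
```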
