[syslog-ng] in-list filter with MESSAGE

Gopi Joshi gkjoshi at gmail.com
Sun Oct 15 03:33:28 UTC 2017


Thanks Peter and Wernli.

I am trying to use the kv parser to extract the username from the MESSAGE template so
that I can use it for further comparison.

From the VPN logs below, I am trying to extract the values LOCAL\user1 and user1
(value-separator("(") pair-separator(")")).

Teardown TCP connection 51507415 for outside:2.2.2.2/60709(LOCAL\user1l) to inside:5,5,5,5/443 duration 0:00:06 bytes 0 Failover primary closed (user1)

I do not see it matching, and no value is being saved to $KEY1 to refer to the
match.

Below is the conf file.

@version: 3.12
@include "scl.conf"

source s_local {
        system();
        internal();
};

source s_network {  udp(port(514) flags(no-parse));
};

####  PARSER ###

parser p_kv { kv-parser(value-separator("(") pair-separator(")")
prefix("kv."));
};
##### VPN LOG ####

#filter f_users { in-list("/var/syslog-ng/user.list", value("${KEY1}")); };
# --- Not in use at present

filter f-syslog       { host("1.1.1.1"); };
destination log-vpntest { file("/var/log/vpn/vpntest.log" perm(0644)
template("$ISODATE $HOST ${kv.KEY1} $KEY1\n") ); };
log {
source(s_network);parser(p_kv);filter(f-syslog);destination(log-vpntest); };

#### VPN LOG ENDS ###

Regards
Gopi Joshi

On Wed, Oct 4, 2017 at 2:54 AM, Czanik, Péter <peter.czanik at balabit.com>
wrote:

> Here is an example for using the inlist filter together with the patterndb
> parser: https://czanik.blogs.balabit.com/2013/09/black-cat-white-cat/ In
> this case patterndb extracts IP addresses from log messages which are
> checked using the inlist filter.
>
> Bye,
>
> Peter Czanik (CzP) <peter.czanik at balabit.com>
> Balabit / syslog-ng upstream
> https://www.balabit.com/blog/author/peterczanik/
> https://twitter.com/PCzanik
>
> On Wed, Oct 4, 2017 at 8:14 AM, Fabien Wernli <wernli at in2p3.fr> wrote:
>
>> On Tue, Oct 03, 2017 at 04:10:39PM -0400, Gopi Joshi wrote:
>> > I am trying to filter messages matching text stored in a txt file (plain
>> > txt, exact match, one word each line), but it's not working.
>>
>> As Péter suggested, you should first extract the username from the MESSAGE,
>> for instance using one of the parsers (kv, csv, db, …), and then apply the
>> in-list filter to that extracted macro.
>>
>> Cheers
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>
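Added here as an illustration of the approach Fabien describes (extract the user first, then apply in-list() to the extracted macro); this is not configuration from the thread or from the syslog-ng project. It uses regexp-parser() instead of kv-parser(), since the teardown line carries the user in parentheses rather than as key=value pairs. The object names p_vpn_user, f_watched_users and d_vpn_watched, the sample message and the list path are assumptions.

```conf
@version: 3.12
@include "scl.conf"

# Constructed input, modelled on the ASA-style line quoted in the thread; with
# flags(no-parse) the whole datagram lands in $MESSAGE:
#   Teardown TCP connection 51507415 for outside:2.2.2.2/60709(LOCAL\user1)
#   to inside:5.5.5.5/443 duration 0:00:06 bytes 0 Failover primary closed (user1)
source s_network { udp(port(514) flags(no-parse)); };

filter f_vpn_host { host("1.1.1.1"); };

# regexp-parser() stores every PCRE named capture as a name-value pair under
# prefix(), so the two groups below become ${vpn.domain_user} and ${vpn.user}.
# Backslashes are doubled inside double-quoted syslog-ng strings. A message that
# does not match the pattern leaves the log path at this point.
parser p_vpn_user {
    regexp-parser(
        prefix("vpn.")
        patterns("/[0-9]+\\((?<domain_user>[^()]+)\\).*\\((?<user>[^()]+)\\)\\s*$")
    );
};

# in-list() does an exact, case-sensitive match of the whole macro value against
# the lines of the file (one user name per line), so compare the bare user name
# captured from the trailing "(user1)" and write the list in that form.
# value() takes the macro name, not "${...}".
filter f_watched_users { in-list("/var/syslog-ng/user.list", value("vpn.user")); };

destination d_vpn_watched {
    file("/var/log/vpn/vpn-watched.log" perm(0644)
         template("$ISODATE $HOST ${vpn.domain_user} ${vpn.user} $MESSAGE\n"));
};

# Order matters: the parser must run before the filter that reads its output.
log {
    source(s_network);
    filter(f_vpn_host);
    parser(p_vpn_user);
    filter(f_watched_users);
    destination(d_vpn_watched);
};
```

The list file is read when syslog-ng starts or is reloaded, so edits to it take effect only after a reload.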