[syslog-ng] grouping-by question

Газин Максим Алексеевич Maksim.Gazin at rt.ru
Tue Jun 11 15:03:02 UTC 2019


Hello,


I'm new to syslog-ng, and I'm having some trouble.

I want to use syslog-ng to aggregate similar events from our firewalls. I use the grouping-by parser to create an aggregated event, but I have a question: how do I get only the aggregated events on the output, without the source ones?



My configuration:



parser p_patterndb {
        db-parser(file("/etc/syslog-ng/conf.d/forti.xml"));
};

log {
        source {
                file("/tmp/in.log" flags(no-parse));
        };
        parser {
                # split the FortiGate key=value payload into forti.* name-value pairs
                kv-parser(prefix("forti."));
                # correlate lines sharing device, source, destination and port
                grouping-by(
                        key("${forti.devname}${forti.srcip}${forti.dstip}${forti.dstport}")
                        scope("process")
                        timeout(15)
                        aggregate(
                                value("MESSAGE" "aggegated devname=${forti.devname} srcip=${forti.srcip} dstip=${forti.dstip} dstport=${forti.dstport} count=$(context-length)")
                                inherit-mode("context")
                        )
                );
        };
        destination {
                # absolute path; the original "tmp/out.log" was relative to the working directory
                file("/tmp/out.log");
        };
};

My current output:

Jun  8 08:42:27 centos7-1 <15>Jun 10 16:10:02 fw01 fw: logver=56 devname="fw01" devid=" " vd="" date=2019-06-04 time=15:53:34 logid="0000000013" type="traffic" subtype="forward" level="notice" eventtime=1559652814 srcip=172.26.104.3 srcport=62444 srcintf="ae1.2051" srcintfrole="lan" dstip=172.16.104.219 dstport=9092 dstintf="ae0.2099" dstintfrole="lan" sessionid=3465151973 proto=6 action="deny" policyid=0 policytype="policy" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
Jun  8 08:42:27 centos7-1 <15>Jun 10 16:10:02 fw01 fw: logver=56 devname="-fw01" devid="" vd=" " date=2019-06-04 time=15:53:34 logid="0000000013" type="traffic" subtype="forward" level="notice" eventtime=1559652814 srcip=172.26.104.3 srcport=62444 srcintf="ae1.2051" srcintfrole="lan" dstip=172.16.104.219 dstport=9092 dstintf="ae0.2099" dstintfrole="lan" sessionid=3465151973 proto=6 action="deny" policyid=0 policytype="policy" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
crscore=30 craction=131072 crlevel="high"
Jun  8 08:42:28 centos7-1 aggegated devname=fw01 srcip=172.26.104.3 dstip=172.16.104.219 dstport=9092 count=3

What I want:
Jun  8 08:42:28 centos7-1 aggegated devname=fw01 srcip=172.26.104.3 dstip=172.16.104.219 dstport=9092 count=3

Any guidance would be very much appreciated.

Maxim Gazin | Senior security engineer | Rostelecom

