[syslog-ng] Adding new fields to existing logs

Robert Fekete (rfekete) Robert.Fekete at oneidentity.com
Wed Oct 9 07:30:08 UTC 2019


Hi,

Since it seems you are trying to modify the header of the message, I think the easiest would be to use a template in your destination. That way you could easily insert what you need from strings or macros, see http://support.oneidentity.com/technical-documents/syslog-ng-open-source-edition/administration-guide/template-and-rewrite-format-modify-and-manipulate-log-messages/customize-message-format-using-macros-and-templates/templates-and-macros

So you'll end up with a template like (or with a macro instead of the Ruckus part if you want to set that dynamically):
template("${ISODATE} Ruckus VirtualSmartZone ${HOST} ${MESSAGE}\n")

HTH,
Robert
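A complete configuration built around the template above, added here as an example and not taken from the thread: it assumes the Ruckus controller sends over UDP port 514 and reuses the SOME-DEVICE-HOSTNAME host from Allen's sample; the source, filter, rewrite and destination names and the version line are made up. ${DATE} keeps the BSD timestamp format of the raw sample (Robert's ${ISODATE} would give an ISO 8601 one), and the rewrite/name-value variant is the "macro instead of the Ruckus part" he mentions for setting the vendor dynamically.

```conf
@version: 3.19

# Constructed example, not from the thread. Assumes the Ruckus logs arrive
# on UDP/514 and that the controller reports as SOME-DEVICE-HOSTNAME.
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Only the Ruckus controller gets the prefix; other senders are untouched.
filter f_ruckus {
    host("SOME-DEVICE-HOSTNAME");
};

# Static prefix between timestamp and host, producing:
# "Oct  1 13:48:01 Ruckus VirtualSmartZone SOME-DEVICE-HOSTNAME Core: Last message..."
template t_ruckus {
    template("${DATE} Ruckus VirtualSmartZone ${HOST} ${MESSAGE}\n");
};

# Dynamic variant: store the vendor string in a name-value pair with a
# rewrite rule, then reference it from the template as the ${.vendor} macro.
rewrite r_vendor {
    set("Ruckus VirtualSmartZone", value(".vendor"));
};
template t_vendor {
    template("${DATE} ${.vendor} ${HOST} ${MESSAGE}\n");
};

# Destination for the Wazuh decoder to read; swap t_vendor for t_ruckus
# if the static template is enough.
destination d_wazuh {
    file("/var/log/wazuh/ruckus.log" template(t_vendor));
};

log {
    source(s_net);
    filter(f_ruckus);
    rewrite(r_vendor);
    destination(d_wazuh);
};
```

Check the result with `syslog-ng --syntax-only` before reloading, and confirm the Wazuh prematch regex expects single spaces, since the template above emits single spaces where Allen's desired example shows two.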

________________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Allen Olivas <allen.olivas at infodefense.com>
Sent: Wednesday, October 9, 2019 01:04
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Adding new fields to existing logs


Hello,

I need to add some new fields to an existing log before it gets sent to its destination. I’m trying to decode these logs with Wazuh and will need some unique fields in the beginning of the message so I can successfully prematch my decoder.

I was looking through previous cases and saw the comments on Regular Expressions in rewrite. After studying those posts to this mailing list (https://lists.balabit.hu/pipermail/syslog-ng/2019-August/025392.html) and reviewing the documentation I’m pretty sure this can be done, just not sure how to start, to use a macro or no macro, template or no template.

Here are the specifics:

Raw log file snippet:  “Oct  1 13:48:01 SOME-DEVICE-HOSTNAME Core: Last message….”

I would like to add something like “Ruckus VirtualSmartZone” to the log before SOME-DEVICE-HOSTNAME. So the new log entry that goes to the destination looks like

“Oct  1 13:48:01  Ruckus VirtualSmartZone  SOME-DEVICE-HOSTNAME Core: Last message…”

Do I need to write a filter (with regex) to screen for the time stamp and hostname, then rewrite it to add that entry “Ruckus VirtualSmartZone”?
Or, if not, how best to approach this?

Thanks,

Allen Olivas

