[syslog-ng] Using custom parser with only a subset of udp traffic

Faine, Mark R. (MSFC-IS40)[NICS] mark.faine at nasa.gov
Thu May 20 14:55:23 UTC 2021


Hopefully one of you can help me figure this out. All of my udp traffic is coming in through one source (network driver); some of it is firewall data, but I have to filter it out based on where it is coming from and other fields in the log data. I want to use the csv_parser here since it would make it easier for me to get the data I need from the firewall data. Does this require splitting my one source into two sources, since I would need to use flags('no-parse') on a firewall data source? I also think this means that I can't use a single log path to process both sources? Also, how do I prevent potential duplication, since the non-firewall source will still receive the firewall traffic and try to process it with syslog-parser?

I think the flow is something like this:

                  firewall source -> custom parser -> filters -> rewrites
                /                                                         \
    all_data ->                                                             -> destination
                \                                                         /
                  all udp source -> filters -> rewrites

I understand this is a bit complex to answer simply, I'm mostly looking for answers to the above questions as well as high level guidance for how to proceed.

Thanks,
-Mark
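Added example (not part of Mark's message, and not a configuration from the syslog-ng project): one way to express the flow above in syslog-ng with a single UDP source and two log paths. It assumes the firewalls send syslog-framed messages whose body is a comma-separated record, that they sit in the (constructed) 192.0.2.0/24 range, that their PROGRAM field starts with "fw-", and the column names and file paths shown; those values and the @version line are assumptions, the rest is standard syslog-ng syntax.

```conf
@version: 3.30
@include "scl.conf"

# One UDP source for everything. Default syslog parsing applies, so header
# fields land in ${HOST}, ${PROGRAM}, ... and the body in ${MESSAGE}.
# flags(no-parse) is only needed when the sender emits bare CSV with no
# syslog header; because parsing flags are a property of the source, that
# case does require a second source on its own port.
source s_udp {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Select firewall traffic by sender subnet plus a field inside the message.
# netmask() matches the sender's IP address; 192.0.2.0/24 is a placeholder.
filter f_firewall {
    netmask("192.0.2.0/24")
    and match("^fw-" value("PROGRAM"));   # assumed PROGRAM prefix on firewall logs
};

# csv-parser operates on ${MESSAGE} by default, so the syslog header stays
# intact and only the CSV body is split into name-value pairs under "fw.".
# Column names are assumed; adapt them to the firewall's export format.
parser p_fw_csv {
    csv-parser(
        columns("action", "proto", "src_ip", "src_port", "dst_ip", "dst_port")
        delimiters(",")
        prefix("fw.")
        flags(strip-whitespace, drop-invalid)
    );
};

# Rewrite runs after the parser, so it can use the parsed fields.
rewrite r_tag_fw {
    set("firewall" value("fw.class"));
};

destination d_firewall {
    file("/var/log/syslog-ng/firewall.log"
         template("${ISODATE} ${HOST} ${fw.class} ${fw.action} ${fw.proto} "
                  "${fw.src_ip}:${fw.src_port} -> ${fw.dst_ip}:${fw.dst_port}\n"));
};

destination d_all {
    file("/var/log/syslog-ng/udp-all.log");
};

# Firewall path first. flags(final) stops a matched message here, so it
# never reaches the general path below and is not written twice.
log {
    source(s_udp);
    filter(f_firewall);
    parser(p_fw_csv);
    rewrite(r_tag_fw);
    destination(d_firewall);
    flags(final);
};

# Everything else from the same source. Log paths are evaluated in the
# order they appear, which is why this one comes second.
log {
    source(s_udp);
    destination(d_all);
};
```

With this layout no second source is needed as long as the firewall messages carry a syslog header: the csv-parser is attached to a log path, not to the source, and flags(final) on that path is what prevents the duplicate processing asked about above (flags(fallback) on the catch-all path is an equivalent way to say "only messages no other path handled"). If the firewalls really send header-less CSV, add a second network() source on a different port with flags(no-parse) and point only the firewall log path at it; those messages then never enter s_udp, so duplication cannot occur either way. Check the result with `syslog-ng -s -f <file>` for syntax and send a constructed sample line with `logger -n 127.0.0.1 -P 514 -d` to confirm which path picks it up.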

