[syslog-ng] Match logs with variable lengths
Mik J
mikydevel at yahoo.fr
Wed Dec 7 01:54:16 UTC 2022
Hello,
I'm new to syslog-ng and I'm trying to match my DNS logs.
I have either
Dec 6 01:44:49 mydnsserver named[66669]: client @0x53f33c122d0 1.2.3.4#56610 (my.original.query.com): query: my.qname.com IN A -E(0)DC (1.1.1.1)
or
Dec 6 01:44:49 mydnsserver named[66669]: client @0x53f33c122d0 1.2.3.4#56610 (my.original.query.com): query: my.qname.com IN A -E(0)DC (1.1.1.1) [ECS 192.168.0.0/24/0]
So the field [ECS 192.168.0.0/24/0] is optional and either exists or not.
To match fields I use this pattern
<pattern>client @@@ESTRING:dns_clientid: @@IPvANY:src_ip@#@NUMBER:src_port@ (@ESTRING:dns_original_query:)@: query: @ESTRING:dns_qname: @IN @ESTRING:dns_type: @@ESTRING:dns_record_flags: @(@IPvANY:dns_server@)</pattern>
and it matches both lines for the existing fields
But how can I match this optional part at the end of the line: [ECS 192.168.0.0/24/0]
Should I use @PCRE@? Or is it possible with other pattern parsers?
If yes, why use other pattern parsers and not build the matching around @PCRE@ for the entire line, which would make things simple to translate from grok or other tools?
Thank you
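As an added example (not part of the original post and not syslog-ng's own code): a small Python parser for the two line shapes above, using one regular expression in which the trailing ECS bracket is an optional group anchored at end of line. The two sample lines are constructed from the poster's examples. PCRE accepts the same `(?P<name>...)` named-group syntax, so the expression can be tried as-is in an `@PCRE:name:...@` parser; whether a single @PCRE@ covering the whole message is the right choice for your syslog-ng version and workload is something to verify against its docs, and the meaning of the three ECS components (address, source prefix length, scope prefix length) is an assumption based on how BIND prints them.

```python
import re
from typing import Optional

# Constructed sample lines, modelled on the two shapes in the post (not real logs).
SAMPLE_LINES = [
    "Dec 6 01:44:49 mydnsserver named[66669]: client @0x53f33c122d0 1.2.3.4#56610 "
    "(my.original.query.com): query: my.qname.com IN A -E(0)DC (1.1.1.1)",
    "Dec 6 01:44:49 mydnsserver named[66669]: client @0x53f33c122d0 1.2.3.4#56610 "
    "(my.original.query.com): query: my.qname.com IN A -E(0)DC (1.1.1.1) [ECS 192.168.0.0/24/0]",
]

# One expression for both shapes. The ECS bracket sits in a non-capturing
# optional group "(?: ...)?" followed by "\s*$", so the match still succeeds
# when the bracket is absent, and the named groups inside it come back as None.
# Field names mirror the poster's pattern; dns_class is captured instead of
# hard-coding "IN" so CH/HS queries also parse.
QUERY_RE = re.compile(
    r"client @(?P<dns_clientid>0x[0-9a-fA-F]+) "
    r"(?P<src_ip>[0-9a-fA-F.:]+)#(?P<src_port>\d+) "
    r"\((?P<dns_original_query>[^)]*)\): query: "
    r"(?P<dns_qname>\S+) (?P<dns_class>\S+) (?P<dns_type>\S+) "
    r"(?P<dns_record_flags>\S+) "
    r"\((?P<dns_server>[0-9a-fA-F.:]+)\)"
    # Optional EDNS Client Subnet tail: "[ECS address/source-prefix/scope-prefix]"
    # (component meaning assumed from BIND's format).
    r"(?: \[ECS (?P<ecs_address>[0-9a-fA-F.:]+)/(?P<ecs_source_prefix>\d+)/(?P<ecs_scope_prefix>\d+)\])?"
    r"\s*$"
)


def parse_query(line: str) -> Optional[dict]:
    """Return the named fields of a BIND query log line, or None if it does not match.

    search() rather than match() is used so the syslog header ("Dec 6 ... named[...]:")
    may or may not be present; syslog-ng's pattern-db sees only the MESSAGE part.
    Numeric fields are converted; ECS fields are None when the bracket is absent.
    """
    m = QUERY_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    for key in ("ecs_source_prefix", "ecs_scope_prefix"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    fields["has_ecs"] = fields["ecs_address"] is not None
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        parsed = parse_query(line)
        print(parsed)
```

Running the block prints the parsed dictionary for each sample: identical query fields in both, `has_ecs` False and the three ECS fields None for the first line, and `192.168.0.0`, `24`, `0` for the second. A line that does not fit the layout (for example a different BIND message category) returns None rather than a partially filled record, which is the behaviour you want before feeding fields into a detection rule.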