Reputation: 11
I am trying to leverage the structured-data parsing feature in syslog-ng. From my firewall, I am forwarding the following message:
<14>1 2012-10-06T11:03:56.493 SRX100 RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="TCP FIN" source-address="192.168.199.207" source-port="59292" destination-address="184.73.190.157" destination-port="80" service-name="junos-http" nat-source-address="50.193.12.149" nat-source-port="19230" nat-destination-address="184.73.190.157" nat-destination-port="80" src-nat-rule-name="source-nat-rule" dst-nat-rule-name="None" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9375" packets-from-client="9" bytes-from-client="4342" packets-from-server="7" bytes-from-server="1507" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="vlan.0"]
Based on the format of the IETF logs, it appears to be correct, but for some reason the structured data is actually being parsed as the message portion of the log and not being parsed as structured data.
Upvotes: 0
Views: 1707
Reputation: 71
On the syslog-ng side, you need to use either a syslog() source, or a tcp() source with flags(syslog-proto) set, and then the stuff will end up in variables like ${[email protected]} and so on and so forth, which then you can use as you see fit.
Upvotes: 1
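The configuration the answer describes, written out as an added example (it is not from the question, the answer, or the syslog-ng project). It assumes the SRX sends its RFC 5424 "structured-data" messages over UDP/514 (the common default), and that the SD-ID in the real messages is `junos@2636.1.1.1.2.36`; the SD-ID in the question above was mangled during extraction, so substitute whatever your firewall actually emits. The destination template is illustrative.

```conf
@version: 3.3

# Added example, not the original poster's or the answerer's config.
# The plain udp() source parses the legacy BSD format, which is why the whole
# "[junos@... reason=...]" block lands in ${MESSAGE}. flags(syslog-proto)
# switches the source to the RFC 5424 parser, so STRUCTURED-DATA is split out.
# keep-hostname(yes) keeps "SRX100" as ${HOST} instead of the sender's IP.
source s_srx_udp {
    udp(ip(0.0.0.0) port(514) flags(syslog-proto) keep-hostname(yes));
};

# Equivalent when the firewall is configured to send over TCP. syslog() is
# RFC 5424 by default and, on TCP, expects octet-counting framing; if the
# sender does not frame messages, use tcp(flags(syslog-proto)) instead.
source s_srx_tcp {
    syslog(ip(0.0.0.0) port(601) transport("tcp") keep-hostname(yes));
};

# With the RFC 5424 parser every SD-PARAM becomes ${.SDATA.<SD-ID>.<name>}.
# SD-ID junos@2636.1.1.1.2.36 is an assumption here (see lead-in).
destination d_srx_flow {
    file("/var/log/srx/${HOST}/flow.log"
         template("${ISODATE} ${HOST} ${MSGID} "
                  "${.SDATA.junos@2636.1.1.1.2.36.source-address}:"
                  "${.SDATA.junos@2636.1.1.1.2.36.source-port} -> "
                  "${.SDATA.junos@2636.1.1.1.2.36.destination-address}:"
                  "${.SDATA.junos@2636.1.1.1.2.36.destination-port} "
                  "policy=${.SDATA.junos@2636.1.1.1.2.36.policy-name} "
                  "reason=\"${.SDATA.junos@2636.1.1.1.2.36.reason}\"\n"));
};

log { source(s_srx_udp); source(s_srx_tcp); destination(d_srx_flow); };
```

Check the syntax with `syslog-ng -s -f /path/to/this.conf` before reloading. A quick way to confirm the parser is doing what you expect is to add a second destination whose template is just `${MESSAGE}\n`: once the source is on the RFC 5424 parser, that field should contain only the free-text part after the closing `]` (empty for this SRX message), not the structured-data block.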