I am trying to normalize a log to a MySQL database.
The message is appended by
date, time and host. I do not want to add this to my database; how do I add that to my rule to parse?
All my other fields are separated by an = sign.
Sample log:
Jun 27 02:03:50 10.18.67.1 is what is appended.
Jun 27 02:03:50 10.18.67.1 date=2019-06-26 time=14:43:11 devname="CSPCFW01-M" devid="FG3H0E5818903304" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1561581791 srcip=10.18.66.10 srcport=54102 srcintf="VLAN66" srcintfrole="lan" dstip=10.18.70.200 dstport=161 dstintf="VLAN712" dstintfrole="lan" poluuid="c90ba4ee-fd82-51e8-1c37-dcd8078e44b8" sessionid=21893363 proto=17 action="accept" policyid=5 policytype="policy" service="SNMP" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=180 sentbyte=77 rcvdbyte=78 sentpkt=1 rcvdpkt=1 appcat="unscanned" devtype="Unknown" unauthuser="admin" unauthusersource="kerberos" mastersrcmac="00:0c:29:eb:3d:87" srcmac="00:0c:29:eb:3d:87" srcserver=1 dstdevtype="Unknown" masterdstmac="00:64:40:dc:0d:c4" dstmac="00:64:40:dc:0d:c4" dstserver=0
Rule:
rule=: date=%date:word% time=%time:word% devname=%devname:word% devid=%devid:word% logid=%logid:number% type=%type:word% subtype=%subtype:word% level=%level:word% vd=%vd:word% eventtime=%eventtime:number% srcip=%srcip:ipv4% srcport=%srcport:number% srcintf=%srcintf:word% srcintfrole=%srcintfrole:word% dstip=%dstip:ipv4% dstport=%dstport:number% dstintf=%dstintf:word% dstintfrole=%dstintfrole:word% sessionid=%sessionid:number% proto=%proto:number% action=%action:word% policyid=%policyid:number% policytype=%policytype:word% service=%service:word% dstcountry=%dstcountry:word% srccountry=%srccountry:word% trandisp=%trandisp:word% app=%app:word% duration=%duration:number% sentbyte=%sentbyte:number% rcvdbyte=%rcvdbyte:number% sentpkt=%sentpkt:number% appcat=%appcat:word% crscore=%crscore:number% craction=%craction:number% crlevel=%crlevel:word% devtype=%devtype:word% mastersrcmac=%mastersrcmac:word% srcmac=%srcmac:word% srcserver=%srcserver:number%
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
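As an added example that is not part of the post, a Python parser for the log format above: it peels off the prepended timestamp and host so they can be discarded before a row is written, then splits the key=value body, keeping quoted values as strings (device names, the leading-zero logid, MAC addresses) and converting bare integers. The sample line, regular expressions and function names are this example's own.

```python
"""Parse a FortiGate-style key=value traffic log line that arrives with a
"Mon DD HH:MM:SS host" header prepended. Constructed example, not a
liblognorm rulebase; all names below are this example's own."""
import re

# Header prepended by the relay: RFC3164-style timestamp, then the sending host.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)
# One key=value pair: the value is either a double-quoted string (this format
# does not nest quotes inside quoted values) or a run of non-space characters.
KV_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)

# Constructed sample line in the same shape as the one in the post.
SAMPLE = (
    'Jun 27 02:03:50 10.18.67.1 date=2019-06-26 time=14:43:11 '
    'devname="CSPCFW01-M" logid="0000000013" type="traffic" '
    'srcip=10.18.66.10 srcport=54102 dstip=10.18.70.200 dstport=161 '
    'poluuid="c90ba4ee-fd82-51e8-1c37-dcd8078e44b8" action="accept" '
    'service="SNMP" srcmac="00:0c:29:eb:3d:87" sentbyte=77 rcvdbyte=78'
)


def split_header(line):
    """Return (header dict or None, remainder). The header is kept separately
    so the caller can drop it instead of storing it in the database."""
    m = HEADER_RE.match(line)
    if not m:
        return None, line
    return {"ts": m.group("ts"), "host": m.group("host")}, line[m.end():]


def parse_kv(body):
    """Turn the key=value body into a dict. Quoted values stay strings even
    when numeric (logid="0000000013" keeps its zeros); bare all-digit values
    become int; bare values with '.', ':' or '-' (IPs, times, dates) stay str."""
    fields = {}
    for m in KV_RE.finditer(body):
        val = m.group("quoted")
        if val is None:
            val = m.group("bare")
            if val.isdigit():
                val = int(val)
        fields[m.group("key")] = val
    return fields


def parse_line(line):
    """Full pipeline for one line: (discarded header, record for the DB)."""
    header, body = split_header(line)
    return header, parse_kv(body)


if __name__ == "__main__":
    hdr, rec = parse_line(SAMPLE)
    print("dropped header:", hdr)
    for key, value in rec.items():
        print(f"{key:>10} = {value!r}")
```

In a liblognorm rulebase the same header can be consumed without being stored by starting the rule with `%-:date-rfc3164% %-:ipv4% ` ahead of `date=`, since a field named `-` is parsed but discarded. Note also that the `word` parser keeps the surrounding double quotes, so values such as `devname="CSPCFW01-M"` are better matched with `quoted-string`.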