Hi Jochen,

First of all, thanks again for taking your time. It's very highly 
appreciated :)

Ok sure, from a bash script, the GELF is generated like this:

FILES=$(/bin/cat /var/log/avscanoutputfile | /bin/grep ^/)

                echo -e '{
                       "version": "1.1",
                       "host":"'${HOSTNAME}'", 
                       "short_message":"Clam AV Scan", 
                       "level":6, 
                       ... # A lot of other custom rows that are not regarding this matter.
                       "_clamav_infected_files":"'${FILES}'",
                       "_clamav_infected":"'${number of infected files}'"
                       }\0' | nc -w 1 theserver.company.net 12201

The avscanoutputfile which is read into the FILES var above looks like this:

-------------------------------------------------------------------------------

/var/log/syslog.1: Eicar-Test-Signature FOUND
/home/JIMBOB/Desktop/Untitled Document: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4745906
Engine version: 0.99
Scanned directories: 39075
Scanned files: 209569
Infected files: 2
Data scanned: 11207.61 MB
Data read: 891244.70 MB (ratio 0.01:1)
Time: 734.572 sec (12 m 14 s)

The big issue here is that I need each line (such as /var/log/syslog.1: 
Eicar-Test-Signature FOUND) to be a separate field in above GELF. 

Something like:
                echo -e '{
                       "version": "1.1",
                       "host":"'${HOSTNAME}'", 
                       "short_message":"Clam AV Scan", 
                       "level":6, 
                       ... # A lot of other custom rows that are not regarding this matter.
                       "_clamav_infected_file1":"/var/log/syslog.1: Eicar-Test-Signature FOUND",
                       "_clamav_infected_file2":"/home/JIMBOB/Desktop/Untitled Document: Eicar-Test-Signature FOUND",
                       "_clamav_infected":"'${number of infected files}'"
                       }\0' | nc -w 1 theserver.company.net 12201

The issue here is that I don't know whether there are 0 lines that match the 
FILES grep above, or 20. 

I guess this turns out to be more of a bash scripting issue now, but I 
really need a reliable way to read each line of that file into a separate 
field.

Any suggestions are highly appreciated.

Thanks,
R
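One way to do this at the source, as an added example that is not code from this thread or from Graylog: a small Python script that parses the clamscan output file, emits one GELF message per infected file (the approach Jochen recommends) or, if a single message is wanted, one message with numbered `_clamav_infected_fileN` fields, and serialises with json.dumps so that a file name containing a quote, backslash or newline is escaped instead of breaking the JSON or injecting extra fields, which the string-concatenated echo above cannot guarantee. Note also why the lines collapse in the echo: `${FILES}` is expanded unquoted, so word splitting turns its newlines into spaces, which is exactly the run-together field seen in the first post. The sample scan output embedded below is constructed from the one quoted above; the hostname, the server name and the `_clamav_signature` field name are assumptions.

```python
#!/usr/bin/env python3
"""Turn a clamscan output file into GELF messages (added example, not from the thread).

Assumptions: hostname, GELF server and the _clamav_signature field name are placeholders.
"""
import json
import socket
import sys

# Constructed sample, mirroring the scan output quoted in the thread (not a real scan).
SAMPLE_SCAN_OUTPUT = """\
-------------------------------------------------------------------------------

/var/log/syslog.1: Eicar-Test-Signature FOUND
/home/JIMBOB/Desktop/Untitled Document: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4745906
Engine version: 0.99
Scanned directories: 39075
Scanned files: 209569
Infected files: 2
Data scanned: 11207.61 MB
Data read: 891244.70 MB (ratio 0.01:1)
Time: 734.572 sec (12 m 14 s)
"""

FOUND_SUFFIX = " FOUND"


def parse_scan_output(text):
    """Split clamscan output into a list of findings and the summary key/value pairs.

    A finding line is '/path: Signature-Name FOUND'. The path is user-controlled and
    may itself contain ': ', so the signature is split off from the right; per the
    thread the signature name never contains spaces. Works for 0 or many findings.
    """
    findings = []
    summary = {}
    for line in text.splitlines():
        if line.startswith("/") and line.endswith(FOUND_SUFFIX):
            body = line[: -len(FOUND_SUFFIX)]
            if ": " not in body:
                continue  # malformed line: skip it rather than abort the whole report
            path, signature = body.rsplit(": ", 1)
            findings.append({"path": path, "signature": signature})
        elif ": " in line and not line.startswith("-"):
            key, value = line.split(": ", 1)
            summary[key] = value
    return findings, summary


def base_message(host):
    # GELF 1.1 mandatory fields; additional fields must start with an underscore.
    return {"version": "1.1", "host": host, "short_message": "Clam AV Scan", "level": 6}


def gelf_per_file(findings, summary, host):
    """One GELF message per infected file, so Graylog never needs a fixed field count."""
    infected = int(summary.get("Infected files", len(findings)))
    messages = []
    for f in findings:
        msg = base_message(host)
        msg["_clamav_infected_file"] = f["path"]
        msg["_clamav_signature"] = f["signature"]  # assumed field name
        msg["_clamav_infected"] = infected
        messages.append(msg)
    return messages


def gelf_numbered_fields(findings, host):
    """The single-message variant asked for in the thread: _clamav_infected_file1..N."""
    msg = base_message(host)
    for i, f in enumerate(findings, start=1):
        msg[f"_clamav_infected_file{i}"] = f"{f['path']}: {f['signature']}{FOUND_SUFFIX}"
    msg["_clamav_infected"] = len(findings)
    return msg


def encode_gelf(msg):
    """Serialise one message. json.dumps escapes quotes, backslashes and control
    characters in file names, so a crafted file name cannot add or alter fields the
    way shell string concatenation would allow. GELF over TCP ends each message
    with a NUL byte, as the nc-based script above does with '\\0'."""
    return json.dumps(msg, ensure_ascii=False).encode("utf-8") + b"\0"


def send_gelf_tcp(payloads, server, port=12201):
    """Deliver already-encoded messages over one TCP connection to the GELF input."""
    with socket.create_connection((server, port), timeout=5) as sock:
        for payload in payloads:
            sock.sendall(payload)


if __name__ == "__main__":
    # Usage: clamscan_to_gelf.py /var/log/avscanoutputfile theserver.company.net
    scan_file, server = sys.argv[1], sys.argv[2]
    with open(scan_file, encoding="utf-8", errors="replace") as fh:
        found, summ = parse_scan_output(fh.read())
    payloads = [encode_gelf(m) for m in gelf_per_file(found, summ, socket.gethostname())]
    send_gelf_tcp(payloads, server)
```

Run it from the same cron job that produces avscanoutputfile, in place of the echo | nc pipeline; with one message per file, a simple search on `_clamav_infected_file` in Graylog gives each hit its own row and no extractor is needed.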





On Wednesday, 24 August 2016 at 11:30:21 UTC+2, Jochen Schalanda wrote:
>
> Hi,
>
> splitting a message into multiple messages according to the pattern you've 
> mentioned is kind of hard.
>
> I would (still) recommend changing the generation of the GELF messages at 
> the source and sending one GELF message for each infected/found file. If you 
> tell us how you generate the GELF messages and what the source for those 
> looks like, we might be able to give you some advice on how and what to change.
>
> Cheers,
> Jochen
>
> On Tuesday, 23 August 2016 21:01:41 UTC+2, ravedog wrote:
>>
>> Hi,
>>
>> Just installed graylog server to handle my logging needs. However, I 
>> bumped into an issue I'd be grateful for some help with.
>>
>> So I'm creating GELF messages and sending them to the graylog server. 
>> The GELFS are containing variables, but expanded they could look like 
>> this inside the GELF:
>>
>> ...
>> "_clamav_infected":"1",
>> "_clamav_infected_files":"/path/to/files: name-of-virus FOUND",
>> ...
>>
>> So the field called "_clamav_infected_files" above will constantly 
>> contain the same three field pattern.
>>
>>    - /path/to/file = Always unix format, beginning with "/" and ending 
>>    with ":".
>>    - name-of-virus = will in all cases i have seen be worded together 
>>    without any space, using "." or "-" instead (example Very-Nasty.Virus-XZY)
>>    - FOUND = Static word.
>>
>>
>> This is working great and exactly as I wanted. However, I have bumped 
>> into issues when several of these patterns are in the same field. 
>> Say for example that two viruses have been found, in that case the above 
>> example will look like this:
>>  
>> ...
>> "_clamav_infected":"1",
>> "_clamav_infected_files":"/path/to/file1: name-of-virus1 FOUND 
>> /path/to/file2: name-of-virus2 FOUND",
>> ...
>>
>> I know this is sub-par as far as filling out a field goes, but I wonder 
>> if there is any way I can match this and get this sorted from inside 
>> graylog?
>> So that every pattern starting with "/" ending with "FOUND" would get a 
>> new field by an extractor, regardless if there is 1 pattern like this, or 
>> 10. 
>>
>> Any suggestions on if this is possible?
>>
>> Talked to the guys at graylog Freenode IRC today and they pointed me 
>> towards changing the source incoming, but I'm curious to see if there is 
>> any other way than that. 
>> I also got a suggestion to use grok for this; I was succeeding in 
>> sorting the first pattern into separate fields (so "path" into a new field 
>> and "virus name" into a new field) but never the full pattern as one 
>> field and never more than the first instance of the pattern.
>>
>> Thanks in advance!
>>
>> /R
>>
>
