[graylog2] Re: Issues parsing incomming fields in a good way

ravedog Wed, 24 Aug 2016 04:14:20 -0700

Hi Jochen,              

First of all, thanks again for taking your time. Its very highly 
appreciated :)


Ok sure, from a bash script, the GELF is generated like this:

FILES=$(/bin/cat /var/log/avscanoutputfile | /bin/grep ^/)

                echo -e '{
                       "version": "1.1",
                       "host":"'${HOSTNAME}'", 
                       "short_message":"Clam AV Scan", 
                       "level":6, 
                       ... #Alot of other customrows that are not regarding 
this matter.
                       "_clamav_infeced_files":"'${FILES}'"
                       "_clamav_infected":"'${number of infected files}'"
                       }\0' | nc -w 1 theserver.company.net 12201

The avscanoutputfile which is read into FILE var above, looks like this:




-------------------------------------------------------------------------------

/var/log/syslog.1: Eicar-Test-Signature FOUND
/home/JIMBOB/Desktop/Untitled Document: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4745906
Engine version: 0.99
Scanned directories: 39075
Scanned files: 209569
Infected files: 2
Data scanned: 11207.61 MB
Data read: 891244.70 MB (ratio 0.01:1)
Time: 734.572 sec (12 m 14 s)

The big issue here is that I need each line (such as /var/log/syslog.1: 
Eicar-Test-Signature FOUND) to be a separate field in above GELF. 

Something like:
                echo -e '{
                       "version": "1.1",
                       "host":"'${HOSTNAME}'", 
                       "short_message":"Clam AV Scan", 
                       "level":6, 
                       ... #Alot of other customrows that are not regarding 
this matter.
                       "_clamav_infeced_file1":"/var/log/syslog.1: 
Eicar-Test-Signature FOUND"
                      
 "_clamav_infeced_file2":"/home/JIMBOB/Desktop/Untitled Document: 
Eicar-Test-Signature FOUND"
                       "_clamav_infected":"'${number of infected files}'"
                       }\0' | nc -w 1 theserver.company.net 12201

The issue here is that i don't know if there is 0 lines that matched the 
FILES grep above, or 20. 

I guess this turns out to be more of a bash scripting issue now, but i 
really need a reliable way to read each line of that file into a separate 
field.

Any suggestions are highly appreciated.

Thanks,
R

(EDIT: all the previous text was included, removed and re added the answer)

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/43630667-4290-41d7-8219-cd87a713b36d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[graylog2] Re: Issues parsing incomming fields in a good way

Reply via email to