Hi Jochen,
First of all, thanks again for taking your time. It's very highly
appreciated :)
Ok sure, from a bash script, the GELF is generated like this:
FILES=$(/bin/cat /var/log/avscanoutputfile | /bin/grep ^/)
echo -e '{
"version": "1.1",
"host":"'${HOSTNAME}'",
"short_message":"Clam AV Scan",
"level":6,
... # A lot of other custom rows that are not relevant to
this matter.
"_clamav_infeced_files":"'${FILES}'",
"_clamav_infected":"'${number of infected files}'"
}\0' | nc -w 1 theserver.company.net 12201
The avscanoutputfile which is read into FILE var above, looks like this:
-------------------------------------------------------------------------------
/var/log/syslog.1: Eicar-Test-Signature FOUND
/home/JIMBOB/Desktop/Untitled Document: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4745906
Engine version: 0.99
Scanned directories: 39075
Scanned files: 209569
Infected files: 2
Data scanned: 11207.61 MB
Data read: 891244.70 MB (ratio 0.01:1)
Time: 734.572 sec (12 m 14 s)
The big issue here is that I need each line (such as /var/log/syslog.1:
Eicar-Test-Signature FOUND) to be a separate field in above GELF.
Something like:
echo -e '{
"version": "1.1",
"host":"'${HOSTNAME}'",
"short_message":"Clam AV Scan",
"level":6,
... # A lot of other custom rows that are not relevant to
this matter.
"_clamav_infeced_file1":"/var/log/syslog.1:
Eicar-Test-Signature FOUND",
"_clamav_infeced_file2":"/home/JIMBOB/Desktop/Untitled Document:
Eicar-Test-Signature FOUND",
"_clamav_infected":"'${number of infected files}'"
}\0' | nc -w 1 theserver.company.net 12201
The issue here is that I don't know if there are 0 lines that match the
FILES grep above, or 20.
I guess this turns out to be more of a bash scripting issue now, but I
really need a reliable way to read each line of that file into a separate
field.
Any suggestions are highly appreciated.
Thanks,
R
(EDIT: all the previous text was included; removed and re-added the answer)
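One way to build the message described above, as an added example that is not part of the original post: a shell function that reads the clamscan report, turns each line starting with "/" into its own numbered "_clamav_infected_fileN" field (zero matches gives a valid message with no such fields), and escapes backslashes and double quotes so a file name chosen by whoever dropped the file cannot break or inject into the JSON. The report text, the host name and the field names are constructed for the example; it needs only sh and sed.

```shell
# Constructed stand-in for /var/log/avscanoutputfile; the quoted name is
# deliberate, to show why escaping is needed before splicing into JSON.
SAMPLE_REPORT='/var/log/syslog.1: Eicar-Test-Signature FOUND
/home/JIMBOB/Desktop/Untitled Document: Eicar-Test-Signature FOUND
/tmp/say "hi": Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 3'

# Escape a value for use inside a JSON string literal (backslash, then quote).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Read the scan report on stdin and print the GELF JSON on stdout.
# $1 is the host name to report. Only lines beginning with "/" (the same
# selection as grep ^/) become fields; everything else is ignored.
build_gelf() {
  host="$1"; n=0; fields=""
  while IFS= read -r line; do
    case "$line" in
      /*)
        n=$((n + 1))
        fields="$fields\"_clamav_infected_file$n\":\"$(json_escape "$line")\","
        ;;
    esac
  done
  # _clamav_infected is the number of matched lines, so it is always consistent
  # with the fields actually emitted.
  printf '{"version":"1.1","host":"%s","short_message":"Clam AV Scan","level":6,%s"_clamav_infected":%d}' \
    "$(json_escape "$host")" "$fields" "$n"
}

# Usage with the constructed report. In the real script this would be:
#   build_gelf "$HOSTNAME" < /var/log/avscanoutputfile | { cat; printf '\0'; } \
#     | nc -w 1 theserver.company.net 12201
printf '%s\n' "$SAMPLE_REPORT" | build_gelf "scanner01"
```

The NUL terminator is appended outside the function because a shell variable cannot hold a NUL byte; GELF over TCP needs it, UDP does not.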
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/43630667-4290-41d7-8219-cd87a713b36d%40googlegroups.com.